[Samba] Samba 4 posixGroup mapping

steve steve at steve-ss.com
Tue Feb 7 07:38:16 MST 2012


>> Hi,
>>
>> I use Samba3/OpenLDAP in production and create my users using similar
>> scripts, so no it shouldn't be difficult, something like:
>>
>> #!/bin/sh
>>
>> samba-tool user add $1 ..........
>>
>> echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> add: objectclass
>> objectclass: shadowaccount
>> -
>> add: uidnumber
>> uidnumber: $2
>> -
>> add: gidnumber
>> gidnumber: $3
>> -
>> add:unixhomedirectory
>> unixhomedirectory: $4
>> -
>> add: loginshell
>> loginshell: $5">/some/temporary-file
>>
>> ldbmodify -f /some/temporary-file
>>
>> rm /some/temporary-file
>>
>> Please take into account that it is just a very rough example I've put
>> up in less than a minute.
>>
>> Regards
>>
>> Geza
> We use Samba3/openldap in real life too:) When I'm not there, they use
> the YaST GUI which has quite a nice point and click LDAP user and
> group module which links to the samba3 schema.
>
> Your echo ...>  /some/temporary-file is a good idea. Would you include 
> a default group for the user perhaps? e.g.
> samba-tool group addmembers $6 $1
> ($6 would already exist)
>
> Looking good. Thanks for your time. Will report back.
> Cheers,
> Steve
>
>
Hi Geza, hi everyone.
I had a go at the script. I called it s4user and got it down to 4 
parameters:
s4user <cn> <uid> <gid> <windows-group>

chmod +x s4user
cat s4user
#!/bin/sh
# s4user <cn> <uid> <gid> <windows-group>
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
# write the LDIF to a temporary file instead of a file named after the user
ldif=$(mktemp) || exit 1
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "$ldif"
#ldbmodify -f /some/temporary-file
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -Y GSSAPI -f "$ldif"
rm -f "$ldif"
samba-tool group addmembers "$4" "$1"
mkdir "/home/CACTUS/$1"
chown "$1:$4" "/home/CACTUS/$1"

./s4user steve6 3000030 2000 suseusers
Creating s4 posix user steve6
Pls enter pwd for steve6
New Password:
User 'steve6' created successfully
SASL/GSSAPI authentication started
SASL username: Administrator at HH3.SITE
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=steve6,cn=Users,dc=hh3,dc=site"
Added members to group suseusers
hh3:/home/steve # exit
exit
steve at hh3:~> su steve6
Password:
Warning: Your password will expire in 41 days on Tue 20 Mar 2012 14:52:02 CET
steve6 at hh3:/home/steve> cd ../CACTUS/steve6
steve6 at hh3:~> touch hola
steve6 at hh3:~> ls -la
total 12
drwxr-xr-x  2 steve6 suseusers 4096 Feb  7 14:53 .
drwxr-xr-x 10 root   root      4096 Feb  7 14:52 ..
-rw-r--r--  1 steve6 suseusers    0 Feb  7 14:53 hola
-rw-------  1 steve6 suseusers   48 Feb  7 14:52 .xauthoa0jlX
steve6 at hh3:~>

Yeah!
I need to tidy the script up a bit and maybe put some stuff in like 
checking for the nslcd pid and put a 'usage:' message.

Just a couple of qns.
1. I couldn't get ldbmodify to work, which is why I used ldapmodify 
instead. Any idea of the syntax?
2. This now bypasses winbind completely. I just happened to use a uid in 
the range that winbind uses. Are there any rules for choosing uid numbers?
3. Is there an easy way to find the next free uid or reuse one from a 
deleted user?
Cheers,
Steve
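An added example, not code from this thread, covering the two loose ends in the message above: picking the lowest unused uidNumber in an agreed range (question 3) and generating the posixAccount modify LDIF without a hand-edited file. The uid list and the 3000000 range are constructed stand-ins for what `ldbsearch` would return and for site policy; the base DN and home directory layout are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for a script like s4user:
# next_free_uid picks the lowest uidNumber not already allocated in a range,
# make_posix_ldif emits the modify LDIF with canonical attribute case and a
# space after each colon. Inputs below are constructed sample data.

# next_free_uid "<newline-separated uids>" LOW HIGH
# Prints the lowest uid in [LOW,HIGH] not in the list, or nothing if full.
next_free_uid() {
    printf '%s\n' "$1" | awk -v low="$2" -v high="$3" '
        NF { seen[$1] = 1 }
        END { for (u = low; u <= high; u++) if (!(u in seen)) { print u; exit } }'
}

# make_posix_ldif CN UIDNUMBER GIDNUMBER HOMEDIR SHELL BASEDN
# Writes the LDIF to stdout. Refuses an empty cn (which would otherwise
# produce "dn: cn=,cn=Users,...") and non-numeric uid/gid values.
make_posix_ldif() {
    [ -n "$1" ] || { echo "make_posix_ldif: empty cn" >&2; return 1; }
    for n in "$2" "$3"; do
        case "$n" in ""|*[!0-9]*)
            echo "make_posix_ldif: uid/gid must be numeric" >&2; return 1;;
        esac
    done
    printf '%s\n' \
        "dn: cn=$1,cn=Users,$6" \
        "changetype: modify" \
        "add: objectclass" \
        "objectclass: posixAccount" \
        "-" \
        "add: uidNumber" \
        "uidNumber: $2" \
        "-" \
        "add: gidNumber" \
        "gidNumber: $3" \
        "-" \
        "add: unixHomeDirectory" \
        "unixHomeDirectory: $4" \
        "-" \
        "add: loginShell" \
        "loginShell: $5"
}

# Constructed sample: three uids already allocated in the 3000000 range.
EXISTING_UIDS='3000000
3000001
3000003'
```

Pipe the output of `make_posix_ldif` into `ldapmodify` or `ldbmodify` instead of writing it to a file named after the user.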