[Samba] Samba 4 posixGroup mapping
steve at steve-ss.com
Tue Feb 7 07:38:16 MST 2012
>> I use Samba3/OpenLDAP in production and create my users using similar
>> scripts, so no it shouldn't be difficult, something like:
>> samba-tool user add $1 ..........
>> echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> add: objectclass
>> objectclass: shadowaccount
>> -
>> add: uidnumber
>> uidnumber: $2
>> -
>> add: gidnumber
>> gidnumber: $3
>> -
>> add: unixhomedirectory
>> unixhomedirectory: $4
>> -
>> add: loginshell
>> loginshell: $5">/some/temporary-file
>> ldbmodify -f /some/temporary-file
>> rm /some/temporary-file
>> Please take into account that it is just a very rough example I've put
>> up in less than a minute.
> We use Samba3/OpenLDAP in real life too :) When I'm not there, they use
> the YaST GUI, which has quite a nice point-and-click LDAP user and
> group module that links to the samba3 schema.
> Your echo ...> /some/temporary-file is a good idea. Would you include
> a default group for the user perhaps? e.g.
> samba-tool group addmembers $6 $1
> ($6 would already exist)
> Looking good. Thanks for your time. Will report back.
Hi Geza, hi everyone.
I had a go at the script. I called it s4user and got it down to 4
s4user <cn> <uid> <gid> <windows-group>
chmod +x s4user
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixAccount
-
add: uidNumber
uidNumber: $2
-
add: gidNumber
gidNumber: $3
-
add: unixHomeDirectory
unixHomeDirectory: /home/CACTUS/$1
-
add: loginShell
loginShell: /bin/bash" > "$1"  # lines between dn: and loginshell: are missing from the archived post; reconstructed from the usage line, the quoted example and the chown below
#ldbmodify -f /some/temporary-file
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "$1" -Y GSSAPI
samba-tool group addmembers "$4" "$1"
chown "$1:$4" "/home/CACTUS/$1"
./s4user steve6 3000030 2000 suseusers
Creating s4 posix user steve6
Pls enter pwd for steve6
User 'steve6' created successfully
SASL/GSSAPI authentication started
SASL username: Administrator@HH3.SITE
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=steve6,cn=Users,dc=hh3,dc=site"
Added members to group suseusers
hh3:/home/steve # exit
steve@hh3:~> su steve6
Warning: Your password will expire in 41 days on Tue 20 Mar 2012 14:52:02
steve6@hh3:/home/steve> cd ../CACTUS/steve6
steve6@hh3:~> touch hola
steve6@hh3:~> ls -la
drwxr-xr-x 2 steve6 suseusers 4096 Feb 7 14:53 .
drwxr-xr-x 10 root root 4096 Feb 7 14:52 ..
-rw-r--r-- 1 steve6 suseusers 0 Feb 7 14:53 hola
-rw------- 1 steve6 suseusers 48 Feb 7 14:52 .xauthoa0jlX
steve6@hh3:~>
I need to tidy the script up a bit and maybe put in some stuff like
checking for the nslcd pid and a 'usage:' message.
Just a couple of questions.
1. I couldn't get ldbmodify to work, which is why I used ldapmodify
instead. Any idea of the syntax?
2. This now bypasses winbind completely. I just happened to use a uid in
the range that winbind uses. Are there any rules for choosing uid numbers?
4. Is there an easy way to find the next free uid or reuse one from a
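Added example, not Steve's script or anything posted in the thread: it wraps the LDIF from the thread in a function and adds the piece the last question asks about, picking the next free uidNumber from the uidNumber values already in the directory. The 3000030 base follows the uid used above; the sample uidNumber values are constructed, and the sam.ldb path in the comment is an assumption. On the ldbmodify question, unlike ldapmodify it has no -f: the database is given with -H and the LDIF file is a positional argument, as in the comment at the end.

```shell
#!/bin/sh
# Added example, not the thread's script. The sam.ldb path, the uid base
# and the sample uidNumber values are assumptions / constructed data.

# build_posix_ldif <cn> <uidNumber> <gidNumber> <home> <shell> [basedn]
# Emits an LDIF modify record with a "-" separator after each change, which
# both ldbmodify and OpenLDAP's ldapmodify accept.
build_posix_ldif() {
    base=${6:-"dc=hh3,dc=site"}
    printf '%s\n' \
        "dn: cn=$1,cn=Users,$base" \
        "changetype: modify" \
        "add: objectClass" \
        "objectClass: posixAccount" \
        "-" \
        "add: uidNumber" \
        "uidNumber: $2" \
        "-" \
        "add: gidNumber" \
        "gidNumber: $3" \
        "-" \
        "add: unixHomeDirectory" \
        "unixHomeDirectory: $4" \
        "-" \
        "add: loginShell" \
        "loginShell: $5"
}

# next_free_uid <start>: reads "uidNumber: N" lines on stdin (the shape of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber
# output, path assumed) and prints the lowest number >= start not yet taken.
# Duplicates and numbers below <start> are skipped.
next_free_uid() {
    sed -n 's/^uidNumber:[[:space:]]*//p' | sort -n | awk -v start="$1" '
        BEGIN { n = start + 0 }
        $1 + 0 < n  { next }
        $1 + 0 == n { n++ }
        END { print n }'
}

# Constructed sample standing in for live ldbsearch output.
SAMPLE_UIDS='uidNumber: 3000030
uidNumber: 3000031
uidNumber: 3000033'

demo() {
    uid=$(printf '%s\n' "$SAMPLE_UIDS" | next_free_uid 3000030)   # 3000032
    build_posix_ldif steve6 "$uid" 2000 /home/CACTUS/steve6 /bin/bash
    # To apply (path assumed):
    #   build_posix_ldif steve6 "$uid" 2000 /home/CACTUS/steve6 /bin/bash > steve6.ldif
    #   ldbmodify -H /var/lib/samba/private/sam.ldb steve6.ldif
}

demo
```

Running the file prints the LDIF for steve6 with uidNumber 3000032, the first gap in the constructed list; feed real `ldbsearch` output to `next_free_uid` instead of `SAMPLE_UIDS` to allocate against the live directory.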