[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)
Werthmuller, Derek
dwerthmu at ctg.albany.edu
Fri Nov 15 12:55:17 MST 2013
I don't believe that samba-tool allows you to manage group ids (gid) the same way as when you create new users. Like:
samba-tool user add <username> --uid-number=5000 --gid-number=5000 --unix-home=/exports/users/<username> --login-shell=/bin/bash
Would be great if you could do: /usr/bin/samba-tool group add <groupname> --gid-number=6000
Have seen references on the net about using ldapmodify to add/modify the gid for a group created via samba-tool.
-bash-4.1$ /usr/bin/samba-tool -V
4.1.1-SerNet-RedHat-7.el6S
bash-4.1$ /usr/bin/samba-tool group add -h
Options:
-h, --help show this help message and exit
-H URL, --URL=URL LDB URL for database or target server
--groupou=GROUPOU Alternative location (without domainDN counterpart) to
default CN=Users in which new user object will be
created
--group-scope=GROUP_SCOPE
Group scope (Domain | Global | Universal)
--group-type=GROUP_TYPE
Group type (Security | Distribution)
--description=DESCRIPTION
Group's description
--mail-address=MAIL_ADDRESS
Group's email address
--notes=NOTES Groups's notes
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
Version Options:
-V, --version Display version number
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Monday, October 28, 2013 2:39 AM
To: samba at lists.samba.org
Subject: Re: [Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)
On Mon, 2013-10-28 at 10:55 +1100, Trent W. Buck wrote:
> After a classicupgrade, I noticed some users and many groups were
> missing from samba4, that had been in samba3's LDAP.
>
> "No problem," I thought. "I'll just 'samba-tool group add' them."
>
> Except that groups created that way don't have things like gidNumber and
> objectClass: posixGroup, which means that nss_ldapd can't see them.
>
> Can I tell samba-tool to manage RFC2307 attributes as well as AD
> attributes?
Not with 4.0.9. You need 4.1 to be able to do that with samba-tool. With
4.1:
samba-tool group create --help
will get you a list of rfc2307 syntax.
> I can't find anything relevant in smb.conf(5) manpage.
>
> I wouldn't even care about this, but nss_winbind sees fewer accounts
> than wbinfo which in turn sees fewer accounts than samba-tool! So I
> gave up and fell back to nss-ldapd, thinking I was saved -- but now it
> seems workaround only works for classicupgraded accounts, not new ones.
>
classicupgrade accounts that had gidNumber will retain it. New groups do not have the gidNumber added. You can easily add it yourself using ldbmodify immediately after the group is created. For the Samba4 schema, you do not need to add the posixGroup class.
> I also thought about telling nslcd.conf to turn the SIDs into posix
> UIDs and GIDs on its own, but I can't see how to do that. The AD
> schema appears to store objectSid as a binary attr. I'm not even sure
> how to dump the ad schema as I would have examined cn=config in OpenLDAP.
There is a copy of the schema at:
YOURSAMBADIR/share/setup/ad-schema
If you want everything to just work, I'd suggest sssd v1.10 or newer which has a very good AD backend for stuff like you want.
HTH
Steve
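The "add gidNumber with ldbmodify right after creating the group" workaround Steve describes, written out as a small POSIX shell helper. This is an added example, not code from either poster or from the Samba project; it assumes sam.ldb lives at /var/lib/samba/private/sam.ldb and that the new group lands in CN=Users, and the caller passes the domain DN. It also refuses to reuse a gidNumber already present in the directory, since two groups sharing a gid would be indistinguishable to NSS.

```shell
#!/bin/sh
# Added example (not from the thread): create an AD group with samba-tool,
# then add the RFC2307 gidNumber that 'samba-tool group add' omits.
# Assumption: sam.ldb path below; override with SAM_DB=... in the environment.
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# Print the LDIF that ldbmodify needs to add gidNumber to an existing group.
# $1 = group name, $2 = numeric gid, $3 = domain DN (e.g. DC=example,DC=com)
# Pure function: only prints, so it can be checked without a running DC.
gid_ldif() {
    case "$2" in
        ''|*[!0-9]*) echo "gid must be numeric, got '$2'" >&2; return 1 ;;
    esac
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' \
        "$1" "$3" "$2"
}

# True if some object in sam.ldb already carries this gidNumber.
gid_in_use() {
    ldbsearch -H "$SAM_DB" "(gidNumber=$1)" dn | grep -q '^dn:'
}

# Create the group, add gidNumber, then read it back so a silent failure of
# either step is turned into a non-zero exit instead of a group NSS cannot see.
add_posix_group() {
    if gid_in_use "$2"; then
        echo "gidNumber $2 is already assigned; refusing to duplicate it" >&2
        return 1
    fi
    samba-tool group add "$1" || return 1
    gid_ldif "$1" "$2" "$3" | ldbmodify -H "$SAM_DB" || return 1
    ldbsearch -H "$SAM_DB" "(&(cn=$1)(gidNumber=$2))" dn | grep -q '^dn:'
}

# Usage: sh addgroup.sh <groupname> <gid> <domain DN>
if [ $# -eq 3 ]; then
    add_posix_group "$1" "$2" "$3"
fi
```

Run it as the same user that runs samba-tool (normally root), since sam.ldb is not world-writable; group names containing LDAP filter characters such as parentheses are not escaped here.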