[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

Rowland Penny rowlandpenny at googlemail.com
Tue Dec 2 01:47:08 MST 2014


On 02/12/14 08:29, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 2:05 AM, Lars Hanke <debian at lhanke.de> wrote:
>
>> If you like to manage Unix users from the Unix side and ldbedit seems too
>> awkward, you might try my Python script: https://github.com/laotse/SambaPosix
>>
>> I appreciate comments, experiences, and contributions to make it a useful
>> tool.
>>
>
> Thanks Lars. I'm working on building a Perl API for Samba 4 for use with
> the SME Server (www.koozali.org). Your Python is a great check for what
> needs to go into a Perl API.
>
> I think I've finally got this all sorted out. After I set up a user using
> samba-tool user create, I'll pull the RID for this new user and then set
> the UID/GID = RID + 3000. I'll then set xidNumber = UIDNumber(GIDNumber),
> as appropriate.

If you do this, you must ensure that ADUC is never used to add Unix
attributes to a user; ADUC will never work like this.

>
> The other attributes can be set in a similar fashion as you have done.
>
> I'm not finding where we need these though for *nix auth:
>
> uid
> msSFU30Name
> msSFU30NisDomain

I do not think that these are really required at the moment, but they
are added by ADUC. My personal feelings are, because we are working with
what is basically a Windows server, we need to do things the Windows
way. This will stop problems happening if/when users/groups etc. are
added by ADUC, i.e. if Windows does it, we should do it and vice versa.
The problem, as I see it, is that Unix sysadmins are used to doing
things the Unix way against OpenLDAP etc. This was OK when dealing with
just Unix products, but now they are dealing with a quasi-Windows
product and are trying to bend it to Unix. This, in my opinion, will
only lead to disaster; you need to work with AD, not try and bend it to
suit your needs.

Rowland
> Can someone clarify what these are needed for?  SSSD doesn't seem to use
> them.
>
> Greg
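
The RID-based mapping discussed in this thread (uidNumber = RID + 3000), as an added example that is not part of the original messages or of the SambaPosix script: it decodes a binary objectSid, derives the UID, and rejects SIDs from another domain and UIDs already in use. The function names, the `in_use` set and the sample SIDs are assumptions made for illustration.

```python
import struct

UID_OFFSET = 3000  # offset proposed in the thread: uidNumber = RID + 3000


def parse_sid(blob):
    """Decode a binary objectSid into (string SID, RID)."""
    if len(blob) < 12 or blob[0] != 1:
        raise ValueError("not a revision-1 SID with at least one sub-authority")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])      # 32-bit, little-endian
    return "S-1-%d-%s" % (authority, "-".join(map(str, subs))), subs[-1]


def uid_for_sid(blob, domain_sid, in_use):
    """Return RID + UID_OFFSET; reject foreign-domain SIDs and collisions."""
    sid, rid = parse_sid(blob)
    if sid.rsplit("-", 1)[0] != domain_sid:
        # RIDs are only unique inside one domain, so the offset scheme is too.
        raise ValueError("%s is not in domain %s" % (sid, domain_sid))
    uid = rid + UID_OFFSET
    if uid in in_use:
        raise ValueError("uidNumber %d is already assigned" % uid)
    return uid


def build_sid(domain_sid, rid):
    """Helper that constructs sample binary SIDs (test data only)."""
    parts = domain_sid.split("-")
    subs = [int(p) for p in parts[3:]] + [rid]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample values, not taken from any real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_SID = "S-1-5-21-4444444-5555555-6666666"

if __name__ == "__main__":
    taken = set()
    for rid in (1105, 1106):
        uid = uid_for_sid(build_sid(DOMAIN_SID, rid), DOMAIN_SID, taken)
        taken.add(uid)
        print(rid, "->", uid)
```

The `in_use` set would be filled from the uidNumber values already present in the directory, including any assigned through ADUC, before a new one is written.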


