[Samba] Creating samba4/AD users from ADUC
steve
steve at steve-ss.com
Wed Feb 5 03:49:31 MST 2014
On Tue, 2014-02-04 at 11:40 -0500, Michael Brown wrote:
> We have a couple Samba4 AD domains we've implemented and I've noticed a
> difference between how users look when created via ADUC versus samba-tool.
>
> Created via ADUC, the following extra attributes are added:
> msSFU30Name: bilbo
> msSFU30NisDomain: netdirect
> unixHomeDirectory: /home/bilbo
> unixUserPassword: ABCD!efgh12345$67890
>
> Created via samba-tool, the following extra attributes are added:
> objectClass: posixAccount
> uid: bilbo
>
Different;)
> (hey, why can't I tell samba-tool to give the user a unixHomeDirectory :( )
Patches needed:
https://db.tt/mDPVdg3G
https://db.tt/YTKcaiPd
Backup and overwrite:
cp samdb.py /usr/local/samba/lib64/python2.7/site-packages/samba
cp user.py /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd
>
> In my ldap.conf, I'm using:
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uniqueMember member
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute gecos displayName
> pam_login_attribute sAMAccountName
> pam_filter objectclass=posixAccount
> pam_password ad
>
You'll also need to add:
uidNumber
and
gidNumber
to User DN's if you already haven't.
There's a slick replacement for nss-ldap: nss-ldapd and specifically for
Unix in AD, sssd and winbind.
> What are people doing for maintaining their Unix accounts in AD? Should
> all the unix accounts also have oc posixAccount?
>
No. It should not be visible in the user DN.
> Also, looks like samba-tool isn't adding the msSFU30NisDomain - this
> makes the Unix attributes not enabled in ADUC. It should probably add
> that, yes?
>
Unfortunately Samba4 does not behave as a m$ server as far as Unix
clients are concerned. Fortunately, it doesn't need to since all the
attributes we need can be added directly via samba-tool, apart from
unixHomeDirectory as above. If you wish to use ADUC then there are some
schema mods to make. I'm sure Rowland will chip in with those should you
decide to go ahead.
Conclusion: Unix against a Samba4 DC needs workarounds. All really
simple if you know what you're doing though.
Cheers and HTH,
Steve
> M.
>
> --
> Michael Brown | `One of the main causes of the fall of
> Systems Consultant | the Roman Empire was that, lacking zero,
> Net Direct Inc. | they had no way to indicate successful
> ☎: +1 519 883 1172 x5106 | termination of their C programs.' - Firth
>
More information about the samba
mailing list