[Samba] Creating samba4/AD users from ADUC

Stéphane PURNELLE stephane.purnelle at corman.be
Wed Feb 5 03:53:50 MST 2014


Who wrote these patches?


-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 05/02/2014 11:49:31:

> From: steve <steve at steve-ss.com>
> To: samba at lists.samba.org
> Date: 05/02/2014 11:50
> Subject: Re: [Samba] Creating samba4/AD users from ADUC
> Sent by: samba-bounces at lists.samba.org
> 
> On Tue, 2014-02-04 at 11:40 -0500, Michael Brown wrote:
> > We have a couple Samba4 AD domains we've implemented and I've noticed a
> > difference between how users look when created via ADUC versus samba-tool.
> > 
> > Created via ADUC, the following extra attributes are added:
> > msSFU30Name: bilbo
> > msSFU30NisDomain: netdirect
> > unixHomeDirectory: /home/bilbo
> > unixUserPassword: ABCD!efgh12345$67890
> > 
> > Created via samba-tool, the following extra attributes are added:
> > objectClass: posixAccount
> > uid: bilbo
> > 
> 
> Different;)
> 
> > (hey, why can't I tell samba-tool to give the user a unixHomeDirectory :( )
> Patches needed:
> https://db.tt/mDPVdg3G
> https://db.tt/YTKcaiPd
> Backup and overwrite:
> cp samdb.py /usr/local/samba/lib64/python2.7/site-packages/samba
> cp user.py /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd
> > 
> > In my ldap.conf, I'm using:
> > nss_map_attribute uid sAMAccountName
> > nss_map_attribute uniqueMember member
> > nss_map_attribute homeDirectory unixHomeDirectory
> > nss_map_attribute gecos displayName
> > pam_login_attribute sAMAccountName
> > pam_filter objectclass=posixAccount
> > pam_password ad
> > 
> You'll also need to add:
> uidNumber
> and
> gidNumber
> to User DN's if you already haven't.
> 
> There's a slick replacement for nss-ldap: nss-ldapd and specifically for
> Unix in AD, sssd and winbind.
> 
> > What are people doing for maintaining their Unix accounts in AD? Should
> > all the unix accounts also have oc posixAccount?
> > 
> No. It should not be visible in the user DN.
> 
> > Also, looks like samba-tool isn't adding the msSFU30NisDomain - this
> > makes the Unix attributes not enabled in ADUC. It should probably add
> > that, yes?
> > 
> 
> Unfortunately Samba4 does not behave as a m$ server as far as Unix
> clients are concerned. Fortunately, it doesn't need to since all the
> attributes we need can be added directly via samba-tool, apart from
> unixHomeDirectory as above. If you wish to use ADUC then there are some
> schema mods to make. I'm sure Rowland will chip in with those should you
> decide to go ahead.
> 
> Conclusion: Unix against a Samba4 DC needs workarounds. All really
> simple if you know what you're doing though.
> Cheers and HTH,
> Steve
> 
> 
> > M.
> > 
> > -- 
> > Michael Brown               | `One of the main causes of the fall of
> > Systems Consultant          | the Roman Empire was that, lacking zero,
> > Net Direct Inc.             | they had no way to indicate successful
> > ☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
> > 
> 
> 
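The thread above says a samba-tool-created user still needs uidNumber, gidNumber (and, until the patches land, unixHomeDirectory) before the quoted nss_map_attribute lines can resolve it. The following is an added example, not code from the thread or from Samba: it checks an AD user entry exported as LDIF for those attributes and builds the LDIF modify record that adds the missing ones. The sample entry, the DC=netdirect,DC=example base and the uid/gid/home values are constructed for the example.

```python
# Added example, not from the thread or from Samba: report which RFC2307
# attributes the quoted ldap.conf mapping depends on are missing from an AD
# user entry, and build the LDIF modify record that adds them.
# The sample entry and the uid/gid/home values below are constructed.

# Attributes the nss_map_attribute lines need beyond what AD always has.
REQUIRED_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory")

# Constructed entry, shaped like the samba-tool-created user in the thread.
SAMBA_TOOL_USER = """\
dn: CN=bilbo,CN=Users,DC=netdirect,DC=example
objectClass: user
objectClass: posixAccount
cn: bilbo
sAMAccountName: bilbo
displayName: Bilbo Baggins
uid: bilbo
"""

def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); attribute names are
    keyed lowercase because LDAP matches them case-insensitively."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def missing_rfc2307(attrs):
    """Names from REQUIRED_ATTRS the entry lacks; [] means NSS can map it."""
    return [a for a in REQUIRED_ATTRS if a.lower() not in attrs]

def add_ldif(dn, values):
    """LDIF 'changetype: modify' adding each attr/value, e.g. for ldbmodify."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in values.items():
        lines += [f"add: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"

def fix_user(text, uid_number, gid_number, home):
    """Return (missing, ldif); ldif is '' when the entry is already complete."""
    dn, attrs = parse_ldif(text)
    wanted = {"uidNumber": uid_number, "gidNumber": gid_number,
              "unixHomeDirectory": home}
    missing = missing_rfc2307(attrs)
    return missing, (add_ldif(dn, {k: wanted[k] for k in missing}) if missing else "")
```

Running `fix_user(SAMBA_TOOL_USER, 10001, 10000, "/home/bilbo")` reports all three attributes missing and returns a modify record you can feed to ldbmodify against the DC's sam.ldb (a hypothetical usage, not one the thread describes).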

