[Samba] Creating samba4/AD users from ADUC

Rowland Penny rowlandpenny at googlemail.com
Wed Feb 5 04:46:22 MST 2014


On 05/02/14 10:53, Stéphane PURNELLE wrote:
> Who wrote these patches?
>
>
> -----------------------------------
> Stéphane PURNELLE                         Systems and Network Admin.
> IT Department              Corman S.A.           Tel : 00 32 (0)87/342467
>
> samba-bounces at lists.samba.org wrote on 05/02/2014 11:49:31:
>
>> From: steve <steve at steve-ss.com>
>> To: samba at lists.samba.org,
>> Date: 05/02/2014 11:50
>> Subject: Re: [Samba] Creating samba4/AD users from ADUC
>> Sent by: samba-bounces at lists.samba.org
>>
>> On Tue, 2014-02-04 at 11:40 -0500, Michael Brown wrote:
>>> We have a couple Samba4 AD domains we've implemented and I've noticed a
>>> difference between how users look when created via ADUC versus samba-tool.
>>> Created via ADUC, the following extra attributes are added:
>>> msSFU30Name: bilbo
>>> msSFU30NisDomain: netdirect
>>> unixHomeDirectory: /home/bilbo
>>> unixUserPassword: ABCD!efgh12345$67890
>>>
>>> Created via samba-tool, the following extra attributes are added:
>>> objectClass: posixAccount
>>> uid: bilbo
>>>
>> Different;)
>>
>>> (hey, why can't I tell samba-tool to give the user a unixHomeDirectory :( )
>> Patches needed:
>> https://db.tt/mDPVdg3G
>> https://db.tt/YTKcaiPd
>> Backup and overwrite:
>> cp samdb.py /usr/local/samba/lib64/python2.7/site-packages/samba
>> cp user.py /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd
>>> In my ldap.conf, I'm using:
>>> nss_map_attribute uid sAMAccountName
>>> nss_map_attribute uniqueMember member
>>> nss_map_attribute homeDirectory unixHomeDirectory
>>> nss_map_attribute gecos displayName
>>> pam_login_attribute sAMAccountName
>>> pam_filter objectclass=posixAccount
>>> pam_password ad
>>>
>> You'll also need to add:
>> uidNumber
>> and
>> gidNumber
>> to User DN's if you already haven't.
>>
>> There's a slick replacement for nss-ldap: nss-ldapd and specifically for
>> Unix in AD, sssd and winbind.
>>
>>> What are people doing for maintaining their Unix accounts in AD? Should
>>> all the unix accounts also have oc posixAccount?
>>>
>> No. It should not be visible in the user DN.
>>
>>> Also, looks like samba-tool isn't adding the msSFU30NisDomain - this
>>> makes the Unix attributes not enabled in ADUC. It should probably add
>>> that, yes?
>>>
>> Unfortunately Samba4 does not behave as a m$ server as far as Unix
>> clients are concerned. Fortunately, it doesn't need to since all the
>> attributes we need can be added directly via samba-tool, apart from
>> unixHomeDirectory as above. If you wish to use ADUC then there are some
>> schema mods to make. I'm sure Rowland will chip in with those should you
>> decide to go ahead.
>>
>> Conclusion: Unix against a Samba4 DC needs workarounds. All really
>> simple if you know what you're doing though.
>> Cheers and HTH,
>> Steve
>>
>>
>>> M.
>>>
>>> -- 
>>> Michael Brown               | `One of the main causes of the fall of
>>> Systems Consultant          | the Roman Empire was that, lacking zero,
>>> Net Direct Inc.             | they had no way to indicate successful
>>> ☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
Er, I think that would be me, and before you ask, I wrote it before you 
did and before I found out that posixAccount shouldn't be in there.

Rowland
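The thread compares the attributes ADUC and samba-tool put on a user and notes that an NSS/PAM client still needs uidNumber and gidNumber (and, for a usable home, unixHomeDirectory) on the user DN. The script below is an added example, not code from Samba or from any of the posters: it parses an `ldbsearch`-style LDIF entry to report which RFC 2307 attributes are missing, and generates a `changetype: modify` LDIF that adds them, optionally with the msSFU30Name/msSFU30NisDomain pair that ADUC writes for its Unix Attributes tab. It adds no posixAccount objectClass, matching the advice in the thread. The DN suffix DC=example,DC=com, the uid/gid numbers and the sample entry are constructed placeholders.

```python
"""Check and complete RFC 2307 Unix attributes on a Samba AD user entry.

Added example for this thread; not Samba code. The output of
unix_attrs_ldif() is plain LDIF and can be fed to ldbmodify or ldapmodify.
DC=example,DC=com and the uid/gid numbers below are constructed values.
"""
import base64
import re

# RFC 2849: a value may be written as "name: value" only if it is ASCII,
# does not begin with space, ':' or '<', and contains no NUL, CR or LF.
# Anything else must be written base64-encoded as "name:: value".
_SAFE_INIT = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
_SAFE_REST = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def ldif_attr(name, value):
    """Return one LDIF attribute line, base64-encoding the value if needed."""
    if isinstance(value, int):
        value = str(value)
    if value and _SAFE_INIT.match(value) and _SAFE_REST.match(value[1:]):
        return f"{name}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {b64}"


def parse_ldif_entry(text):
    """Parse one LDIF entry (as printed by ldbsearch) into {attr: [values]}.

    Folded continuation lines (leading single space) are joined and
    base64 ("::") values are decoded, so the result reflects real values.
    """
    entry = {}
    unfolded = re.sub(r"\n ", "", text.strip())
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    return entry


# What an nss_ldap/nslcd/sssd client needs on the user DN to build a passwd
# entry (uid and gecos are mapped from sAMAccountName/displayName per the
# ldap.conf quoted in the thread, so they are not listed here).
REQUIRED_FOR_NSS = ("uidNumber", "gidNumber", "unixHomeDirectory")


def missing_nss_attrs(entry):
    """Return the RFC 2307 attributes the entry still lacks, in order."""
    return [a for a in REQUIRED_FOR_NSS if a not in entry]


def unix_attrs_ldif(dn, uid_number, gid_number, home, shell="/bin/bash",
                    sam_account_name=None, nis_domain=None):
    """Build a modify LDIF adding uidNumber, gidNumber, unixHomeDirectory
    and loginShell to the user at `dn`.

    objectClass posixAccount is deliberately not added. If `nis_domain` is
    given, msSFU30Name and msSFU30NisDomain are added too; those are the
    attributes ADUC sets when the Unix Attributes tab is enabled.
    """
    if not (0 <= uid_number < 2**32 and 0 <= gid_number < 2**32):
        raise ValueError("uidNumber/gidNumber must be 32-bit unsigned")
    if not home.startswith("/"):
        raise ValueError("unixHomeDirectory must be an absolute path")
    changes = [("uidNumber", uid_number), ("gidNumber", gid_number),
               ("unixHomeDirectory", home), ("loginShell", shell)]
    if nis_domain:
        if not sam_account_name:
            raise ValueError("sam_account_name is needed for msSFU30Name")
        changes += [("msSFU30Name", sam_account_name),
                    ("msSFU30NisDomain", nis_domain)]
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for name, value in changes:
        lines += [f"add: {name}", ldif_attr(name, value), "-"]
    return "\n".join(lines) + "\n"


# Constructed sample mirroring what the thread says samba-tool produces:
# objectClass posixAccount and uid, but no uidNumber/gidNumber/home.
SAMBA_TOOL_ENTRY = """\
dn: CN=bilbo,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: bilbo
uid: bilbo
displayName:: QmlsYm8gQmFnZ2lucw==
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMBA_TOOL_ENTRY)
    print("missing:", missing_nss_attrs(entry))
    print(unix_attrs_ldif(entry["dn"][0], 10001, 10000, "/home/bilbo",
                          sam_account_name="bilbo", nis_domain="netdirect"))
```

Run it as `python3 unixattrs.py | ldbmodify -H <path to sam.ldb>` on the DC (after reviewing the printed LDIF); the missing-attribute check is the quick way to confirm what a given user actually carries before deciding whether ADUC or samba-tool created it.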
