[Samba] Creating samba4/AD users from ADUC

Michael Brown michael at netdirect.ca
Wed Feb 5 08:57:08 MST 2014

On 14-02-05 05:49 AM, steve wrote:
> Patches needed:
> https://db.tt/mDPVdg3G
> https://db.tt/YTKcaiPd
> Backup and overwrite:
> cp samdb.py /usr/local/samba/lib64/python2.7/site-packages/samba
> cp user.py /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd
Those aren't patches - how do I know they're applicable to my samba
version? (sernet-samba-ad-4.1.4-7.el6.x86_64)
>> In my ldap.conf, I'm using:
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute uniqueMember member
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute gecos displayName
>> pam_login_attribute sAMAccountName
>> pam_filter objectclass=posixAccount
>> pam_password ad
> You'll also need to add:
> uidNumber
> and
> gidNumber
> to User DN's if you already haven't.
> There's a slick replacement for nss-ldap: nss-ldapd and specifically for
> Unix in AD, sssd and winbind.
Right. I'll get to work on trying to stitch that onto this SLES10 box
right away… nope. :)

Actually I found what seem to be the proper settings. I think I got the
other ones off the wiki.

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

> No. It should not be visible in the user DN.
Why not? Other than for consistency's sake, it won't cause problems.
>> Also, looks like samba-tool isn't adding the msSFU30NisDomain - this
>> makes the Unix attributes not enabled in ADUC. It should probably add
>> that, yes?

>> Unfortunately Samba4 does not behave as a m$ server as far as Unix
>> clients are concerned.
Samba4 is behaving just like an MS server in this case.
>> Fortunately, it doesn't need to since all the
>> attributes we need can be added directly via samba-tool, apart from
>> unixHomeDirectory as above. If you wish to use ADUC then there are some
>> schema mods to make. I'm sure Rowland will chip in with those should you
>> decide to go ahead.
Those schema mods are already in place, since I can actually use the tool.
>> Conclusion: Unix against a Samba4 DC needs workarounds. All really
>> simple if you know what you're doing though.
You can generalize that to 'samba4 needs workarounds'.


Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
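Added example, not from this thread or from Samba: a small Python script that applies the nss_map_attribute lines discussed above to an AD user entry and builds the passwd(5) line nss-ldap would hand to NSS, reporting which RFC 2307 attributes (uidNumber, gidNumber) are missing when the Unix attributes were never set. The ldap.conf fragment and user entries are constructed sample data; the function names are my own.

```python
# Constructed ldap.conf fragment using the mappings quoted in the thread.
LDAP_CONF = """
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos displayName
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
"""

# Constructed AD user with the RFC 2307 attributes populated ...
SAMPLE_USER = {
    "sAMAccountName": "jdoe", "displayName": "Jane Doe",
    "uidNumber": 10001, "gidNumber": 10000,
    "unixHomeDirectory": "/home/jdoe", "loginShell": "/bin/bash",
}
# ... and one created without them (what the reply warns about).
SAMPLE_USER_NO_POSIX = {"sAMAccountName": "svc-backup", "displayName": "Backup"}


def parse_attribute_map(conf):
    """Return {rfc2307_attr: ad_attr} from nss_map_attribute lines.
    Blank lines and '#' comments are ignored, so a commented-out block
    (as in the mail above) yields no mappings at all."""
    mapping = {}
    for line in conf.splitlines():
        parts = line.strip().split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            mapping[parts[1]] = parts[2]
    return mapping


def build_passwd_line(entry, mapping):
    """Build 'uid:x:uidNumber:gidNumber:gecos:home:shell' from an AD entry.
    Returns (line, missing); line is None when a required attribute is absent."""
    def get(field):
        # Fields without a mapping keep their RFC 2307 name (uidNumber, gidNumber).
        return entry.get(mapping.get(field, field))
    missing = [f for f in ("uid", "uidNumber", "gidNumber") if get(f) is None]
    if missing:
        return None, missing
    line = "%s:x:%s:%s:%s:%s:%s" % (
        get("uid"), get("uidNumber"), get("gidNumber"),
        get("gecos") or "", get("homeDirectory") or "", get("loginShell") or "/bin/sh")
    return line, []
```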
