[Samba] Creating samba4/AD users from ADUC

Rowland Penny rowlandpenny at googlemail.com
Wed Feb 5 09:08:23 MST 2014

On 05/02/14 15:57, Michael Brown wrote:
> On 14-02-05 05:49 AM, steve wrote:
>> Patches needed:
>> https://db.tt/mDPVdg3G
>> https://db.tt/YTKcaiPd
>> Backup and overwrite:
>> cp samdb.py /usr/local/samba/lib64/python2.7/site-packages/samba
>> cp user.py /usr/local/samba/lib64/python2.7/site-packages/samba/netcmd
> Those aren't patches - how do I know they're applicable to my samba
> version? (sernet-samba-ad-4.1.4-7.el6.x86_64)
>>> In my ldap.conf, I'm using:
>>> nss_map_attribute uid sAMAccountName
>>> nss_map_attribute uniqueMember member
>>> nss_map_attribute homeDirectory unixHomeDirectory
>>> nss_map_attribute gecos displayName
>>> pam_login_attribute sAMAccountName
>>> pam_filter objectclass=posixAccount
>>> pam_password ad
>> You'll also need to add:
>> uidNumber
>> and
>> gidNumber
>> to User DNs if you haven't already.
>> There's a slick replacement for nss-ldap: nss-ldapd and specifically for
>> Unix in AD, sssd and winbind.
> Right. I'll get to work on trying to stitch that onto this SLES10 box
> right away… nope. :)
> Actually I found what seem to be the proper settings. I think I got the
> other ones off the wiki.
> # RFC 2307 (AD) mappings
> #nss_map_objectclass posixAccount user
> #nss_map_objectclass shadowAccount user
> #nss_map_attribute uid sAMAccountName
> #nss_map_attribute homeDirectory unixHomeDirectory
> #nss_map_attribute shadowLastChange pwdLastSet
> #nss_map_objectclass posixGroup group
> #nss_map_attribute uniqueMember member
> #pam_login_attribute sAMAccountName
> #pam_filter objectclass=User
> #pam_password ad
>> No. It should not be visible in the user DN.
> Why not? Other than for consistency's sake, it won't cause problems.
>>> Also, looks like samba-tool isn't adding the msSFU30NisDomain - this
>>> makes the Unix attributes not enabled in ADUC. It should probably add
>>> that, yes?
>>> Unfortunately Samba4 does not behave as a m$ server as far as Unix
>>> clients are concerned.
> Samba4 is behaving just like an MS server in this case.
Not entirely. As Steve said, if you use samba-tool to create a user and
add all the RFC2307 attributes, you do not get the 'msSFU30NisDomain'
attribute; also the 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber'
attributes are totally missing from AD.

>>> Fortunately, it doesn't need to since all the
>>> attributes we need can be added directly via samba-tool, apart from
>>> unixHomeDirectory as above. If you wish to use ADUC then there are some
>>> schema mods to make. I'm sure Rowland will chip in with those should you
>>> decide to go ahead.
> Those schema mods are already in place, since I can actually use the tool.

Not all of SFU is in ypServ30.ldif


>>> Conclusion: Unix against a Samba4 DC needs workarounds. All really
>>> simple if you know what you're doing though.
> You can generalize that to 'samba4 needs workarounds'.
> M.
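A quick way to find the users affected by the missing-attribute problem discussed above (an added example, not code from the thread or from Samba): it parses an LDIF export of user objects and reports which of the RFC 2307/SFU attributes each user lacks. The sample LDIF, DNs and account names are constructed.

```python
# Added example, not from the thread: audit an LDIF dump of AD user objects for the
# RFC 2307 / SFU attributes the nss_ldap mappings and ADUC's Unix tab rely on.
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "msSFU30NisDomain")

# Constructed sample: alice has all four, bob was created without msSFU30NisDomain.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
msSFU30NisDomain: example

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/bob
"""

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]}; leading-space lines continue a value."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]          # folded continuation line
        elif not raw.strip():
            if current:                            # blank line ends an entry
                entries.append(current)
            current, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            current.setdefault(attr, []).append(value.strip())
            last = attr
    if current:
        entries.append(current)
    return entries

def missing_unix_attrs(ldif_text, required=REQUIRED):
    """Map sAMAccountName -> list of required attributes the user entry lacks."""
    report = {}
    for e in parse_ldif(ldif_text):
        if "user" not in e.get("objectClass", []):  # skip groups, computers, etc.
            continue
        gaps = [a for a in required if a not in e]
        if gaps:
            report[e["sAMAccountName"][0]] = gaps
    return report
```

Feed it the output of an `ldbsearch` or `ldapsearch` export of the Users container; any account listed with `msSFU30NisDomain` missing is one whose Unix Attributes tab ADUC will not enable.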
