[Samba] Creating samba4/AD users from ADUC

Michael Brown michael at netdirect.ca
Wed Feb 5 09:45:55 MST 2014

On 14-02-05 11:08 AM, Rowland Penny wrote:
>> Samba4 is behaving just like an MS server in this case.
> Not entirely, as Steve said, if you use samba-tool to create a user
> and add all the RFC2307 attributes, you do not get the
> 'msSFU30NisDomain' attribute, 
That's a failing of samba-tool, not samba behaving differently than a
Windows server. When attempting to create the user in the same way
against a W2K8 server I end up with the same result. For reference:

michael at sles-main:~> samba-tool user create -H ldap://ad1 -k yes
--random-password --uid=bilbo --uid-number=10000 --gid-number=4000
--surname=Baggins --given-name=Bilbo --login-shell=/bin/bash bilbo
You are setting a Unix/RFC2307 UID or GID. You may want to set
'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.
ERROR(ldb): Failed to add user 'bilbo':  - LDAP error 53
LDAP_UNWILLING_TO_PERFORM -  <0000001F: SvcErr: DSID-031A120C, problem
5003 (WILL_NOT_PERFORM), data 0
> <>

That error is because it didn't like the password. But the user is still

michael at sles-main:~> ldbsearch -H ldap://ad1 -k yes uid=bilbo
# record 1
dn: CN=Bilbo Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bilbo Baggins
sn: Baggins
givenName: Bilbo
distinguishedName: CN=Bilbo
instanceType: 4
whenCreated: 20140205161737.0Z
whenChanged: 20140205161737.0Z
displayName: Bilbo Baggins
uSNCreated: 370503
uSNChanged: 370505
name: Bilbo Baggins
objectGUID: 78422517-6728-4731-8c3a-5171c3520fa7
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid: S-1-5-21-2056100228-567660776-4045699350-1111
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: bilbo
sAMAccountType: 805306368
userPrincipalName: bilbo at main.adlab.netdirect.ca
dSCorePropagationData: 16010101000000.0Z
uid: bilbo
uidNumber: 10000
gidNumber: 4000
loginShell: /bin/bash

> also the 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' attributes are
> totally missing from AD.
msSFU30MaxUidNumber: 10002

I'm missing MaxGidNumber, possibly since I haven't created any groups
from ADUC.

On that note… *creates unix group in ADUC*

msSFU30MaxGidNumber: 10001

Looks like they default to 10000 and get updated as it goes.

> Not all of SFU is in ypServ30.ldif
OK… what's missing? ADUC isn't complaining.


Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth

More information about the samba mailing list