[Samba] Creating samba4/AD users from ADUC

Rowland Penny rowlandpenny at googlemail.com
Wed Feb 5 10:09:17 MST 2014


On 05/02/14 16:45, Michael Brown wrote:
> On 14-02-05 11:08 AM, Rowland Penny wrote:
>>> Samba4 is behaving just like an MS server in this case.
>> Not entirely, as Steve said, if you use samba-tool to create a user
>> and add all the RFC2307 attributes, you do not get the
>> 'msSFU30NisDomain' attribute,
> That's a failing of samba-tool, not samba behaving differently than a
> Windows server. When attempting to create the user in the same way
> against a W2K8 server I end up with the same result. For reference:
>
> michael at sles-main:~> samba-tool user create -H ldap://ad1 -k yes
> --random-password --uid=bilbo --uid-number=10000 --gid-number=4000
> --surname=Baggins --given-name=Bilbo --login-shell=/bin/bash bilbo
> You are setting a Unix/RFC2307 UID or GID. You may want to set
> 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.
> ERROR(ldb): Failed to add user 'bilbo':  - LDAP error 53
> LDAP_UNWILLING_TO_PERFORM -  <0000001F: SvcErr: DSID-031A120C, problem
> 5003 (WILL_NOT_PERFORM), data 0
>> <>
> That error is because it didn't like the password. But the user is still
> added:
>
> michael at sles-main:~> ldbsearch -H ldap://ad1 -k yes uid=bilbo
> # record 1
> dn: CN=Bilbo Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Bilbo Baggins
> sn: Baggins
> givenName: Bilbo
> distinguishedName: CN=Bilbo
> Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
> instanceType: 4
> whenCreated: 20140205161737.0Z
> whenChanged: 20140205161737.0Z
> displayName: Bilbo Baggins
> uSNCreated: 370503
> uSNChanged: 370505
> name: Bilbo Baggins
> objectGUID: 78422517-6728-4731-8c3a-5171c3520fa7
> userAccountControl: 546
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2056100228-567660776-4045699350-1111
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: bilbo
> sAMAccountType: 805306368
> userPrincipalName: bilbo at main.adlab.netdirect.ca
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=main,DC=adlab,DC=netdi
>   rect,DC=ca
> dSCorePropagationData: 16010101000000.0Z
> uid: bilbo
> uidNumber: 10000
> gidNumber: 4000
> loginShell: /bin/bash
>

If you had created this user through ADUC, you would also have got the 
'msSFU30NisDomain', 'msSFU30Name' and 'unixHomeDirectory' attributes; 
you also would not have got the 'posixAccount' objectClass.

>> also the 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' attributes are
>> totally missing from AD.
> dn:
> CN=netdirect,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=netdirect,DC=ca
> msSFU30MaxUidNumber: 10002
>
> I'm missing MaxGidNumber, possibly since I haven't created any groups
> from ADUC.
>
> On that note… *creates unix group in ADUC*
>
> dn:
> CN=netdirect,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=ad,DC=netdirect,DC=ca
> msSFU30MaxGidNumber: 10001
>
> Looks like they default to 10000 and get updated as it goes.

If you check a newly provisioned samba4 DC, the MaxUidNumber and 
MaxGidNumber attributes are not present, but when you add a user or 
group, they are added, and yes, on Windows they default to 10000.

>
>> Not all of SFU is in ypServ30.ldif
> OK… what's missing? ADUC isn't complaining.

There is quite a bit missing, too much to post here, but as you say, 
samba4 seems to work without it ;-)

As an aside, that Bilbo Baggins gets about a bit, doesn't he LOL

Rowland

>
> M.
>
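As an added example (not part of this thread or of Samba's own code), a small Python check that parses an ldbsearch-style LDIF record and reports which of the attributes ADUC writes are missing and whether the 'posixAccount' objectClass is present. The two records, names and values are constructed; the attribute names are the ones discussed above.

```python
# Attributes ADUC's UNIX Attributes tab writes that samba-tool leaves out.
ADUC_ONLY = ("msSFU30NisDomain", "msSFU30Name", "unixHomeDirectory")

# Constructed sample records (not real directory data): one user as
# samba-tool creates it, one as ADUC would.  The objectCategory value is
# folded onto a continuation line (leading space) as ldbsearch prints it.
SAMBA_TOOL_USER = """\
dn: CN=Bilbo Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
objectClass: posixAccount
objectClass: user
sAMAccountName: bilbo
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=main,DC=adlab,DC=netdi
 rect,DC=ca
uid: bilbo
uidNumber: 10000
gidNumber: 4000
loginShell: /bin/bash
"""

ADUC_USER = """\
dn: CN=Frodo Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
objectClass: user
sAMAccountName: frodo
msSFU30NisDomain: main
msSFU30Name: frodo
uidNumber: 10001
gidNumber: 4000
unixHomeDirectory: /home/frodo
"""

def parse_ldif(text):
    """Parse one LDIF record into {attr: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded value: join to previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry

def check_rfc2307(entry):
    """Report how the record differs from what ADUC's UNIX Attributes tab writes."""
    return {
        "missing": [a for a in ADUC_ONLY if a not in entry],
        "has_posixAccount": "posixAccount" in entry.get("objectClass", []),
    }
```

Run it against `ldbsearch -H ldap://<dc> -k yes sAMAccountName=<user>` output to spot users whose NIS attributes differ depending on which tool created them.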