[Samba] Creating samba4/AD users from ADUC

steve steve at steve-ss.com
Thu Feb 6 02:45:15 MST 2014


On Wed, 2014-02-05 at 11:45 -0500, Michael Brown wrote:
> On 14-02-05 11:08 AM, Rowland Penny wrote:
> >> Samba4 is behaving just like an MS server in this case.
> > Not entirely, as Steve said, if you use samba-tool to create a user
> > and add all the RFC2307 attributes, you do not get the
> > 'msSFU30NisDomain' attribute, 
> That's a failing of samba-tool, not samba behaving differently than a
> Windows server. When attempting to create the user in the same way
> against a W2K8 server I end up with the same result. For reference:
> 
> michael at sles-main:~> samba-tool user create -H ldap://ad1 -k yes
> --random-password --uid=bilbo --uid-number=10000 --gid-number=4000
> --surname=Baggins --given-name=Bilbo --login-shell=/bin/bash bilbo
> You are setting a Unix/RFC2307 UID or GID. You may want to set
> 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.
> ERROR(ldb): Failed to add user 'bilbo':  - LDAP error 53
> LDAP_UNWILLING_TO_PERFORM -  <0000001F: SvcErr: DSID-031A120C, problem
> 5003 (WILL_NOT_PERFORM), data 0
> > <>
> 
> That error is because it didn't like the password. But the user is still
> added:
> 
> michael at sles-main:~> ldbsearch -H ldap://ad1 -k yes uid=bilbo
> # record 1
> dn: CN=Bilbo Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Bilbo Baggins
> sn: Baggins
> givenName: Bilbo
> distinguishedName: CN=Bilbo Baggins,CN=Users,DC=main,DC=adlab,DC=netdirect,DC=ca
> instanceType: 4
> whenCreated: 20140205161737.0Z
> whenChanged: 20140205161737.0Z
> displayName: Bilbo Baggins
> uSNCreated: 370503
> uSNChanged: 370505
> name: Bilbo Baggins
> objectGUID: 78422517-6728-4731-8c3a-5171c3520fa7
> userAccountControl: 546
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2056100228-567660776-4045699350-1111
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: bilbo
> sAMAccountType: 805306368
> userPrincipalName: bilbo at main.adlab.netdirect.ca
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=main,DC=adlab,DC=netdi
>  rect,DC=ca
> dSCorePropagationData: 16010101000000.0Z
> uid: bilbo
> uidNumber: 10000
> gidNumber: 4000
> loginShell: /bin/bash
> 

This is NOT what you get in an all m$ domain.
HTH
Steve




