[Samba] Missing option in samba-tool user add

Rowland Penny rowlandpenny at googlemail.com
Tue Jan 21 12:46:36 MST 2014

On 21/01/14 18:52, Chan Min Wai wrote:
> Hi Rowland,
> That really depend on how system get the user information.
> Adding posixAccount objectclass denote that the use have access to
> linux/unix
> if using nslcd (nss-pam-ldapd) for example if we apply filter
> filter passwd
> (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
This should be (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)) if 
connecting to an AD server

> This will make it so that only users with posixAccount objectclass are only
> consider a linux users on the system.
> You can also do this by creating an extra OU and put it in filter.
> But still it would be meaningless if the users in this OU is without
> uidNumber or unixHomeDirectory.
> so Objectclass posixAccount force it to MUST have the following attribute.
> "cn", "uid", "uidNumber", "gidNumber", "homeDirectory"

Er, in AD posixAccount does not actually force the adding of any 
attributes, in fact if you wanted to, you could add it without any of 
the attributes at all.
See MS-AD_Schema_2K8_Classes.txt, where you will find:

mayContain: uid, cn, uidNumber, gidNumber, unixHomeDirectory, homeDirectory, 
userPassword, unixUserPassword, loginShell, gecos, description

> which make it an linux user :)
> Still if you are using winbind and let all users to have access to linux,
> that also can be done without posixAccount.
> But the main question is if windows RSAT user tools will add it.

No question at all, they will not.

> If it is added by the users and computer management tools then there is no
> harm to add it in since it is already there.
> As long as all platforms supported by winbind/nslcd don't require
> this objectclass...
> Else we will need to add it as a backwards compatibility thing.

Again you are missing the point, AD is not LDAP and anything that 
connects to samba4 should do this in the same way that it would to a 
windows AD server, you never know, it might actually be a windows AD 
server or the info was added by ADUC or similar.

> Thank You
> On Tue, Jan 21, 2014 at 4:57 PM, Rene van Schijndel <rvs at prisma-spo.nl> wrote:
>> Thanks again, Rowland.
>> Your modifications work fine.
>>> On 20 January 2014 at 14:21 Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>> On 15/01/14 11:45, Rene van Schijndel wrote:
>>>> Hi Steve,
>>>> Thanks for your reply.
>>>> Where can I find the updates? I don't see them.
>>>> I am new to this list so maybe I am doing something wrong.
>>>> Rene.
>>>>> On 15 January 2014 at 12:27 steve <steve at steve-ss.com> wrote:
>>>>> On Wed, 2014-01-15 at 11:16 +0100, Rene van Schijndel wrote:
>>>>>> Hello,
>>>>>> I am trying to create a user with the samba-tool.
>>>>>> With this user I want to log in to a Windows system and a Linux shell.
>>>>>> I can set everything I need with samba-tool user add except the
>>>>>> unixHomeDirectory
>>>>>> path.
>>>>>> Is there an easy way to do this?
>>>>>> Rene.
>>>>> Hi
>>>>> Here are the updates to get unixHomeDirectory (**) working as
>>>>> expected.
>>>>> HTH
>>>>> Steve
>>>>> No thanks to me btw. Rowland tipped me off;)
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>> OK, I altered the two files that I sent you myself, but did not know how
>>> to submit them to samba for inclusion. A few months later another user,
>>> Stéphane Purnelle, then came up with something similar, but he also
>>> altered group.py to give the option to add the gidNumber.
>>> I, at that time, objected to his updates because the update added the
>>> posixAccount & posixGroup objectClasses, these, in my opinion, should
>>> not be added because no windows tools will add them. The reason that
>>> windows never adds the posix objectclasses is because they are
>>> auxiliaries of other objectclasses that windows does add, in case you do
>>> not fully understand this, it means that all the posix attributes get
>>> added to the windows objectclasses and are available for use without
>>> actually adding the posix objectClasses.
>>> This all started about 3 months ago and I do not know why nothing has
>>> yet made its way into samba 4.
>>> I have attached 3 new files, two are updates to the files that I have
>>> already sent, they have all been updated to also include Stephane's
>>> updates but without adding posix objectClasses, test them at your own
>>> risk.
>>> Rowland
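The point made in this thread (RFC2307 attributes such as uidNumber and unixHomeDirectory can be set on a plain AD `user` object without adding the posixAccount objectClass, and samba-tool user add at the time had no option for unixHomeDirectory) can be illustrated with the following added example; it is not code from the thread, from Samba, or from any of the attached patches. It assumes ldbmodify from the ldb tools is available and that the sam.ldb path and the DN, ids and home directory in the usage comment are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the thread or Samba: after `samba-tool user add`
# has created the AD user, emit an LDIF "modify" that adds the RFC2307
# attributes directly to the existing `user` object. No posixAccount
# objectClass is added, matching how Windows tools store these attributes.
#
# usage: unix_attrs_ldif DN UIDNUMBER GIDNUMBER HOMEDIR LOGINSHELL
unix_attrs_ldif() {
    dn=$1; uidnum=$2; gidnum=$3; home=$4; login_shell=$5

    # Reject malformed input before it reaches the directory: ids must be
    # numeric and the unix home must be an absolute path.
    case $uidnum in ''|*[!0-9]*) echo "bad uidNumber: $uidnum" >&2; return 1;; esac
    case $gidnum in ''|*[!0-9]*) echo "bad gidNumber: $gidnum" >&2; return 1;; esac
    case $home in /*) ;; *) echo "unixHomeDirectory must be absolute: $home" >&2; return 1;; esac

    # One LDIF change record; "-" separates the individual attribute adds.
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uidnum"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gidnum"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'add: loginShell\nloginShell: %s\n' "$login_shell"
}

# Example run on a Samba AD DC (assumed placeholder values; not executed here):
#   samba-tool user add rene
#   unix_attrs_ldif 'CN=rene,CN=Users,DC=example,DC=com' 10001 10001 /home/rene /bin/bash \
#       | ldbmodify -H /var/lib/samba/private/sam.ldb
```

Because only attributes are added, an nslcd filter of the form `(&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))` will match the user afterwards, while one requiring `objectClass=posixAccount` will not.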
