[Samba] samba member logon.. question.
Andrey Repin
anrdaemon at yandex.ru
Thu Apr 9 10:09:39 MDT 2015
Greetings, Rowland Penny!
>>> You are using python, which to me is a very big snake, so I bash it :-D
>>> I just use these two functions in a bash script:
>>> # Finds the next useable user uidNumber or group gidNumber
>>> # Input : $1
>>> # $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
>>> # Output : the first free uidNumber or gidNumber
>>> _findnext () {
>>>     ATTR="$1"
>>>     if [ -z "${ATTR}" ]; then
>>>         error "No Attribute supplied"
>>>         error "Cannot continue... Exiting."
>>>         exit 1
>>>     fi
>>>     _NEXTID=$(ldbsearch -H "${LDBDB}" \
>>>         -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" \
>>>         -s sub '(objectClass=msSFU30DomainInfo)' "${ATTR}" | grep "${ATTR}: " |
>>>         awk '{print $NF}')
>>>     if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>>>         _NEXTID="10000"
>>>     fi
>>> }
>>> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
>>> # Input : $1 $2
>>> # $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
>>> # $2: Next Number
>>> #
>>> # Output : Nothing
>>> _updatemax () {
>>>     ATTR="$1"
>>>     IDNUM="$2"
>>>     if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>>>         error "Incomplete data supplied."
>>>         error "Cannot continue... Exiting."
>>>         exit 1
>>>     fi
>>>     echo "Updating ${ATTR}"
>>>     IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
>>> changetype: modify
>>> replace: ${ATTR}
>>> ${ATTR}: ${IDNUM}"
>>>     echo "${IDLDIF}" | ldbmodify -H "${LDBDB}"
>>>     if [ $? != 0 ]; then
>>>         error "Error updating ${ATTR} in AD."
>>>         # keep the LDIF that failed so it can be inspected
>>>         echo "${IDLDIF}" > /tmp/update.ldif
>>>         exit 1 # exits here if error
>>>     fi
>>>     unset IDLDIF
>>>     echo "Successfully updated ${ATTR} in AD"
>>> }
>> That will only work on a domain controller.
> Well yes it will only work on a DC because that is where the AD records
> are stored, but it can be run from another Linux machine.
>> I don't want to touch it at all,
>> if I don't need to blow it apart.
> Well, seeing as it is only doing what ADUC does, I do not see it blowing
> up your AD DC.
>> Not to mention, it will not add "objectClass: posixAccount" to the user,
> How many times do I have to say this:
> DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
> NEVER ADD THEM.
They are not required for AD, but they are required for other tools that work
off AD LDAP.
Don't scream like that, you may startle someone.
>> causing all sorts of grief in the long run.
> WHY ??
Because my auth tools, for instance, expect posixAccount class and check for
it before processing further with authentication.
--
With best regards,
Andrey Repin
Thursday, April 9, 2015 19:06:39
Sorry for my terrible English...
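
Added example (not part of the original message and not Samba code): a bash check over ldbsearch-style LDIF that lists accounts which carry a uidNumber but no posixAccount objectClass, i.e. the accounts that a tool testing for that class before authenticating would skip. The sample entries and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. The LDIF below is constructed sample data, not real directory output.
sample_ldif() {
cat <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: bob
uidNumber: 10002

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
EOF
}

# Reads LDIF on stdin (entries separated by blank lines) and prints
# "<sAMAccountName> <uidNumber> <class-present|class-missing>" for every
# entry that has a uidNumber. Entries without uidNumber are ignored.
classify_posix() {
    awk '
        function emit() {
            if (uid != "") print name, uid, (posix ? "class-present" : "class-missing")
            name = ""; uid = ""; posix = 0
        }
        /^$/ { emit(); next }
        tolower($0) == "objectclass: posixaccount" { posix = 1 }
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { uid = $2 }
        END { emit() }
    '
}

# Names only: accounts with a uidNumber that a posixAccount-gated tool would skip.
missing_class() { classify_posix | awk '$3 == "class-missing" { print $1 }'; }

sample_ldif | classify_posix
```

On a real system the input would come from an ldbsearch or ldapsearch query for user objects instead of sample_ldif.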