[Samba] samba member logon.. question.

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 10:31:40 MDT 2015


On 09/04/15 17:09, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> You are using python, which to me is a very big snake, so I bash it :-D
>>>> I just use these two functions in a bash script:
>>>> # Finds the next useable user uidNumber or group gidNumber
>>>> # Input : $1
>>>> # $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
>>>> # Output : the first free uidNumber or gidNumber, left in _NEXTID
>>>> # (error, LDBDB, domainNETBios and domainDN are set elsewhere in the script)
>>>> _findnext () {
>>>>      ATTR="$1"
>>>>      if [ -z "${ATTR}" ]; then
>>>>          error "No Attribute supplied"
>>>>          error "Cannot continue... Exiting."
>>>>          exit 1
>>>>      fi
>>>>      # Read the counter from the ypServ30 domain object
>>>>      _NEXTID=$(ldbsearch -H "${LDBDB}" -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" -s sub '(objectClass=msSFU30DomainInfo)' "${ATTR}" | grep "${ATTR}: " | awk '{print $NF}')
>>>>      # Never hand out an id below 10000
>>>>      if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>>>>          _NEXTID="10000"
>>>>      fi
>>>> }
>>>> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
>>>> # Input : $1 $2
>>>> # $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
>>>> # $2: Next Number
>>>> #
>>>> # Output : Nothing
>>>> _updatemax () {
>>>>      ATTR="$1"
>>>>      IDNUM="$2"
>>>>      if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>>>>          error "Incomplete data supplied."
>>>>          error "Cannot continue... Exiting."
>>>>          exit 1
>>>>      fi
>>>>      echo "Updating ${ATTR}"
>>>>      # LDIF replacing the counter on the same ypServ30 object
>>>>      IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
>>>> changetype: modify
>>>> replace: ${ATTR}
>>>> ${ATTR}: ${IDNUM}"
>>>>      echo "${IDLDIF}" | ldbmodify -H "${LDBDB}"
>>>>      if [ $? -ne 0 ]; then
>>>>          error "Error updating ${ATTR} in AD."
>>>>          # keep the failed LDIF for inspection
>>>>          echo "${IDLDIF}" > /tmp/update.ldif
>>>>          exit 1 # exits here if error
>>>>      fi
>>>>      unset IDLDIF
>>>>      echo "Successfully updated ${ATTR} in AD"
>>>> }
>>> That will only work on a domain controller.
>> Well yes it will only work on a DC because that is where the AD records
>> are stored, but it can be run from another Linux machine.
>>> I don't want to touch it at all,
>>> if I don't need to blow it apart.
>> Well, seeing as it is only doing what ADUC does, I do not see it blowing
>> up your AD DC.
>>> Not to mention, it will not add "objectClass: posixAccount" to the user,
>> How many times do I have to say this:
>> DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
>> NEVER ADD THEM.
> They are not required for AD, but they are required for other tools that work
> off AD LDAP.
> Don't scream like that, you may startle someone.

If your tools rely on the posix objectclasses being there, then they are 
broken. The posix objectclasses are auxiliaries of other AD 
objectclasses and, as such, no Windows tools will add them.

>
>>> causing all sort of grief in a long run.
>> WHY ??
> Because my auth tools, for instance, expect posixAccount class and check for
> it before processing further with authentication.
>

Your auth tools are broken or set up incorrectly.

Rowland
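As an added example (not Rowland's script and not Samba's own code), here is the full allocation step the thread is arguing about, written so that the pieces which need a DC (the two ldb calls) are separated from the pieces that can be checked anywhere (LDIF unfolding, counter parsing, LDIF generation). It reads msSFU30MaxUidNumber from the ypServ30 object, sets uidNumber, gidNumber, unixHomeDirectory and loginShell on an existing user and advances the counter, without touching the user's objectClass, which is the behaviour Rowland describes for ADUC. The sam.ldb path, the domain DN, the NETBIOS name, the /home and /bin/bash defaults and the 10000 floor are assumptions (the floor copies the posted script); the sAMAccountName is escaped before it is placed in the LDAP filter.

```bash
#!/bin/bash
# Added example, not Rowland's script or Samba code: allocate the next RFC2307
# uidNumber from the ypServ30 counter and set it on an existing AD user without
# adding "objectClass: posixAccount". Needs Samba's ldbsearch/ldbmodify.
# The paths and names below are assumptions; override them in the environment.

LDBDB="${LDBDB:-/usr/local/samba/private/sam.ldb}"   # or an ldap:// URL (add -U)
domainDN="${domainDN:-DC=example,DC=com}"
domainNETBios="${domainNETBios:-EXAMPLE}"
YPDN="CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}"
ID_FLOOR=10000   # same floor as the posted script

# Join LDIF continuation lines (a leading space) back onto the previous line.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# Escape a value for use inside an LDAP search filter (RFC 4515), so a name
# like "jdoe)(objectClass=*" cannot widen the search.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read "<attr>: <n>" from ldbsearch output on stdin and print the id to use.
# An absent, non-numeric or too-small counter falls back to ID_FLOOR.
parse_next_id() {
    local attr="$1" val
    val=$(unfold_ldif | awk -v a="${attr}:" '$1 == a { print $2 }')
    case "$val" in
        ''|*[!0-9]*) val="$ID_FLOOR" ;;
        *) [ "$val" -ge "$ID_FLOOR" ] || val="$ID_FLOOR" ;;
    esac
    printf '%s\n' "$val"
}

# Print the dn of the first entry in ldbsearch output on stdin.
parse_dn() {
    unfold_ldif | awk '$1 == "dn:" { sub(/^dn: /, ""); print; exit }'
}

# LDIF that sets the RFC2307 attributes on a user. No objectClass change:
# uidNumber, gidNumber, unixHomeDirectory and loginShell are already optional
# attributes of the AD user class, which is why ADUC never adds posixAccount.
user_ldif() {
    local user_dn="$1" uid="$2" gid="$3" sam="$4"
    printf '%s\n' "dn: ${user_dn}" "changetype: modify" \
        "replace: uidNumber" "uidNumber: ${uid}" "-" \
        "replace: gidNumber" "gidNumber: ${gid}" "-" \
        "replace: unixHomeDirectory" "unixHomeDirectory: /home/${sam}" "-" \
        "replace: loginShell" "loginShell: /bin/bash" "-"
}

# LDIF that advances the ypServ30 counter past the id just handed out.
counter_ldif() {
    local attr="$1" next="$2"
    printf '%s\n' "dn: ${YPDN}" "changetype: modify" "replace: ${attr}" "${attr}: ${next}" "-"
}

# Resolve the user, read the counter, apply both modifications. The read and
# the write are separate ldb operations, so serialise callers (e.g. flock)
# if two allocations could ever run at the same time.
allocate_uid() {
    local sam="$1" gid="$2" user_dn uid
    user_dn=$(ldbsearch -H "$LDBDB" -b "$domainDN" -s sub \
        "(&(objectClass=user)(sAMAccountName=$(ldap_escape "$sam")))" sAMAccountName | parse_dn)
    if [ -z "$user_dn" ]; then
        echo "no user ${sam} under ${domainDN}" >&2
        return 1
    fi
    uid=$(ldbsearch -H "$LDBDB" -b "$YPDN" -s base '(objectClass=msSFU30DomainInfo)' \
        msSFU30MaxUidNumber | parse_next_id msSFU30MaxUidNumber)
    user_ldif "$user_dn" "$uid" "$gid" "$sam" | ldbmodify -H "$LDBDB" || return 1
    counter_ldif msSFU30MaxUidNumber "$((uid + 1))" | ldbmodify -H "$LDBDB" || return 1
    echo "${sam}: uidNumber=${uid} gidNumber=${gid}"
}

# Usage: ./allocate_uid.sh <sAMAccountName> <gidNumber>; does nothing when
# run without arguments so the functions above can be sourced and reused.
if [ "$#" -ge 2 ]; then
    allocate_uid "$1" "$2"
fi
```

Run it on a DC as `./allocate_uid.sh jdoe 10000` (the gidNumber is whatever you have given Domain Users). Two things worth keeping in mind: the counter is read and then rewritten in separate operations, so concurrent runs can hand out the same uidNumber unless you serialise them, and the script never writes an objectClass, so a consumer that filters on `(objectClass=posixAccount)` will not see these users even though winbind will.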
