[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 10:39:12 MDT 2015


On 09/04/15 17:17, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>> I've added a few domain users/groups for test, but they don't have uidNumber,
>>> even though the relevant schema is loaded?
>>> How can I tell it to include relevant schema for all newly created
>>> users/groups?
>>>
>>>
>> Well, you could try walking up to the DC and giving it a good talking to
>> :-D
>> But seriously, your choices are a bit limited, you can use ADUC on a
>> windows machine, this involves creating a user and then adding the
>> required attributes with the UNIX attributes tab. You could create your
>> users with samba-tool, but you will need the latest samba 4 to get all
>> the required attributes and you will still have to keep a record of the
>> uidNumbers & gidNumbers you have used, samba-tool will not do this.
>> Other than this, you can write your own scripts in your favourite
>> computer language.
> That's kind of not what I would expect from a Linux system.
> smbldap-tools were crude, but an order of magnitude more effective, as they
> allowed me to have a working installation for years without an issue, other than
> the inability to correctly join the only Win7 machine I had in the network.
> I have ~50 users in the domain; of them, 10 are Linux systems and 6 Windows,
> 25 are users that access Linux systems directly in one way or another, so
> they do need a correct uidNumber at all times, and 8 that only access the Linux file
> server through a Samba share. While not necessary, I would still like to see
> their SIDs resolved to uids properly when viewing the share from the Linux side.
> The last account? That is me. It has uid=1000 and is basically duplicated on
> all Linux systems already.
>
>

Well, tough: the smbldap-tools were written to do a job, map Windows
users to Unix users and vice versa. So what you need now is something to
do the same, except you don't have separate Unix users any more, just
users in AD who can also be Unix users.

If you want your Unix users to have the same IDs everywhere, you need to
use the RFC2307 attributes. At the moment, how the attributes get into
AD is up to you: use ADUC, samba-tool, or write your own scripts.

Rowland
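The "write your own scripts" option above leaves open the one thing Rowland says samba-tool will not do for you: keeping a record of which uidNumbers and gidNumbers are already taken. The script below is an added example and is not from this thread or from the Samba project. It treats the directory itself as that record: it parses an LDIF dump of the existing RFC2307 attributes (the sample dump is constructed; obtaining a real one with something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber gidNumber` and applying the output with `ldbmodify` are assumptions about your setup, not something the post states), picks the lowest free uidNumber at or above a starting value, and emits a `changetype: modify` LDIF record that adds `uidNumber`, `gidNumber`, `unixHomeDirectory` and `loginShell` to an existing AD user.

```python
"""Allocate the next free uidNumber from an LDIF dump of existing RFC2307
attributes and emit a modify-LDIF record for one AD user.

Added example, not code from the samba list post or the Samba project.
Assumptions: the dump comes from ldbsearch (or any LDIF source) and the
output is applied with ldbmodify; attribute names are the standard AD
RFC2307 ones (uidNumber, gidNumber, unixHomeDirectory, loginShell).
"""
import re

# Constructed sample dump: DNs and numbers are made up for this example.
# It includes an LDIF folded line (continuation line starting with a space)
# to show that folding is handled.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10002
gidNumber: 10000
description: folded line example
  continued here

# record 3
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 10000

# returned 3 records
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.

    Folded lines (a newline followed by a single space) are joined first,
    comments are skipped, and blank lines separate entries. Base64 values
    ("::") are kept as opaque strings, which is fine for numeric lookups.
    """
    entries = []
    current = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # base64 value marker
            value = value[1:]
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def used_ids(entries, attr):
    """Set of integer values of attr (e.g. 'uidNumber') found in the entries."""
    ids = set()
    for entry in entries:
        for value in entry.get(attr.lower(), []):
            if value.isdigit():
                ids.add(int(value))
    return ids


def next_free_id(used, start=10000):
    """Smallest id >= start that no existing entry already uses."""
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


def rfc2307_modify_ldif(dn, uid_number, gid_number, unix_home, login_shell="/bin/bash"):
    """LDIF modify record that adds the RFC2307 attributes to an existing user.

    Uses 'add' rather than 'replace' so applying it to a user that already
    has a uidNumber fails instead of silently changing an id in use.
    """
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"add: uidNumber\nuidNumber: {uid_number}\n-\n"
        f"add: gidNumber\ngidNumber: {gid_number}\n-\n"
        f"add: unixHomeDirectory\nunixHomeDirectory: {unix_home}\n-\n"
        f"add: loginShell\nloginShell: {login_shell}\n-\n"
    )


def allocate_for_user(ldif_dump, dn, gid_number, unix_home,
                      login_shell="/bin/bash", start=10000):
    """Return (allocated_uid, modify_ldif) for the user at dn."""
    entries = parse_ldif(ldif_dump)
    uid = next_free_id(used_ids(entries, "uidNumber"), start)
    return uid, rfc2307_modify_ldif(dn, uid, gid_number, unix_home, login_shell)


if __name__ == "__main__":
    uid, ldif = allocate_for_user(
        SAMPLE_LDIF, "CN=carol,CN=Users,DC=example,DC=com", 10000, "/home/carol")
    print(f"# allocated uidNumber {uid}")
    print(ldif, end="")
```

Running it on the sample prints a modify record for `carol` with `uidNumber: 10001` (the gap between alice and bob), while the existing gidNumber 10000 is reused for the primary group. Two caveats for real use: the dump-then-modify sequence is not atomic, so two administrators running it at the same moment could both be handed the same free id (serialise the script, or re-run the search right before applying); and the allocation only sees the part of the directory you dumped, so search the whole domain, not one OU.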


More information about the samba mailing list