[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?

Adam Tauno Williams awilliam at whitemice.org
Thu Apr 9 13:08:46 MDT 2015


> > samba-tool
> Doesn't work, as evidently demonstrated recently in the list.

"Doesn't work" is a serious overstatement.

> > or write your own scripts.
> The problem with any homemade script is that it isn't portable, and only goes as
> far as the script writer's understanding of the things at hand.
> My personal understanding of the AD schema is very limited. I could throw
> something together, but in reality, I'd rather not do anything like that
> myself.
> All that being said, I see the situation as very disturbing. The lack of the
> very basic, essential tools to manage user/group creation... I'm speechless.

I do not understand why; your configuration is not standard, so the
configuration required some wrenching. You had scripts and glue all
over the place with a Samba3+LDAP configuration; I know, I came from
one.

Active Directory is LDAP, and no more baffling than OpenLDAP + custom
schema.

Creating an AD user via LDAP is pretty easy.


import ldap
import ldap.modlist as modlist
import ldap.sasl

AD_USER_ROOT_DN = 'OU=Users,dc=Example,dc=Com'
AD_UAC_MASK_SCRIPT = 1
AD_UAC_MASK_ACCOUNTDISABLE = 2
AD_UAC_MASK_HOMEDIR_REQUIRED = 8
AD_UAC_MASK_PASSWD_NOTREQD = 32
AD_UAC_MASK_NORMAL_ACCOUNT = 512
AD_UAC_MASK_DONT_EXPIRE_PASSWORD = 65536
AD_UAC_MASK_TRUSTED_FOR_DELEGATION = 524288
AD_UAC_MASK_PASSWORD_EXPIRED = 8388608

...

# Assumed function header (the original omits it); the parameters are simply
# the free variables the body below uses.
def create_ad_user(uri, uid, password, givenName, sn, displayName,
                   uidNumber, gidNumber, homeDirectory):
    pdc = ldap.initialize(uri)
    pdc.set_option(ldap.OPT_REFERRALS, 0)
    # Bind with the caller's Kerberos ticket (GSSAPI), so no bind password
    # lives in the script
    pdc.sasl_interactive_bind_s("", ldap.sasl.gssapi())

    # The dn of our new entry/object
    dn = 'cn={0},{1}'.format(uid, AD_USER_ROOT_DN, )

    # python-ldap on Python 2 takes str values; python-ldap 3.x on Python 3
    # requires bytes for every attribute value.
    attrs = {
        'objectclass':
            ['top',
             'person',
             'organizationalPerson',
             'user',
             'posixAccount', ],
        'cn': uid,
        'sAMAccountname': uid,
        'msSFU30Name': uid,
        'userPassword': str(password),
        'givenName': givenName,
        'sn': sn,
        'displayName': displayName,
        'uidNumber': str(uidNumber),
        'gidNumber': str(gidNumber),
        'unixHomeDirectory': homeDirectory,
        'loginShell': '/bin/bash',
        # The original listed pwdLastSet twice ('0', then '-1'); in a dict
        # literal the last value wins, so '-1' (password set now) is kept
        'pwdLastSet': '-1',
        'userPrincipalName': '{0}@example.com'.format(uid, ),
        'lockoutTime': '0',
        'msSFU30NisDomain': 'backbone',
        'homeDirectory': '\\\\FILESERVER\\homedir',
        'homeDrive': 'F:',
        'profilePath': '\\\\FILESERVER\\profiles\\{0}'.format(uid, ),
    }

    # Created disabled, as a normal account whose password does not expire
    attrs['userAccountControl'] = \
        str(
            AD_UAC_MASK_NORMAL_ACCOUNT +
            AD_UAC_MASK_ACCOUNTDISABLE +
            AD_UAC_MASK_DONT_EXPIRE_PASSWORD
        )

    ldif = modlist.addModlist(attrs)
    pdc.add_s(dn, ldif)



-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
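Added example, not code from the post or from Samba: the group-side counterpart of the user entry above (an AD group that is also a posixGroup), built in the same attr/value-list shape that addModlist() produces so it can be checked offline without a domain controller, plus a decoder for the userAccountControl bits the post composes. AD_GROUP_ROOT_DN and the sample group and member values are assumptions; the NIS domain name is the one from the post.

```python
# Added example (not from the post). Constructed names; no directory needed.
AD_GROUP_ROOT_DN = 'OU=Groups,dc=Example,dc=Com'   # assumed container
AD_NIS_DOMAIN = 'backbone'                          # value used in the post

# userAccountControl bit names, same values as the AD_UAC_MASK_* constants above
UAC_FLAGS = {
    1: 'SCRIPT', 2: 'ACCOUNTDISABLE', 8: 'HOMEDIR_REQUIRED',
    32: 'PASSWD_NOTREQD', 512: 'NORMAL_ACCOUNT',
    65536: 'DONT_EXPIRE_PASSWORD', 524288: 'TRUSTED_FOR_DELEGATION',
    8388608: 'PASSWORD_EXPIRED',
}


def decode_uac(value):
    """Return the set of flag names present in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def group_dn(cn):
    """DN of a group created under the assumed group container."""
    return 'cn={0},{1}'.format(cn, AD_GROUP_ROOT_DN)


def posix_group_modlist(cn, gidNumber, member_dns=()):
    """Build the add-modlist for an AD group carrying the posixGroup class.

    Returns [(attr, [bytes, ...]), ...], the shape ldap.modlist.addModlist()
    produces; values are encoded to bytes as python-ldap 3.x requires, so the
    result can go straight to conn.add_s(group_dn(cn), modlist).
    """
    if not isinstance(gidNumber, int) or gidNumber <= 0:
        raise ValueError('gidNumber must be a positive integer')
    attrs = {
        'objectClass': ['top', 'group', 'posixGroup'],
        'cn': [cn],
        'sAMAccountName': [cn],
        'msSFU30Name': [cn],              # RFC2307/SFU name, as on the user entry
        'msSFU30NisDomain': [AD_NIS_DOMAIN],
        'gidNumber': [str(gidNumber)],    # what matches the user's gidNumber
    }
    if member_dns:
        attrs['member'] = list(member_dns)
    return [(k, [v.encode('utf-8') for v in vals]) for k, vals in attrs.items()]
```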