[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
Adam Tauno Williams
awilliam at whitemice.org
Thu Apr 9 13:08:46 MDT 2015
> > samba-tool
> Doesn't work, as evidently demonstrated recently in the list.
"Doesn't work" is a serious overstatement.
> > or write your own scripts.
> The problem with any homemade script is that it isn't portable, and only goes as
> far as the script writer's understanding of the things at hand.
> My personal understanding of the AD schema is very limited. I could throw
> something together, but in reality, I'd rather not do anything like that
> myself.
> All that being said, I see the situation as very disturbing. The lack of the
> very basic, essential tools to manage user/group creation... I'm speechless.
I do not understand why; your configuration is not standard - so the
configuration required some wrenching. You had scripts and glue all
over the place with a Samba3+LDAP configuration; I know, I came from
one.
Active Directory is LDAP, and no more baffling than OpenLDAP + custom
schema.
Creating an AD user via LDAP is pretty easy.
import ldap
import ldap.sasl
from ldap import modlist

AD_USER_ROOT_DN = 'OU=Users,dc=Example,dc=Com'
AD_UAC_MASK_SCRIPT = 1
AD_UAC_MASK_ACCOUNTDISABLE = 2
AD_UAC_MASK_HOMEDIR_REQUIRED = 8
AD_UAC_MASK_PASSWD_NOTREQD = 32
AD_UAC_MASK_NORMAL_ACCOUNT = 512
AD_UAC_MASK_DONT_EXPIRE_PASSWORD = 65536
AD_UAC_MASK_TRUSTED_FOR_DELEGATION = 524288
AD_UAC_MASK_PASSWORD_EXPIRED = 8388608
...

def create_ad_user(uri, uid, password, givenName, sn, displayName,
                   uidNumber, gidNumber, homeDirectory):
    # Bind to the DC with Kerberos (GSSAPI); referrals off so AD does not
    # redirect us to other partitions.
    pdc = ldap.initialize(uri)
    pdc.set_option(ldap.OPT_REFERRALS, 0)
    pdc.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    # The dn of our new entry/object
    dn = 'cn={0},{1}'.format(uid, AD_USER_ROOT_DN, )
    attrs = {
        'objectclass':
            ['top',
             'person',
             'organizationalPerson',
             'user',
             'posixAccount', ],   # posixAccount carries the RFC2307 attributes
        'cn': uid,
        'sAMAccountName': uid,
        'msSFU30Name': uid,
        'userPassword': str(password),
        'givenName': givenName,
        'sn': sn,
        'displayName': displayName,
        'uidNumber': uidNumber,
        'gidNumber': gidNumber,
        'unixHomeDirectory': homeDirectory,
        'loginShell': '/bin/bash',
        'pwdLastSet': '-1',   # -1 = "set now"; 0 would force a change at next logon
        'userPrincipalName': '{0}@example.com'.format(uid, ),
        'lockoutTime': '0',
        'msSFU30NisDomain': 'backbone',
        'homeDirectory': '\\\\FILESERVER\\homedir',
        'homeDrive': 'F:',
        'profilePath': '\\\\FILESERVER\\profiles\\{0}'.format(uid, ),
    }
    # Account is created disabled; enable it once the password has been set.
    attrs['userAccountControl'] = \
        str(
            AD_UAC_MASK_NORMAL_ACCOUNT +
            AD_UAC_MASK_ACCOUNTDISABLE +
            AD_UAC_MASK_DONT_EXPIRE_PASSWORD
        )
    # python-ldap 3 on Python 3 requires attribute values as lists of bytes
    attrs = {
        attr: [str(item).encode('utf-8')
               for item in (value if isinstance(value, list) else [value])]
        for attr, value in attrs.items()
    }
    ldif = modlist.addModlist(attrs)
    pdc.add_s(dn, ldif)
--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
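The group side of the question, as an added example that is not part of the post above: it builds the entry for an AD group carrying the posixGroup attributes, in the same (attribute, [bytes]) list shape that ldap.modlist.addModlist() produces, and composes the userAccountControl value the way the post does. The group OU, the member list and the NIS domain value are assumptions; nothing here connects to a DC.

```python
# Added example: posixGroup entry builder and userAccountControl helpers.
# Not the post's code. No LDAP connection is made; the returned modlist is
# what you would hand to pdc.add_s(dn, modlist) after binding.
AD_USER_ROOT_DN = 'OU=Users,DC=Example,DC=Com'
AD_GROUP_ROOT_DN = 'OU=Groups,DC=Example,DC=Com'   # assumed group OU
NIS_DOMAIN = 'backbone'                             # assumed, as in the post

AD_UAC_MASK_ACCOUNTDISABLE = 2
AD_UAC_MASK_NORMAL_ACCOUNT = 512
AD_UAC_MASK_DONT_EXPIRE_PASSWORD = 65536


def to_modlist(attrs):
    """Same shape as ldap.modlist.addModlist(): list of (attr, [bytes])."""
    out = []
    for attr, value in attrs.items():
        values = value if isinstance(value, list) else [value]
        out.append((attr, [str(v).encode('utf-8') for v in values]))
    return out


def posix_group_entry(cn, gid_number, member_uids=()):
    """AD security group that also carries the RFC2307 posixGroup attributes."""
    dn = 'cn={0},{1}'.format(cn, AD_GROUP_ROOT_DN)
    attrs = {
        'objectClass': ['top', 'group', 'posixGroup'],
        'cn': cn,
        'sAMAccountName': cn,
        'msSFU30Name': cn,
        'msSFU30NisDomain': NIS_DOMAIN,
        'gidNumber': str(gid_number),
    }
    if member_uids:
        # memberUid is what NSS/getent reads; member is the AD group membership
        attrs['memberUid'] = list(member_uids)
        attrs['member'] = ['cn={0},{1}'.format(u, AD_USER_ROOT_DN)
                           for u in member_uids]
    return dn, to_modlist(attrs)


def user_uac(disabled=True):
    """userAccountControl as the post composes it: normal account, password
    never expires, and disabled until a password has been set."""
    uac = AD_UAC_MASK_NORMAL_ACCOUNT | AD_UAC_MASK_DONT_EXPIRE_PASSWORD
    if disabled:
        uac |= AD_UAC_MASK_ACCOUNTDISABLE
    return uac


def is_disabled(uac):
    """Check the ACCOUNTDISABLE bit of a userAccountControl value."""
    return bool(int(uac) & AD_UAC_MASK_ACCOUNTDISABLE)
```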