[Samba] UNIX attribute UID no longer increments with RSAT

Wed Aug 10 15:53:52 UTC 2016

On 8/8/2016 9:32 AM, Rowland Penny wrote:
> On Mon, 8 Aug 2016 08:52:39 -0400
> "lingpanda101 at gmail.com" <lingpanda101 at gmail.com> wrote:
>
>> Hello,
>>
>>       I'm using rfc2307 to enable Unix attributes on my DC's. Recently
>> when adding a user and attempting to add a UID with the RSAT, I
>> receiving the following error.
>>
>> 'Duplicate UID. Assign a uniqueUID.'
>>
>> How do I list all users and their UID? I tried using 'pdbedit' and
>> wbinfo. Pdbedit appears to list the XID's and wbinfo needs me to
>> specify a user name. I need to confirm all users have a unique UID
>> before moving forward to troubleshoot this issue. Thanks.
>>
> What version of windows is this ?
>
> When you used to add a uidNumber with the UNIX Attributes tab, the last
> uid used was stored in an attribute in AD, this attribute was created
> if it didn't exist, has windows stopped doing this ?
>
> The attribute in question is 'msSFU30MaxUidNumber' (there is another
> one for groups 'msSFU30MaxGidNumber') and this is stored in the AD
> object to be found at:
> CN=<Your
> lowercase
> NETBios
> domain
> name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=your,DC=dns,DC=domain
>
> Rowland
>
>

I'll update my findings.

  * Create a new security group in ADUC
  * Within ADUC right click the OU or domain to delegate permissions
  * Click Delegate Control
  * Add the new security group created.
  * Delegate the following tasks
      o Create, delete and manage user accounts
      o Reset user passwords and force password change at next logon
      o Read all user information

 From what I gather on the net, this does not give the above security 
group permission to update the Unix attributes within ADUC.  This 
appears to be confirmed by the error prompts when attempted.  Maybe I am 
incorrect and this should give the security group permission and the 
error prompts are just bugs.

-- 
-James