[Samba] samba-tool create user

Rowland Penny rpenny at samba.org
Thu Apr 20 07:21:48 UTC 2017


On Wed, 19 Apr 2017 16:06:52 -0700
Mark Nienberg via samba <samba at lists.samba.org> wrote:

> I'm working on a shell script to create new users on an AD DC.
> Currently we use ADUC, but that is slow and error-prone. My
> (untested) command looks like this:
> 
> samba-tool user create $USERNAME $PASSWORD \
> --nis-domain=sta \
> --unix-home=/home/${USERNAME} \
> --uid-number=${NEXTID} \
> --login-shell=/sbin/nologin \
> --gid-number=513 \
> --use-username-as-cn \
> --home-drive=Z \
> --home-directory=\\\\gecko\\${USERNAME} \
> --profile-path=\\\\gecko\\profiles\\${USERNAME} \
> --userou='OU=users,OU=tipping'
> 
> I'm not sure I am using the "--userou" correctly. We store our active
> users in a separate users OU within one named for our domain, so if I
> look at the distinguishedName attribute for a current user in ADUC it
> looks like this:
> 
> CN=adrian,OU=users,OU=tipping,DC=tipping,DC=lan
> 
> The man page says this:
> 
> --userou=USEROU       DN of alternative location (without domainDN
> counterpart) to default CN=Users in which new user object will be
> created. E.g. 'OU=<OU name>'
> 
> If I get it wrong, will the command just fail or will it try to
> create some incorrect OU that I will then have to figure out how to
> clean up? Do you think I guessed correctly?

The 'OU' must exist before you can create users in it, there is nothing
in samba-tool that will create the 'OU', so if the 'OU' is wrong, the
create will fail and yes, you seem to have guessed correctly.

> 
> Also, did I get the (doubled) backslashes right in the windows paths?

Not sure, you may have one too many '\' at the start; try creating a
testuser and then examine the user's object with ldbsearch.

> 
> And should the home-drive be 'Z' or 'Z:'?

Z:

> 
> I guess a working example would help a lot for the parameters that
> are not in any examples in "samba-tool user create --help". Thanks,

If you are writing your own script, you could always bypass samba-tool
and use an LDIF and add this with ldbmodify.

Finally, are you really using '513' as the gidNumber for Domain Users?
If so, can I just comment that this is a dumb idea in my opinion ;-)

Rowland
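Editor's note: the script below is an added, worked version of the wrapper Mark describes, written for this page; it is not code from the thread or from the Samba project. It keeps the thread's values (file server "gecko", OU "OU=users,OU=tipping", domain tipping.lan, NIS domain "sta", Z: as the home drive, /sbin/nologin as the shell) and applies Rowland's answers: it checks that the OU exists before calling samba-tool, passes the drive as "Z:", and verifies the result with ldbsearch. Two things in it are assumptions: the sam.ldb path (/var/lib/samba/private/sam.ldb; a source build uses /usr/local/samba/private) and the gidNumber 10000 used instead of 513. On the backslash question, the shell fact is that outside quotes a backslash escapes the next character, so the unquoted "\\\\gecko\\alice" in the thread would arrive as "\\gecko\alice"; the script sidesteps the issue by building UNC paths in a function from forward-slash input. Passing the password on the command line is avoided because it would be visible in "ps"; the account gets a random password and must-change-at-next-login instead.

```shell
#!/bin/sh
# Added example for the thread above; not Samba project code.
# Assumptions: SAM_DB path, PRIMARY_GID=10000. DRY_RUN=1 only prints the
# samba-tool arguments (this switch belongs to this script, not samba-tool).
set -eu

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"  # assumption: distro path
DOMAIN_DN="DC=tipping,DC=lan"
USER_OU="OU=users,OU=tipping"   # relative DN, exactly what --userou expects
FILE_SERVER="gecko"
PRIMARY_GID="${PRIMARY_GID:-10000}"  # assumption: a real gidNumber, not RID 513
DRY_RUN="${DRY_RUN:-0}"

# Print a UNC path with exactly two leading backslashes.
# $1 = server, $2 = path below the server using '/' (e.g. profiles/alice).
unc_path() {
    _p=$(printf '%s' "$2" | tr '/' '\\')
    printf '\\\\%s\\%s\n' "$1" "$_p"
}

# Read LDIF from ldbsearch on stdin and print the highest uidNumber found;
# 9999 when none is set, so the first account becomes 10000.
max_uid_from_ldif() {
    awk 'BEGIN { m = 9999 }
         /^uidNumber: / { if ($2 + 0 > m) m = $2 + 0 }
         END { print m }'
}

# Nothing in AD enforces uidNumber uniqueness: two copies of this script
# running at once could pick the same value, so serialise runs (e.g. flock).
next_uid() {
    ldbsearch -H "$SAM_DB" '(uidNumber=*)' uidNumber | max_uid_from_ldif \
        | awk '{ print $1 + 1 }'
}

# samba-tool will not create a missing OU; a base-scope search tells us
# whether it is there before we try (Rowland's point above).
ou_exists() {
    ldbsearch -H "$SAM_DB" -b "$1,$DOMAIN_DN" -s base dn >/dev/null 2>&1
}

show_args() { printf '%s\n' "$@"; }   # dry-run "command": one arg per line

# Run $1 (samba-tool, or show_args) with the full "user create" argument
# list. $2 = username, $3 = uidNumber.
run_create() {
    _cmd=$1; _user=$2; _uid=$3
    "$_cmd" user create "$_user" \
        --random-password \
        --must-change-at-next-login \
        --nis-domain=sta \
        "--unix-home=/home/$_user" \
        "--uid-number=$_uid" \
        --login-shell=/sbin/nologin \
        "--gid-number=$PRIMARY_GID" \
        --use-username-as-cn \
        --home-drive=Z: \
        "--home-directory=$(unc_path "$FILE_SERVER" "$_user")" \
        "--profile-path=$(unc_path "$FILE_SERVER" "profiles/$_user")" \
        "--userou=$USER_OU"
}

create_user() {
    user=$1
    case $user in
        ''|*[!a-z0-9._-]*) echo "refusing odd username '$user'" >&2; return 1 ;;
    esac
    ou_exists "$USER_OU" || {
        echo "OU $USER_OU,$DOMAIN_DN does not exist; create it first" >&2
        return 1
    }
    uid=$(next_uid)
    if [ "$DRY_RUN" = 1 ]; then
        run_create show_args "$user" "$uid"
        return 0
    fi
    run_create samba-tool "$user" "$uid"
    # Check what actually landed in the directory, as suggested in the thread.
    ldbsearch -H "$SAM_DB" -b "CN=$user,$USER_OU,$DOMAIN_DN" -s base \
        homeDrive homeDirectory profilePath uidNumber gidNumber \
        unixHomeDirectory loginShell
}

# Usage: ./mkuser.sh alice   (or DRY_RUN=1 ./mkuser.sh alice to only print)
[ $# -eq 0 ] || create_user "$1"
```

Run it first with DRY_RUN=1 to see every argument on its own line, including the two backslashes in the UNC paths, before pointing it at the DC; the dry run still needs read access to sam.ldb for the OU check and the uid scan.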


