[Samba] samba-tool create user

Mark Nienberg mnlists at tippingstructural.com
Thu Apr 20 23:31:13 UTC 2017


I see what you mean about using ldbmodify, but I thought samba-tool was
designed to allow me to administer my samba domain and it will protect me
from messing up the ldb files, like I might with ldbmodify. I realize it
has some shortcomings, but I'm hoping it is improving as time goes on. I am
using ldbmodify only when I can't get the job done with samba-tool.

Thanks very much for your help. I'll move into testing my script next.

On Thu, Apr 20, 2017 at 12:21 AM, Rowland Penny <rpenny at samba.org> wrote:

> On Wed, 19 Apr 2017 16:06:52 -0700
> Mark Nienberg via samba <samba at lists.samba.org> wrote:
>
> > I'm working on a shell script to create new users on an AD DC.
> > Currently we use ADUC, but that is slow and error-prone. My
> > (untested) command looks like this:
> >
> > samba-tool user create $USERNAME $PASSWORD \
> > --nis-domain=sta \
> > --unix-home=/home/${USERNAME} \
> > --uid-number=${NEXTID} \
> > --login-shell=/sbin/nologin \
> > --gid-number=513 \
> > --use-username-as-cn \
> > --home-drive=Z \
> > --home-directory=\\\\gecko\\${USERNAME} \
> > --profile-path=\\\\gecko\\profiles\\${USERNAME} \
> > --userou='OU=users,OU=tipping'
> >
> > I'm not sure I am using the "--userou" correctly. We store our active
> > users in a separate users OU within one named for our domain, so if I
> > look at the distinguishedName attribute for a current user in ADUC it
> > looks like this:
> >
> > CN=adrian,OU=users,OU=tipping,DC=tipping,DC=lan
> >
> > The man page says this:
> >
> > --userou=USEROU       DN of alternative location (without domainDN
> > counterpart) to default CN=Users in which new user object will be
> > created. E.g. 'OU=<OU name>'
> >
> > If I get it wrong, will the command just fail or will it try to
> > create some incorrect OU that I will then have to figure out how to
> > clean up? Do you think I guessed correctly?
>
> The 'OU' must exist before you can create users in it, there is nothing
> in samba-tool that will create the 'OU', so if the 'OU' is wrong, the
> create will fail and yes, you seem to have guessed correctly.
>
> >
> > Also, did I get the (doubled) backslashes right in the windows paths?
>
> Not sure, you may have one too many '\' at the start, try creating a
> testuser and then examine the user's object with ldbsearch.
>
> >
> > And should the home-drive be 'Z' or 'Z:'?
>
> Z:
>
> >
> > I guess a working example would help a lot for the parameters that
> > are not in any examples in "samba-tool user create --help". Thanks,
>
> If you are writing your own script, you could always by-pass samba-tool
> and use an ldif and add this with ldbmodify.
>
> Finally, are you really using '513' as the gidNumber for Domain Users?
> if so, can I just comment that this is a dumb idea in my opinion ;-)
>
> Rowland
>
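
The command from the thread as a dry-run wrapper, showing how the shell turns the doubled backslashes into a UNC path and how to build the same path without escapes. This is an added example, not part of the original messages and not Samba project code. The helper names (`RUN`, `print_args`, `valid_username`, `unc_path`, `doubled_form`, `create_user`) and the sample user, password, UID and GID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: prints the argv
# instead of calling samba-tool. Host "gecko", NIS domain "sta" and the OU
# are the thread's values; user, password, UID and GID are constructed.
LC_ALL=C                       # make the a-z range below byte-exact
RUN=${RUN:-print_args}         # assumption: RUN=samba-tool runs it for real
BS='\'                         # one literal backslash

print_args() { printf '%s\n' "$@"; }

# The name is spliced into a UNC path and a Unix path, so allow-list it:
# lower-case letters, digits, '.', '_' and '-', and no leading '-'.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# unc_path HOST PART... -> \\HOST\PART\... built without shell escapes.
unc_path() {
    out="${BS}${BS}$1"; shift
    for part in "$@"; do out="${out}${BS}${part}"; done
    printf '%s' "$out"
}

# The thread's unquoted spelling: each \\ collapses to one backslash.
doubled_form() { printf '%s' \\\\gecko\\"$1"; }

# create_user USERNAME PASSWORD UIDNUMBER GIDNUMBER
create_user() {
    valid_username "$1" || { printf 'rejected username: %s\n' "$1" >&2; return 1; }
    "$RUN" user create "$1" "$2" \
        --nis-domain=sta \
        --unix-home="/home/$1" \
        --uid-number="$3" \
        --login-shell=/sbin/nologin \
        --gid-number="$4" \
        --use-username-as-cn \
        --home-drive=Z: \
        --home-directory="$(unc_path gecko "$1")" \
        --profile-path="$(unc_path gecko profiles "$1")" \
        --userou='OU=users,OU=tipping'
}

# Constructed sample call; prints one argument per line in dry-run mode.
create_user adrian 'Constructed-Passw0rd' 10001 10000
```

The check suggested in the thread still applies after a real run: create a test user and inspect the stored attributes with ldbsearch.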

