[Samba] User management scripts in AD mode...

Marco Gaiarin gaio at sv.lnf.it
Fri Jun 23 15:34:48 UTC 2017


Hello! Rowland Penny via samba
  On that day it was said...

Sorry, I come back to that:

> Not sure what you are getting at here, if you add a user to a group in
> AD, you not only get a record in the group object, you also get a
> record in the users object
> 
> dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> .....
> member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> 
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> .....
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> 
> So you don't have to modify the user at all, again samba-tool can do
> things like this for you, see 'samba-tool group --help'

Because it's not clear to me how group management works in AD. I'm using
'Active Directory Users and Computers', so I think a pretty standard
tool. Some questions.

a) I've not found 'member' in the user object.

b) membership is accounted in groups via the 'member' field in the group
 object. Membership is expressed as the full user DN.

c) if, for the group object, I add some members in 'UNIX Attributes',
 they are not saved (eg, if I add some user and I do 'Apply' and then
'OK', if I come back to the group, the UNIX attributes membership is
empty).

d) if, for a user, I set a primary group in 'Member of' (NOT UNIX
 attributes), the user object gets a 'primaryGroupID' value with the RID of
the group, and the relative 'member' data in the group DISAPPEARS. Argh!


So, it seems to me that:

1) probably through my fault, some of the UNIX data (eg, group membership)
 does not work. I think it can also be irrelevant, because winbind/sssd
get unix membership another way (eg, ''windows'' membership and not
UNIX/rfc2203 ones).

2) if I need to know which users belong to group 'X', I have to catch all
 DNs listed in 'member' of that group, AND all users that have
as 'primaryGroupID' the RID of the group.


I'm again a bit confused... ;-(((

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
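
The lookup described in point 2 of the message above, as an added example that is not part of the original post: it merges the DNs in a group's 'member' attribute with the users whose 'primaryGroupID' equals the group's RID (the last component of its objectSid), which is what an access review has to do to avoid missing primary-group members. The entries, the domain SID, the RIDs 1104 to 1106 and the user "Test User" are constructed; nested groups are not expanded.

```python
# Constructed sample data for this added example; not taken from a real directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder domain SID
BASE = "CN=Users,DC=samdom,DC=example,DC=com"

ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectClass": "group",
     "objectSid": f"{DOMAIN_SID}-513", "member": []},
    {"dn": f"CN=Unixgroup,{BASE}", "objectClass": "group",
     "objectSid": f"{DOMAIN_SID}-1105",
     "member": [f"CN=Rowland Penny,{BASE}"]},
    {"dn": f"CN=Rowland Penny,{BASE}", "objectClass": "user",
     "objectSid": f"{DOMAIN_SID}-1104", "primaryGroupID": "513"},
    # Hypothetical user whose primary group was switched to Unixgroup:
    # the group entry above carries no 'member' value for this DN.
    {"dn": f"CN=Test User,{BASE}", "objectClass": "user",
     "objectSid": f"{DOMAIN_SID}-1106", "primaryGroupID": "1105"},
]

def split_sid(sid):
    """Split a SID string into (domain part, RID as int)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def group_members(entries, group_dn):
    """Return explicit, primary-group and combined members of one group."""
    group = next((e for e in entries
                  if e["objectClass"] == "group"
                  and e["dn"].lower() == group_dn.lower()), None)
    if group is None:
        raise LookupError(f"no group entry for {group_dn!r}")
    domain, rid = split_sid(group["objectSid"])
    explicit = set(group.get("member", []))
    primary = set()
    for e in entries:
        if e["objectClass"] != "user" or "primaryGroupID" not in e:
            continue
        user_domain, _ = split_sid(e["objectSid"])
        # primaryGroupID holds only a RID, so it refers to the user's own domain.
        if user_domain == domain and int(e["primaryGroupID"]) == rid:
            primary.add(e["dn"])
    return {"member": sorted(explicit), "primary": sorted(primary),
            "all": sorted(explicit | primary)}

if __name__ == "__main__":
    for name in ("Unixgroup", "Domain Users"):
        result = group_members(ENTRIES, f"CN={name},{BASE}")
        print(name, "->", result["all"])
```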
