[Samba] Maintaining Unix Attributes in AD - best practice?

Henry Jensen hjensen at mailbox.org
Thu May 24 10:12:54 UTC 2018


We are testing migration from an NT-style Samba 3 domain to a Samba 4 AD
domain. As we are keeping RFC2307 Unix Attributes in the AD we also
want to add them to future accounts.

Because the Unix Attributes tab is no longer available since Windows
10, I am looking for the best way to add Unix attributes to users.

I know that setting Unix attributes in Windows 10 ADUC tool is possible
manually, but certainly not the best way. And keeping a Windows 7
station with RSAT tools online isn't the best solution either,
especially when security support for Windows 7 runs out in 2020.

So, what would be the best way to add Unix attributes to AD?
I read on this list that adding AD users with "samba-tool --uid-number" is discouraged.

There are some specialized distros which are offering decent web interfaces to
Samba AD (e.g. Univention UCS, Zentyal) and also create Unix
attributes, but it seems that these web interfaces cannot be used
outside these "appliances". Such a web interface would be ideal.

As a second-best solution I imagine a script which retrieves the
necessary data interactively (with a TUI, GUI or web frontend), creates an
LDIF file and adds the user via ldbadd.

Are there any solutions for this in the works or what is the best way?

Kind regards,
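
A sketch of the LDIF-generating step of the script imagined above, as an added example that is not part of the original post and not Samba project code. The function names, the login-name policy, the 10000-999999 ID range and the container DN are assumptions. It validates interactively entered values and base64-encodes anything that is not an RFC 2849 safe string, so a newline typed into a field cannot add extra attribute lines to the record handed to ldbadd.

```python
import base64
import re

# RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, must not start with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")
_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,19}")  # login-name policy (assumption)
_PATH = re.compile(r"/[A-Za-z0-9._/-]+")       # plain absolute paths only


def ldif_line(attr, value):
    """Return 'attr: value', or base64 'attr:: ...' if value is not a SAFE-STRING."""
    value = str(value)
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_user_ldif(login, display_name, uid_number, gid_number, container,
                    home_base="/home", shell="/bin/bash", used_uids=()):
    """Build one LDIF add record for a user carrying RFC2307 attributes."""
    if not _NAME.fullmatch(login):
        raise ValueError("invalid login name")
    home = f"{home_base}/{login}"
    if not _PATH.fullmatch(home) or not _PATH.fullmatch(shell):
        raise ValueError("invalid home directory or shell path")
    for label, number in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        # Assumed site range; align it with the idmap range used on domain members.
        if not isinstance(number, int) or not 10000 <= number <= 999999:
            raise ValueError(f"{label} outside the allowed range")
    if uid_number in used_uids:
        raise ValueError("uidNumber already assigned")
    record = [
        ldif_line("dn", f"CN={login},{container}"),
        "objectClass: user",
        ldif_line("sAMAccountName", login),
        ldif_line("displayName", display_name),
        ldif_line("uidNumber", uid_number),
        ldif_line("gidNumber", gid_number),
        ldif_line("unixHomeDirectory", home),
        ldif_line("loginShell", shell),
    ]
    return "\n".join(record) + "\n"


if __name__ == "__main__":
    # Constructed sample values; the container DN is a placeholder domain.
    print(build_user_ldif("jdoe", "Jane Doe", 10001, 10000,
                          "CN=Users,DC=samdom,DC=example,DC=com"), end="")
```

The record contains no password, so setting one remains a separate step.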

