[Samba] id mapping on a dc+file server

Fri Aug 9 10:49:30 UTC 2019

On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>> You have to give any users you require visible on Unix a uidNumber attribute
> Ok, I can do it with samba-tool user edit...
>> You have to give 'Domain Users'  a gidNumber attribute.
>> You have to give any group you require to be visible a gidNumber
> I know that I can set gidNumber when I create a group, but how can I
> edit the group properties?
>
Try the attached script, ( you will need to make it executable), you 
will need the ldb-tools package installed and it must be run on a Samba 
AD DC

Rowland

-------------- next part --------------
#!/bin/bash

#  ldbaddgidtogroup : adds a gidNumber to a group in AD
#  Version 1.0 09/08/19

#  Copyright (C) 2019 Rowland Penny
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo "Usage : $0 <groupname> <gidNumber>"
    exit 1
fi

if [ "$#" -ne 2 ]; then
    echo "Usage : $0 <groupname> <gidNumber>"
    exit 1
fi

_GROUP="$1"
G_GID="$2"

P_DIR=$(samba -b | grep 'PRIVATE_DIR' | awk '{print $NF}')
SAM="${P_DIR}/sam.ldb"
SUFFIX=$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')

# Find groupname : $_GROUP must exist in AD !
_RESULT=$(ldbsearch -H ${SAM} -b "$SUFFIX" -s sub "(&(objectClass=group)(sAMAccountName=$_GROUP))" "*")

# Get Groups DN
_ENTRY=$(echo "$_RESULT" | grep "dn: ")
if [ -z "$_ENTRY" ]; then
    echo "Group $_GROUP not found in AD"
    exit 1
fi

# Check for gidNumber : $1 must not have one !
_GID=$(echo "$_RESULT" | grep "gidNumber: " | sed "s|gidNumber: ||")
if [ -n "$_GID" ]; then
    echo "Group $1 already has a gidNumber!"
    exit 1
fi

# Create LDIF
tmp_group="$_ENTRY
changetype: modify
add: gidNumber
gidNumber: $G_GID
-
"

# Modify group entry
echo "$tmp_group" | ldbmodify -H ${SAM} > /dev/null 2>&1
if [ $? != 0 ]; then
    echo "Error adding gidNumber to group $1"
    exit 1
fi
unset tmp_group
echo "Successfully added gidNumber to group $1"

exit 0