[Samba] Maintaining Unix Attributes in AD using ADUC?

Rowland Penny rpenny at samba.org
Fri Apr 2 10:57:24 UTC 2021


On 02/04/2021 11:22, Matthias Leopold via samba wrote:
> Hi,
>
> after reading the documentation on RFC2307 attributes in Samba AD I 
> still wasn't sure if UID/GID attributes would be _automatically_ 
> assigned to new users/groups that were added with _ADUC_.
>
> wiki.samba.org says:
> "When using the ADUC utility, the user and group IDs are automatically 
> tracked inside AD and incremented when creating a new user or group." 
> (https://wiki.samba.org/index.php/Idmap_config_ad)
>
> "Every time a UID/GID number is assigned using Active Directory Users 
> and Computers (ADUC), the next UID/GID number is stored inside the 
> Active Directory. By default, ADUC starts assigning UID and GID 
> numbers at 10000." 
> (https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC)
>
> Now I tried it with a domain where RFC2307 was set up after 
> provisioning 
> (https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions).
> Additionally I set msSFU30MaxUidNumber/msSFU30MaxGidNumber to custom 
> values.
>
> I then created a user in ADUC, but uidnumber wasn't assigned, same for 
> group and gidnumber. The question is: should these attributes have 
> been assigned automatically? Did I miss something or is this not 
> supposed to happen?
> To me this is essential, because I want to delegate group creation in 
> AD to users, so if automatic GID assignment doesn't work I can't use 
> RFC2307 in Samba AD.
>
> thx
> Matthias
>
>

Do you have the Unix attributes tabs? Or to put it another way, are you 
using Windows 10 which does not have them?

Whilst Samba still has the LDAP framework that the Unix Attributes tab 
relies on (Microsoft called it IDMU), Windows 10 no longer uses (or 
provides) IDMU.

You can use samba-tool to create users and groups with RFC2307, but you 
will have to maintain the next Unix ID yourself. There is also ADMan, see 
here:

https://gitlab.com/JonathonReinhart/adman

Rowland
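
Added example, not part of the original thread: one way to maintain the next GID yourself when group creation is delegated, so that two administrators cannot hand out the same number. It reads msSFU30MaxGidNumber, builds a compare-and-swap LDIF for it, and builds the matching `samba-tool group add` command. The DN, the NIS domain `samdom`, the group name and the function names are constructed for illustration; applying the LDIF (for instance with ldbmodify) and running the command are left to the operator.

```python
import re
import shlex

# Constructed sample: LDIF search output for the counter object (not real data).
SAMPLE_LDIF = """\
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=exa
 mple,DC=com
msSFU30MaxUidNumber: 10005
msSFU30MaxGidNumber: 10012
"""

def read_counter(ldif, attr):
    """Return (dn, value) for a numeric counter attribute in LDIF text."""
    ldif = ldif.replace("\n ", "")  # undo LDIF line folding
    dn = re.search(r"^dn: (.+)$", ldif, re.M)
    val = re.search(rf"^{re.escape(attr)}: (\d+)$", ldif, re.M | re.I)
    if not dn or not val:
        raise ValueError(f"{attr} not found; are the NIS extensions installed?")
    return dn.group(1), int(val.group(1))

def bump_ldif(dn, attr, current):
    """LDIF that advances the counter only if it still equals `current`.

    Deleting the exact old value and adding the new one in a single modify
    acts as a compare-and-swap: if someone else already moved the counter,
    the delete fails and the whole modify is rejected.
    """
    return (f"dn: {dn}\nchangetype: modify\n"
            f"delete: {attr}\n{attr}: {current}\n-\n"
            f"add: {attr}\n{attr}: {current + 1}\n")

def group_add_cmd(name, gid, nis_domain):
    """Command line that creates the group with an explicit RFC2307 gidNumber."""
    return shlex.join(["samba-tool", "group", "add", name,
                       f"--gid-number={gid}", f"--nis-domain={nis_domain}"])

def allocate_gid(ldif, group, nis_domain):
    """Return (gid, counter_ldif, command) for one new group.

    Apply counter_ldif first; run the command only if that modify succeeded,
    otherwise re-read the counter and try again.
    """
    attr = "msSFU30MaxGidNumber"
    dn, gid = read_counter(ldif, attr)
    return gid, bump_ldif(dn, attr, gid), group_add_cmd(group, gid, nis_domain)

if __name__ == "__main__":
    gid, ldif, cmd = allocate_gid(SAMPLE_LDIF, "projx", "samdom")
    print(ldif)
    print(cmd)
```
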




