[Samba] Maintaining Unix Attributes in AD using ADUC?

Matthias Leopold matthias.leopold at meduniwien.ac.at
Fri Apr 2 11:17:32 UTC 2021

On 02.04.21 at 12:57, Rowland penny via samba wrote:
> On 02/04/2021 11:22, Matthias Leopold via samba wrote:
>> Hi,
>> after reading the documentation on RFC2307 attributes in Samba AD I 
>> still wasn't sure if UID/GID attributes would be _automatically_ 
>> assigned to new users/groups that were added with _ADUC_.
>> wiki.samba.org says:
>> "When using the ADUC utility, the user and group IDs are automatically 
>> tracked inside AD and incremented when creating a new user or group." 
>> (https://wiki.samba.org/index.php/Idmap_config_ad)
>> "Every time a UID/GID number is assigned using Active Directory Users 
>> and Computers (ADUC), the next UID/GID number is stored inside the 
>> Active Directory. By default, ADUC starts assigning UID and GID 
>> numbers at 10000." 
>> (https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC) 
>> Now I tried it with a domain where RFC2307 was set up after 
>> provisioning 
>> (https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions). 
>> Additionally I set msSFU30MaxUidNumber/msSFU30MaxGidNumber to custom 
>> values.
>> I then created a user in ADUC, but uidnumber wasn't assigned, same for 
>> group and gidnumber. The question is: should these attributes have 
>> been assigned automatically? Did I miss something or is this not 
>> supposed to happen?
>> To me this is essential, because I want to delegate group creation in 
>> AD to users, so if automatic GID assignment doesn't work I can't use 
>> RFC2307 in Samba AD.
>> thx
>> Matthias
> Do you have the Unix attributes tabs? Or to put it another way, are you 
> using Windows 10 which does not have them?
> Whilst Samba still has the ldap framework that the Unix Attributes tab 
> relies on (Microsoft called it IDMU), Windows 10 no longer uses (or 
> provides) IDMU.
> You can use samba-tool to create users and groups with RFC2307, but you 
> will have to maintain the next Unix ID yourself. There is also ADMan, see 
> here:
> https://gitlab.com/JonathonReinhart/adman
> Rowland

I understood that Windows 10 doesn't have the "Unix attributes" tab, 
this is why I looked at the "Attribute editor" tab. There I see that 
UID/GID aren't assigned automatically (although the attribute is there). 
So this is the intended behaviour?
Unfortunately manually setting these attributes (by whatever means) for 
new users (I could do it for existing users) is not an option for me.
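
Added example, not part of the original thread and not code from Samba or ADMan: one way to "maintain the next Unix ID yourself" is to plan uidNumber assignments from an LDIF export and skip any value already in use, so a stale msSFU30MaxUidNumber never hands two accounts the same UID (and with it the same file ownership). The DNs, sample LDIF and function names are constructed for illustration; it assumes unwrapped, non-base64 LDIF and a single administrator running it at a time.

```python
# Added example: the LDIF samples below are constructed, not real directory output.
USERS = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001

dn: CN=dave,CN=Users,DC=samdom,DC=example,DC=com
"""
COUNTER = """\
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 10000
"""

def parse_ldif(text):
    """Parse simple LDIF (no line wrapping, no base64) into {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(": ")
            cur.setdefault(key, []).append(val)
    return entries

def plan_uid_assignments(users_ldif, counter_ldif):
    """Return (LDIF modify records, new counter value) for users lacking uidNumber."""
    users = parse_ldif(users_ldif)
    counter = parse_ldif(counter_ldif)[0]
    next_uid = int(counter["msSFU30MaxUidNumber"][0])   # stored value is the next ID
    used = {int(u["uidNumber"][0]) for u in users if "uidNumber" in u}
    mods = []
    for u in users:
        if "uidNumber" in u:
            continue
        while next_uid in used:       # counter may be stale: never reuse a live UID
            next_uid += 1
        mods.append(f"dn: {u['dn'][0]}\nchangetype: modify\n"
                    f"add: uidNumber\nuidNumber: {next_uid}\n")
        used.add(next_uid)
        next_uid += 1
    if mods:                          # store the next free ID back in the counter
        mods.append(f"dn: {counter['dn'][0]}\nchangetype: modify\n"
                    f"replace: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: {next_uid}\n")
    return mods, next_uid
```

With the constructed data the counter still says 10000 although 10000 and 10001 are taken, so the plan assigns 10002 and 10003 and moves the counter to 10004.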