Difference between revisions of "Adding users with samba tool"

(Adding Users into Samba Active Directory: user add deprecated by create)
m (/* Total rewrite)
 
(One intermediate revision by the same user not shown)
Previous revision (wiki source of the text that the total rewrite replaced; the rewritten text is rendered in full under the latest revision below):

== Adding Users into Samba Active Directory ==
Unlike Samba 3, Samba 4 does not require a local Unix user for each Samba user that is created.

To create a Samba user, use the following command:

 /usr/local/samba/bin/samba-tool user create USERNAME

To inspect the allocated user ID and SID, use the following commands:

 $ /usr/local/samba/bin/wbinfo --name-to-sid USERNAME
 S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)
 $ /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005
 3000011

If you want to change this mapping, then use <tt>ldbedit</tt> on the <tt>/usr/local/samba/private/idmap.ldb</tt>, as shown:

 $ ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005

*Note: You can replace <tt>emacs</tt> with your editor of choice.

You will find records that look like this:

 # record 1
 dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005
 cn: S-1-5-21-4036476082-4153129556-3089177936-1005
 objectClass: sidMap
 objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005
 type: ID_TYPE_BOTH
 xidNumber: 3000011
 distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005

If you change the <tt>xidNumber</tt> attribute, save and exit your editor, Samba will update the mapping between the SID and the user ID. Updating group mappings works in the same way.

Notice boxes in the rewritten source (template markup that the rendered revision below does not reproduce):

{{Imbox
| type = important
| text = When running Samba 4 as an Active Directory domain, unlike Samba 3, you cannot have a local Unix user for each Samba user that is created.
}}

{{Imbox
| type = note
| text = All Active Directory users are primarily Windows users, you need to extend them with further attributes, to make them Unix users as well.
}}

{{Imbox
| type = note
| text = You can replace emacs with your editor of choice.
}}

Latest revision as of 08:19, 11 June 2017

Adding Users into Samba Active Directory


Important: when Samba 4 runs as an Active Directory domain controller, unlike Samba 3, you do not create a local Unix user for each Samba user; winbind on the DC maps each AD account to a Unix ID itself.

There are two ways you can create AD users with samba-tool:

  • You can create users that are only Windows users.
  • You can create users that are Windows and Unix users.



Creating a Windows user

To create a Windows user, run the following command as root on a DC. Leave the password off the command line so that samba-tool prompts for it: a password given as an argument ends up in the shell history and in the process list.

/usr/local/samba/bin/samba-tool user create user1

You can, if you so wish, add further options:

Option Explanation
--given-name User's given name.
--surname User's surname.
--initials User's initials.
--userou DN of an alternative location (without the domain DN part) in which to create the user object, instead of the default CN=Users. E.g. 'OU=<OU name>'.
--profile-path User's profile path.
--script-path User's logon script path.
--home-drive User's home drive letter.
--home-directory User's home directory path.



Creating a Windows and Unix user


Note: all Active Directory users are primarily Windows users; to make one a Unix user as well, you extend it with further (RFC2307) attributes.

To create a Unix user, use the same command as for a Windows user, but you must add all of the following options together:

Option Explanation
--nis-domain User's Unix/RFC2307 NIS domain.
--uid-number User's Unix/RFC2307 numeric UID.
--login-shell User's Unix/RFC2307 login shell.
--unix-home User's Unix/RFC2307 home directory.
--gid-number User's Unix/RFC2307 primary GID number.


There are two other RFC2307 options; if you do not supply them, they are set for you:

Option Explanation
--uid User's Unix/RFC2307 username.
--gecos User's Unix/RFC2307 GECOS field.
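The two procedures above (a Windows-only user, and a combined Windows/Unix user that needs the five RFC2307 options together) can be scripted safely. The following is an added example, not code from the Samba project or from this wiki page: it assembles the samba-tool command line, refuses an incomplete RFC2307 option set before samba-tool is ever run, and deliberately leaves the password off the command line so samba-tool prompts for it. The samba-tool path is the one used on this page; the OU 'OU=People', the NIS domain 'samdom' and the ID values are placeholders, and DRY_RUN=1 (the default) prints the command instead of executing it.

```shell
#!/bin/sh
# Added example (not Samba project code): build, and optionally run, a
# 'samba-tool user create' command for a Windows-only or a Windows+Unix user.
# Assumptions: samba-tool at /usr/local/samba/bin/samba-tool (as on this page);
# DRY_RUN=1 prints the command, DRY_RUN=0 executes it on the DC as root.

SAMBA_TOOL=${SAMBA_TOOL:-/usr/local/samba/bin/samba-tool}
DRY_RUN=${DRY_RUN:-1}

# rfc2307_complete NISDOM UIDNUMBER SHELL HOME GIDNUMBER
# The page lists these five as required together: return 0 only if all are set.
rfc2307_complete() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] && [ -n "$5" ]
}

# rfc2307_empty NISDOM UIDNUMBER SHELL HOME GIDNUMBER: return 0 if none is set
# (a Windows-only user).
rfc2307_empty() {
    [ -z "$1$2$3$4$5" ]
}

# user_create_cmd USERNAME OU NISDOM UIDNUMBER SHELL HOME GIDNUMBER
# OU may be empty (the user then lands in the default CN=Users). No password is
# put on the command line: samba-tool prompts for it, which keeps it out of the
# shell history and out of 'ps' output.
user_create_cmd() {
    username=$1 ou=$2 nisdom=$3 uidnum=$4 shell=$5 home=$6 gidnum=$7
    set -- "$SAMBA_TOOL" user create "$username" --must-change-at-next-login
    if [ -n "$ou" ]; then
        set -- "$@" --userou="$ou"
    fi
    if ! rfc2307_empty "$nisdom" "$uidnum" "$shell" "$home" "$gidnum"; then
        if ! rfc2307_complete "$nisdom" "$uidnum" "$shell" "$home" "$gidnum"; then
            echo "user_create_cmd: nis-domain, uid-number, login-shell, unix-home and gid-number must all be given" >&2
            return 1
        fi
        case "$uidnum$gidnum" in *[!0-9]*)
            echo "user_create_cmd: uid-number and gid-number must be numeric" >&2
            return 1 ;;
        esac
        set -- "$@" --nis-domain="$nisdom" --uid-number="$uidnum" \
            --login-shell="$shell" --unix-home="$home" --gid-number="$gidnum"
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Windows-only user in the default CN=Users container:
user_create_cmd user1 ""
# Windows+Unix user in the placeholder OU=People, NIS domain 'samdom':
user_create_cmd user2 OU=People samdom 10001 /bin/bash /home/user2 10000
```

Run with DRY_RUN=0 on the DC to actually create the users; samba-tool then asks for the password interactively. The uid-number and gid-number you pass must also fall inside the idmap range configured on your domain members, otherwise winbind there will not map the account.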



Further options available

There are several other options available, these are applicable whether you are creating a Windows or a Unix user:

Option Explanation
--must-change-at-next-login Force password to be changed on next login.
--use-username-as-cn Force use of username as user's CN.
--smartcard-required Require a smartcard for interactive logons.
--job-title User's job title.
--department User's department.
--company User's company.
--description User's description.
--mail-address User's email address.
--internet-address User's home page.
--telephone-number User's phone number.
--physical-delivery-office User's office location.

--smartcard-required sets the SMARTCARD_REQUIRED flag in the account's userAccountControl; samba-tool does not accept it together with --must-change-at-next-login or with a password given on the command line.


Adding Unix attributes to a Windows user

If you create a Windows user and then need to make it a Unix user as well, you can do it this way:

Find the SID allocated to the user by using the following command on a Samba DC:

$ /usr/local/samba/bin/wbinfo --name-to-sid user1

It should display something like this:

S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)

Now use this SID to find the user's 'xidNumber', the Unix ID that winbind on the DC allocated for it in idmap.ldb:

$ /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005

Again, the command should return something like this:

3000011

This user is mapped to the ID '3000011'. That mapping lives in the DC's idmap.ldb and is only valid on that DC; a domain member resolves the same user to a different ID. If your user will only connect to files stored on the DC, you can stop here.


If your user will connect to a Unix domain member and you will be using the winbind 'ad' backend, you must add 'uidNumber' and 'gidNumber' attributes to the user's object in /usr/local/samba/private/sam.ldb.

One way of doing this is with the Samba tool 'ldbedit', run as root on the DC:

$ ldbedit -e emacs -H /usr/local/samba/private/sam.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005

Note: you can replace emacs with your editor of choice.


Find the record for 'user1'; it starts like this:

dn: CN=user1,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user1


If you add attributes similar to these (choose values that are unique in the domain and inside the idmap range configured on your domain members):

uidNumber: 10000
gidNumber: 10000

Then save and exit. Samba will then use ID '10000' as the user's Unix ID and '10000' as the group ID. Before Samba 4.6.0, you also had to give 'Domain Users' the 'gidNumber' '10000'; from 4.6.0 on, you can use the 'gidNumber' of any Unix group you have created in AD and it will become the user's primary Unix group. Note that the DC itself keeps using the xidNumber from idmap.ldb unless 'idmap_ldb:use rfc2307 = yes' is set in the DC's smb.conf; without it the same user owns files under different IDs on the DC and on domain members.
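The steps above (look up the DC-local xidNumber, then give the user explicit uidNumber and gidNumber values for the members' winbind 'ad' backend) can also be done without an interactive editor. The following is an added example, not code from the Samba project or from this wiki page: it reads the idmap range for the domain out of a member's smb.conf, refuses an ID outside that range (the DC-local allocation 3000011 from this page is exactly such a value), and emits an LDIF record for ldbmodify instead of opening ldbedit. The smb.conf fragment is constructed for this example, and the user DN and the ID values are placeholders taken from the page.

```shell
#!/bin/sh
# Added example (not Samba project code): generate an LDIF 'modify' record that
# adds uidNumber/gidNumber to an existing AD user, after checking both values
# against the idmap range a domain member uses for the winbind 'ad' backend.
# Apply the output on the DC as root with:
#   ldbmodify -H /usr/local/samba/private/sam.ldb user1.ldif

# Constructed domain-member smb.conf fragment (winbind 'ad' backend, RFC2307).
SAMPLE_SMB_CONF='[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   winbind nss info = rfc2307'

# idmap_range DOMAIN < smb.conf : print "LOW HIGH" from 'idmap config DOMAIN : range'.
# Parameter names in smb.conf are case-insensitive, so both sides are lowered.
# DOMAIN is used as a regex, so pass a plain domain name (not '*').
idmap_range() {
    awk -v dom="$1" -F= '
        tolower($1) ~ ("^[ \t]*idmap config[ \t]*" tolower(dom) "[ \t]*:[ \t]*range[ \t]*$") {
            gsub(/[ \t]/, "", $2)
            n = split($2, r, "-")
            if (n == 2) print r[1], r[2]
            exit
        }'
}

# in_range N LOW HIGH : 0 if LOW <= N <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# unix_attrs_ldif DN UIDNUMBER GIDNUMBER : LDIF record for ldbmodify.
# 'add' (rather than 'replace') makes ldbmodify fail if the attribute already
# exists, so an existing mapping is never silently overwritten.
unix_attrs_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n-\n' "$1" "$2" "$3"
}

# checked_unix_attrs_ldif DN UIDNUMBER GIDNUMBER DOMAIN < smb.conf
# Emits the LDIF only when both IDs lie inside the member's idmap range.
checked_unix_attrs_ldif() {
    range=$(idmap_range "$4")
    if [ -z "$range" ]; then
        echo "checked_unix_attrs_ldif: no 'idmap config $4 : range' in smb.conf" >&2
        return 1
    fi
    lo=${range% *}
    hi=${range#* }
    for n in "$2" "$3"; do
        if ! in_range "$n" "$lo" "$hi"; then
            echo "checked_unix_attrs_ldif: $n is outside idmap range $lo-$hi" >&2
            return 1
        fi
    done
    unix_attrs_ldif "$1" "$2" "$3"
}

USER_DN="CN=user1,CN=Users,DC=samdom,DC=example,DC=com"
# The DC-local allocation from idmap.ldb (3000011 on this page) is rejected ...
printf '%s\n' "$SAMPLE_SMB_CONF" | checked_unix_attrs_ldif "$USER_DN" 3000011 3000011 SAMDOM \
    || echo "(rejected as expected)" >&2
# ... while an explicit uidNumber/gidNumber of 10000 yields the LDIF to apply:
printf '%s\n' "$SAMPLE_SMB_CONF" | checked_unix_attrs_ldif "$USER_DN" 10000 10000 SAMDOM
```

After applying the LDIF on the DC, confirm the attributes with `ldbsearch -H /usr/local/samba/private/sam.ldb '(sAMAccountName=user1)' uidNumber gidNumber`, and on the domain member check that `getent passwd user1` now reports the ID you chose rather than an ID from the member's default ('*') range.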