Administer Unix Attributes in AD using samba-tool and ldb-tools

From SambaWiki

Introduction

The following describes how to set or edit the RFC2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory and so on) that idmap_ad reads. This requires the NIS extensions to be installed in your AD (a domain provisioned with --use-rfc2307). To administer the UNIX attributes from the command line, install the ldb-tools (ldbsearch, ldbmodify, etc.) if they are not already present. Unless you have delegated the permissions, modifications to user and group objects must be made by a Domain Administrator.



Names and Addresses used on this page

  • username  : sambauser
  • groupname  : sambagroup
  • Computer name  : sambacomputer
  • domain naming context  : DC=samdom,DC=example,DC=com
  • Netbios domain name  : samdom (aka workgroup)
  • ID range  : 10000-999999
  • Domain Users gidNumber : 10000
  • login shell  : /bin/bash



Creating a Unix user with samba-tool

  • Open a terminal on a DC and enter the following command:
samba-tool user create sambauser 'passw5rd*' --nis-domain=samdom --unix-home=/home/sambauser --uid-number=10005 --login-shell=/bin/bash --gid-number=10000

Quote the password so the shell does not expand the *. A password given on the command line ends up in the shell history and is visible in the process list while the command runs; omit it to be prompted for it, or let samba-tool generate one with --random-password.



Adding Unix attributes to an existing user account

Direct command-line way using samba-tool

The uidNumber is a positional argument after the username; gidNumber, login shell and home directory are options. With the values used on this page:

samba-tool user addunixattrs sambauser 10005 --gid-number=10000 --login-shell=/bin/bash --unix-home=/home/sambauser

Interactive way with samba-tool

samba-tool user edit sambauser

This opens the account's attributes in the editor named by $EDITOR (vi if it is unset), or in the one given with --editor, e.g. --editor=nano. Add the uidNumber, gidNumber, gecos, loginShell and unixHomeDirectory attributes, then save and quit; samba-tool applies the change.

Non-interactive way with ldbmodify

This writes to the underlying database directly, so run it as root on a DC. The sam.ldb path used below is that of a Samba built from source; distribution packages usually keep it at /var/lib/samba/private/sam.ldb. Each add: stanza fails if the attribute already has a value; use replace: instead to overwrite an existing one.

Create an ldif (/tmp/user.ldif) containing something similar to the following information.

dn: CN=sambauser,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: uid
uid: sambauser
-
add: msSFU30Name
msSFU30Name: sambauser
-
add: msSFU30NisDomain
msSFU30NisDomain: samdom
-
add: uidNumber
uidNumber: 10001
-
add: gidNumber
gidNumber: 10000
-
add: loginShell
loginShell: /bin/bash
-
add: unixHomeDirectory
unixHomeDirectory: /home/sambauser

Add the data with the following command

ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/user.ldif -U Administrator

Creating a Unix group with samba-tool

  • Open a terminal on a DC and enter the following command:
samba-tool group add sambagroup --nis-domain=samdom --gid-number=12345



Adding Unix attributes to an existing group

Direct command-line way using samba-tool

Usage: samba-tool group addunixattrs <groupname> <gidnumber>

To add the GID 10000 to Domain Users, you would do this (as root)

samba-tool group addunixattrs 'Domain Users' 10000


Using ldbmodify and an ldif

  • Create an ldif (/tmp/group.ldif) containing something similar to the following information.
dn: CN=sambagroup,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: samdom
-
add: msSFU30Name
msSFU30Name: sambagroup
-
add: gidNumber
gidNumber: 10001


  • Close and save the ldif.
  • Add the data with the following command
ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/group.ldif -U Administrator



Adding Unix attributes to an existing computer account

A Windows host that connects to Samba shares with its machine account (services running as LocalSystem or Network Service do this) needs a uidNumber on its computer object: idmap_ad cannot map an account that has none, so such connections are refused. The value must be unique across all users and computers in the domain, so the computer cannot reuse the 10001 given to sambauser above. The same rule applies to the primary group: Domain Computers (the default primary group of machine accounts) needs a gidNumber as well, set the same way as for Domain Users above.

  • Create an ldif (/tmp/computer.ldif) containing something similar to the following information.
dn: CN=sambacomputer,CN=Computers,DC=samdom,DC=example,DC=com
changetype: modify
add: uidNumber
uidNumber: 10002
  • Close and save the ldif.
  • Add the data with the following command
ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/computer.ldif -U Administrator
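The uidNumber and gidNumber values set in the LDIFs above must be unique across the domain (users and computers share the uid space), and add: only works on an attribute that is not yet set. The following shell example is added here and is not from the SambaWiki page or the Samba project; it shows the checks a practitioner would run before applying one of these LDIFs: it takes ldbsearch output, reports any ID held by more than one object, picks the lowest free ID in this page's range, and writes the user LDIF from above with that ID. The ldbsearch output it parses is a constructed sample embedded in the script (it reproduces a user and a computer both holding uidNumber 10001); the function names ids_from_ldif, duplicate_ids, next_free_id and user_unix_ldif are the example's own. Fed gidNumber instead of uidNumber it serves the group LDIF the same way.

```shell
#!/bin/sh
# Added example, not from the SambaWiki page or the Samba project.
# Finds RFC2307 ID collisions, picks the next free ID in the configured
# range and emits the user LDIF shown on this page with that ID.
#
# On a DC the real input comes from (run as root):
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' uidNumber
# A constructed copy of that output is embedded here so the script runs
# offline. It deliberately repeats the collision a careless edit produces:
# a user and a computer object both carry uidNumber 10001.
SAMPLE_UIDS='# record 1
dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10000

# record 2
dn: CN=sambauser,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001

# record 3
dn: CN=sambacomputer,CN=Computers,DC=samdom,DC=example,DC=com
uidNumber: 10001

# record 4
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10005

# returned 4 records
# 4 entries
# 0 referrals'

# ids_from_ldif ATTR: print every value of ATTR from LDIF on stdin
ids_from_ldif() {
    sed -n "s/^$1: *//p"
}

# duplicate_ids ATTR: values of ATTR held by more than one object.
# Any output means two accounts would map to the same Unix ID.
duplicate_ids() {
    ids_from_ldif "$1" | sort -n | uniq -d
}

# next_free_id ATTR LOW HIGH: lowest number in [LOW, HIGH] not yet used
# as ATTR. Prints nothing and returns 1 if the range is exhausted.
next_free_id() {
    ids_from_ldif "$1" | sort -n | uniq |
    awk -v cand="$2" -v high="$3" '
        $1 < cand  { next }          # below the range, irrelevant
        $1 == cand { cand++; next }  # taken: try the next number
                   { exit }          # gap found: cand is free (END still runs)
        END { if (cand > high) exit 1; print cand }'
}

# user_unix_ldif DN UIDNUMBER GIDNUMBER NAME NISDOMAIN HOME SHELL:
# the modify LDIF from this page with the values filled in.
# add: fails if the attribute is already set; use replace: to overwrite.
user_unix_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: uid\nuid: %s\n-\n' "$4"
    printf 'add: msSFU30Name\nmsSFU30Name: %s\n-\n' "$4"
    printf 'add: msSFU30NisDomain\nmsSFU30NisDomain: %s\n-\n' "$5"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$3"
    printf 'add: loginShell\nloginShell: %s\n-\n' "$7"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n' "$6"
}

# Demonstration on the constructed sample, ID range 10000-999999 as on this page.
echo "duplicate uidNumbers (must be fixed before anything else):"
printf '%s\n' "$SAMPLE_UIDS" | duplicate_ids uidNumber
uid=$(printf '%s\n' "$SAMPLE_UIDS" | next_free_id uidNumber 10000 999999)
echo "next free uidNumber: $uid"
echo "LDIF to apply with: ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/user.ldif"
user_unix_ldif 'CN=sambauser,CN=Users,DC=samdom,DC=example,DC=com' \
    "$uid" 10000 sambauser samdom /home/sambauser /bin/bash
```

On the sample the script reports 10001 as duplicated (the user and the computer) and 10002 as the next free uidNumber, since 10000 and 10001 are taken and 10005 leaves a gap. In production, redirect the LDIF to /tmp/user.ldif and apply it with the ldbmodify command shown above; run the duplicate check again afterwards, because nothing in the directory schema enforces uniqueness of these attributes.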