Administer Unix Attributes in AD using samba-tool and ldb-tools: Difference between revisions
m (CN=Users (plural), not User, for groups too)
(samba-tool can be used to assign/modify unix attributes for the user, ldif & ldbmodify is the hardcore way)
Revision as of 14:09, 11 February 2022
Introduction
The following describes how to set and edit the RFC2307 attributes used by idmap_ad. This requires the NIS extensions to be installed in your AD. To administer the UNIX attributes from the command line, install ldb-tools (ldbsearch, ldbmodify, etc.) if they are not already installed. Modifications to user and group objects are done by the Domain Administrator unless you have set up delegations.
Names and Addresses used on this page
- username : sambauser
- groupname : sambagroup
- Computer name : sambacomputer
- domain naming context : DC=samdom,DC=example,DC=com
- Netbios domain name : samdom (aka workgroup)
- ID range : 10000-999999
- Domain Users gidNumber : 10000
- login shell : /bin/bash
Note: Ensure that you use unique values for new users and groups.
Creating a Unix user with samba-tool
- Open a terminal on a DC and enter the following command:
samba-tool user create sambauser passw5rd* --nis-domain=samdom --unix-home=/home/sambauser --uid-number=10005 --login-shell=/bin/bash --gid-number=10000
Adding Unix attributes to an existing user account
- Direct command-line way using samba-tool:
samba-tool user addunixattrs sambauser 10001 --gid-number=10000 --login-shell=/bin/bash --unix-home=/home/sambauser
The first positional argument after the username is the uidNumber to assign (10001 here, as in the ldif below); --gid-number sets the gidNumber (10000, the Domain Users gidNumber from the list above).
- Interactive way with samba-tool:
samba-tool user edit sambauser
This will open up an interactive editor (or use --editor=nano). Add the uidNumber, gidNumber, gecos, loginShell, unixHomeDirectory attributes.
- Non-interactive way with ldbmodify:
This will manipulate the underlying database directly.
Create an ldif (/tmp/user.ldif) containing something similar to the following information.
dn: CN=sambauser,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: uid
uid: sambauser
-
add: msSFU30Name
msSFU30Name: sambauser
-
add: msSFU30NisDomain
msSFU30NisDomain: samdom
-
add: uidNumber
uidNumber: 10001
-
add: gidNumber
gidNumber: 10000
-
add: loginShell
loginShell: /bin/bash
-
add: unixHomeDirectory
unixHomeDirectory: /home/sambauser
Add the data with the following command
ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/user.ldif -U Administrator
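The ldif above is easy to mistype, and a uidNumber outside the ID range or one that is already assigned breaks the uniqueness rule given at the top of this page. The following POSIX sh helper is an added example, not code from the Samba wiki or the Samba project: it generates the same modify ldif from the values used on this page, refuses IDs outside 10000-999999, and checks ldbsearch output for an existing object before the write. The naming context, sam.ldb path and ID range are the ones given on this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Samba wiki). Generates the "add unix attributes"
# ldif for a user and guards the IDs with the range used on this page.
ID_MIN=10000
ID_MAX=999999
BASE='DC=samdom,DC=example,DC=com'   # domain naming context from this page

# in_id_range NUMBER -> exit 0 if NUMBER is an integer inside ID_MIN..ID_MAX
in_id_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty or not purely numeric
    esac
    [ "$1" -ge "$ID_MIN" ] && [ "$1" -le "$ID_MAX" ]
}

# user_unixattrs_ldif USER UIDNUMBER GIDNUMBER [SHELL] [HOME]
# Prints the modify ldif for CN=USER,CN=Users,$BASE; exit 1 on an invalid ID.
user_unixattrs_ldif() {
    user=$1; uidn=$2; gidn=$3
    shell=${4:-/bin/bash}; home=${5:-/home/$user}
    in_id_range "$uidn" || { echo "uidNumber $uidn outside $ID_MIN-$ID_MAX" >&2; return 1; }
    in_id_range "$gidn" || { echo "gidNumber $gidn outside $ID_MIN-$ID_MAX" >&2; return 1; }
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\n' "$user" "$BASE"
    printf 'add: uid\nuid: %s\n-\n' "$user"
    printf 'add: msSFU30Name\nmsSFU30Name: %s\n-\n' "$user"
    printf 'add: msSFU30NisDomain\nmsSFU30NisDomain: samdom\n-\n'
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uidn"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gidn"
    printf 'add: loginShell\nloginShell: %s\n-\n' "$shell"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n' "$home"
}

# id_taken: reads ldbsearch output on stdin; exit 0 if any object was returned
# (the searched uidNumber/gidNumber is already in use), 1 otherwise.
id_taken() {
    grep -q '^dn: '
}

# Usage on a DC, as the Domain Administrator (the hypothetical values are
# the ones used on this page):
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=10001)' dn | id_taken \
#       && { echo 'uidNumber 10001 already in use'; exit 1; }
#   user_unixattrs_ldif sambauser 10001 10000 > /tmp/user.ldif
#   ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/user.ldif -U Administrator
```

The same id_taken check applies before the group and computer modifications further down; search on gidNumber for a group.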
Creating a Unix group with samba-tool
- Open a terminal on a DC and enter the following command:
samba-tool group add sambagroup --nis-domain=samdom --gid-number=12345
Adding Unix attributes to an existing group
- Create an ldif (/tmp/group.ldif) containing something similar to the following information.
dn: CN=sambagroup,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: samdom
-
add: msSFU30Name
msSFU30Name: sambagroup
-
add: gidNumber
gidNumber: 10001
- Close and save the ldif.
- Add the data with the following command
ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/group.ldif -U Administrator
Adding Unix attributes to an existing computer account
To access Samba shares on the domain with a Windows machine's computer (network) account, you need to set the uidNumber attribute on that computer object.
- Create an ldif (/tmp/computer.ldif) containing something similar to the following information.
dn: CN=sambacomputer,CN=Computers,DC=samdom,DC=example,DC=com
changetype: modify
add: uidNumber
uidNumber: 10001
- Close and save the ldif.
- Add the data with the following command
ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/computer.ldif -U Administrator