Difference between revisions of "Maintaining Unix Attributes in AD using ADUC"

(Add introduction, minor edits here and there)
Line 1: Line 1:
'''The actions described in this section require to have the [[Setting_up_RFC2307_in_AD#Configuring_RFC2307_and_NIS_Extensions_in_a_Samba_AD|NIS Extensions]] enabled. Additionally, the Windows [[Installing RSAT|Remote Server Administration Tools (RSAT)]] have to be installed. See the [[Installing RSAT#Installation|RSAT installation section]], for installing all recommended modules. At least the functions <u>"AD DS Tools" and "Server for NIS Tools"</u> are required for the following steps!'''
+
= Introduction =
  
 +
In the following we describe how to set/edit the RFC2307 attributes used by [[Idmap_config_ad|idmap_ad]]. This requires to have [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] installed in your AD and [[Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers|RFC2307 enabled]] in each DCs smb.conf
  
 +
Install the [[Installing RSAT|Remote Server Administration Tools (RSAT)]], if not done yet and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects be done by the Domain Administrator, if you haven't set any [[Delegation/Account_management|delegations]].
  
  
  
= Using ADUC to set Unix Attributes on a user account =
+
 
 +
 
 +
= Setting attributes on an user account =
  
 
* Open ADUC.
 
* Open ADUC.
Line 11: Line 15:
 
* Right-click to a user account and choose properties.
 
* Right-click to a user account and choose properties.
  
* Navigate to the „UNIX Attributes“ tab.
+
* Navigate to the "UNIX Attributes" tab.
 
:''Note: If you don't see this tab, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
 
:''Note: If you don't see this tab, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
  
* When choosing the „NIS Domain“, the other fields are getting enabled. Fill the values as required.
+
* When choosing the "NIS Domain", the other fields are getting enabled. Fill the values as required.
 
:''Hint: As primary group you can only choose [[#Using_ADUC_to_set_Unix_Attributes_on_groups|groups, that have Unix attributes defined]]!''
 
:''Hint: As primary group you can only choose [[#Using_ADUC_to_set_Unix_Attributes_on_groups|groups, that have Unix attributes defined]]!''
  
 
:[[Image:ADUC_Unix_Attributes_User.png]]
 
:[[Image:ADUC_Unix_Attributes_User.png]]
  
* Click „OK“ to save your changes.
+
* Click "OK" to save your changes.
  
  
Line 25: Line 29:
  
  
= Using ADUC to set Unix Attributes on groups =
+
= Setting attributes on a group =
  
 
* Open ADUC.
 
* Open ADUC.
Line 31: Line 35:
 
* Right-click to a group and choose properties.
 
* Right-click to a group and choose properties.
  
* Navigate to the „UNIX Attributes“ tab.
+
* Navigate to the "UNIX Attributes" tab.
 
:''Note: If the tab isn't visible, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
 
:''Note: If the tab isn't visible, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
  
 
* The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
 
* The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
:''Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see „Member Of“-tab).''
+
:''Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see "Member Of"-tab).''
  
 
:[[Image:ADUC_Unix_Attributes_Groups.png]]
 
:[[Image:ADUC_Unix_Attributes_Groups.png]]
  
* Click „OK“ to save your changes.
+
* Click "OK" to save your changes.
  
  
Line 47: Line 51:
 
= Defining the next UID/GID to use =
 
= Defining the next UID/GID to use =
  
Every time a UID/GID is assigned using Active Directory Users and Computers (ADUC), <u>the next</u> unused UID/GID is stored inside the Active Directory.
+
Everytime a UID/GID is assigned using Active Directory Users and Computers (ADUC), <u>the next</u> UID/GID is stored inside the Active Directory. By default, ADUC starts assigning UIDs and GIDs at 10000
  
By default, Active Directory starts assigning UIDs & GIDs at 10000, but the required attributes are not installed as standard by Samba4, however they are easy to add:
+
If you have setup a new Samba AD and want to use a different start value, before using the first time ADUC, you need to add the counting attributes first:
  
 
  # ldbedit -H /usr/local/samba/private/sam.ldb -b \
 
  # ldbedit -H /usr/local/samba/private/sam.ldb -b \
 
   CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
 
   CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
 
Add the following two attributes and save the changes.
 
  
 
  msSFU30MaxUidNumber: 10000
 
  msSFU30MaxUidNumber: 10000
 
  msSFU30MaxGidNumber: 10000
 
  msSFU30MaxGidNumber: 10000
  
You do not need to use 10000 for the first UID/GID that will be assigned. E. g. if you require to start UIDs at 20000 and GID at 50000, change the values to your requirements:
+
With the same command you can change the values. E. g. if you require to start UIDs at 20000 and GIDs at 50000, adapt the values to your requirements:
  
 
  msSFU30MaxUidNumber: 20000
 
  msSFU30MaxUidNumber: 20000
 
  msSFU30MaxGidNumber: 50000
 
  msSFU30MaxGidNumber: 50000

Revision as of 18:06, 18 October 2015

Introduction

In the following we describe how to set/edit the RFC2307 attributes used by idmap_ad. This requires to have NIS extensions installed in your AD and RFC2307 enabled in each DCs smb.conf

Install the Remote Server Administration Tools (RSAT), if not done yet and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects be done by the Domain Administrator, if you haven't set any delegations.



Setting attributes on an user account

  • Open ADUC.
  • Right-click to a user account and choose properties.
  • Navigate to the "UNIX Attributes" tab.
Note: If you don't see this tab, you haven't installed the RSAT function "Server for NIS Tools".
  • When choosing the "NIS Domain", the other fields are getting enabled. Fill the values as required.
Hint: As primary group you can only choose groups, that have Unix attributes defined!
File:ADUC Unix Attributes User.png
  • Click "OK" to save your changes.



Setting attributes on a group

  • Open ADUC.
  • Right-click to a group and choose properties.
  • Navigate to the "UNIX Attributes" tab.
Note: If the tab isn't visible, you haven't installed the RSAT function "Server for NIS Tools".
  • The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see "Member Of"-tab).
File:ADUC Unix Attributes Groups.png
  • Click "OK" to save your changes.



Defining the next UID/GID to use

Everytime a UID/GID is assigned using Active Directory Users and Computers (ADUC), the next UID/GID is stored inside the Active Directory. By default, ADUC starts assigning UIDs and GIDs at 10000

If you have setup a new Samba AD and want to use a different start value, before using the first time ADUC, you need to add the counting attributes first:

# ldbedit -H /usr/local/samba/private/sam.ldb -b \
  CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

With the same command you can change the values. E. g. if you require to start UIDs at 20000 and GIDs at 50000, adapt the values to your requirements:

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000