Difference between revisions of "Maintaining Unix Attributes in AD using ADUC"

m (grammar)
 
(25 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
In the following we describe how to set/edit the RFC2307 attributes used by [[Idmap_config_ad|idmap_ad]]. This requires to have [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] installed in your AD and [[Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers|RFC2307 enabled]] in each DCs smb.conf
+
In the following we describe how to set/edit the RFC2307 attributes used by [[Idmap_config_ad|idmap_ad]]. This requires to have [[Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup|NIS extensions]] installed in your AD. To administer the UNIX attributes via the Windows GUI you should install the [[Installing RSAT|Remote Server Administration Tools (RSAT)]], if not already installed and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects will be done by the Domain Administrator, if you haven't set any [[Delegation/Account_management|delegations]].
  
Install the [[Installing RSAT|Remote Server Administration Tools (RSAT)]], if not already installed and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects will be done by the Domain Administrator, if you haven't set any [[Delegation/Account_management|delegations]].
+
{{Imbox
 +
| type = important
 +
| text = ADUC, running on Windows 10 and Windows Server 2016, no longer displays the "Unix Attributes" tab in user or group properties. For details, see [[Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016|Missing Unix Attributes tab in ADUC on Windows 10 and Windows Server 2016]].
 +
}}
  
  
Line 18: Line 21:
 
:''Note: If you don't see this tab, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
 
:''Note: If you don't see this tab, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
  
* When choosing the "NIS Domain", the other fields are getting enabled. Fill the values as required.
+
* The other fields are not enabled until the "NIS Domain" is chosen. Fill the values as required.
:''Hint: As primary group you can only choose [[#Using_ADUC_to_set_Unix_Attributes_on_groups|groups, that have Unix attributes defined]]!''
+
:''Hint: You can only choose a primary group [[#Using_ADUC_to_set_Unix_Attributes_on_groups|that has had Unix attributes defined]]!''
  
:[[Image:ADUC_Unix_Attributes_User.png]]
+
:[[Image:ADUC_UNIX_Attributes_User.png]]
  
 
* Click "OK" to save your changes.
 
* Click "OK" to save your changes.
Line 39: Line 42:
  
 
* The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
 
* The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
:''Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see "Member Of"-tab).''
+
:''Hint: It's not required to add users to the group in this tab! Winbind retrieves the account membership from the Windows groups (see "Member Of"-tab).''
  
:[[Image:ADUC_Unix_Attributes_Groups.png]]
+
:[[Image:ADUC_UNIX_Attributes_Groups.png]]
  
 
* Click "OK" to save your changes.
 
* Click "OK" to save your changes.
Line 49: Line 52:
  
  
= Defining the next UID/GID to use =
+
= Curses ADUC =
  
Everytime a UID/GID is assigned using Active Directory Users and Computers (ADUC), <u>the next</u> UID/GID is stored inside the Active Directory. By default, ADUC starts assigning UIDs and GIDs at 10000
+
You can alternatively use the curses ADUC module to maintain Unix Attributes in AD. You can download an [https://appimage.github.io/admin-tools/ AppImage here].
  
If you have setup a new Samba AD and want to use a different start value, before using ADUC for the first time, you need to add the counting attributes first:
+
= Setting attributes on an user account =
 +
 
 +
* Run the admin-tools AppImage, then choose Active Directory Users and Computers.
 +
 
 +
* Right-click on a user account and choose properties.
 +
 
 +
* Navigate to the "UNIX Attributes" tab.
 +
 
 +
[[File:YaST_ADUC_UNIX_Attributes_User.png]]
 +
 
 +
* Click "OK" to save your changes.
 +
 
 +
= Setting attributes on a group =
 +
 
 +
* Run the admin-tools AppImage, then choose Active Directory Users and Computers.
 +
 
 +
* Right-click on a group and choose properties.
 +
 
 +
[[File:YaST_ADUC_UNIX_Attributes_Groups.png]]
 +
 
 +
* Click "OK" to save your changes.
 +
 
 +
= Setting attributes on a computer account =
 +
You need to set the uidNumber attribute to access samba shares on a domain with the Windows machine network account.
 +
 
 +
* Open ADUC.
 +
 
 +
* Right-click to a computer account and choose properties.
 +
 
 +
* Navigate to the "Attribute Editor" tab.
 +
:''Note: If you don't see this tab, you haven't installed the [[Installing RSAT#Installation|RSAT function "Server for NIS Tools"]].''
 +
 
 +
* Scroll down to the "uidNumber" attribute, select it, click edit, enter a value, click "OK"
 +
:''Note: Ensure that you enter a unique value.
 +
 
 +
* Click "OK" to save your changes.
 +
 
 +
= Defining the next UID/GID number to use =
 +
 
 +
Every time a UID/GID number is assigned using Active Directory Users and Computers (ADUC), <u>the next</u> UID/GID number is stored inside the Active Directory. By default, ADUC starts assigning UID and GID numbers at 10000.
 +
 
 +
If you setup a new Samba AD and want to use a different start value, you will need to add the counting attributes before using ADUC for the first time:
  
 
  # ldbedit -H /usr/local/samba/private/sam.ldb -b \
 
  # ldbedit -H /usr/local/samba/private/sam.ldb -b \
Line 61: Line 105:
 
  msSFU30MaxGidNumber: 10000
 
  msSFU30MaxGidNumber: 10000
  
With the same command you can change the values. E. g. if you require to start UIDs at 20000 and GIDs at 50000, adapt the values to your requirements:
 
  
msSFU30MaxUidNumber: 20000
+
 
msSFU30MaxGidNumber: 50000
+
 
 +
 
 +
 
 +
 
 +
----
 +
[[Category:Active Directory]]
 +
[[Category:User Management]]

Latest revision as of 19:55, 6 August 2019

Introduction

In the following we describe how to set/edit the RFC2307 attributes used by idmap_ad. This requires to have NIS extensions installed in your AD. To administer the UNIX attributes via the Windows GUI you should install the Remote Server Administration Tools (RSAT), if not already installed and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects will be done by the Domain Administrator, if you haven't set any delegations.



Setting attributes on an user account

  • Open ADUC.
  • Right-click to a user account and choose properties.
  • Navigate to the "UNIX Attributes" tab.
Note: If you don't see this tab, you haven't installed the RSAT function "Server for NIS Tools".
  • The other fields are not enabled until the "NIS Domain" is chosen. Fill the values as required.
Hint: You can only choose a primary group that has had Unix attributes defined!
ADUC UNIX Attributes User.png
  • Click "OK" to save your changes.



Setting attributes on a group

  • Open ADUC.
  • Right-click to a group and choose properties.
  • Navigate to the "UNIX Attributes" tab.
Note: If the tab isn't visible, you haven't installed the RSAT function "Server for NIS Tools".
  • The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
Hint: It's not required to add users to the group in this tab! Winbind retrieves the account membership from the Windows groups (see "Member Of"-tab).
ADUC UNIX Attributes Groups.png
  • Click "OK" to save your changes.



Curses ADUC

You can alternatively use the curses ADUC module to maintain Unix Attributes in AD. You can download an AppImage here.

Setting attributes on an user account

  • Run the admin-tools AppImage, then choose Active Directory Users and Computers.
  • Right-click on a user account and choose properties.
  • Navigate to the "UNIX Attributes" tab.

YaST ADUC UNIX Attributes User.png

  • Click "OK" to save your changes.

Setting attributes on a group

  • Run the admin-tools AppImage, then choose Active Directory Users and Computers.
  • Right-click on a group and choose properties.

YaST ADUC UNIX Attributes Groups.png

  • Click "OK" to save your changes.

Setting attributes on a computer account

You need to set the uidNumber attribute to access samba shares on a domain with the Windows machine network account.

  • Open ADUC.
  • Right-click to a computer account and choose properties.
  • Navigate to the "Attribute Editor" tab.
Note: If you don't see this tab, you haven't installed the RSAT function "Server for NIS Tools".
  • Scroll down to the "uidNumber" attribute, select it, click edit, enter a value, click "OK"
Note: Ensure that you enter a unique value.
  • Click "OK" to save your changes.

Defining the next UID/GID number to use

Every time a UID/GID number is assigned using Active Directory Users and Computers (ADUC), the next UID/GID number is stored inside the Active Directory. By default, ADUC starts assigning UID and GID numbers at 10000.

If you setup a new Samba AD and want to use a different start value, you will need to add the counting attributes before using ADUC for the first time:

# ldbedit -H /usr/local/samba/private/sam.ldb -b \
  CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000