Difference between revisions of "Maintaining Unix Attributes in AD using ADUC"

m (Fix link)
m (Defining the next UID/GID to use: updated instructions how to define storing next uid/gid in AD)

Revision as of 12:42, 12 October 2015

The actions described in this section require the NIS Extensions to be enabled. Additionally, the Windows Remote Server Administration Tools (RSAT) have to be installed. See the RSAT installation section for installing all recommended modules. At least the features "AD DS Tools" and "Server for NIS Tools" are required for the following steps!



Using ADUC to set Unix Attributes on a user account

  • Open ADUC.
  • Right-click a user account and choose "Properties".
  • Navigate to the "UNIX Attributes" tab.
Note: If you don't see this tab, you haven't installed the RSAT feature "Server for NIS Tools".
  • After choosing the "NIS Domain", the other fields become enabled. Fill in the values as required.
Hint: As primary group you can only choose groups that have Unix attributes defined!
(Screenshot: ADUC Unix Attributes User.png)
  • Click "OK" to save your changes.



Using ADUC to set Unix Attributes on groups

  • Open ADUC.
  • Right-click a group and choose "Properties".
  • Navigate to the "UNIX Attributes" tab.
Note: If the tab isn't visible, you haven't installed the RSAT feature "Server for NIS Tools".
  • The other fields are not enabled until the "NIS Domain" is chosen. Fill in the values as required.
Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the group membership from the Windows group (see the "Member Of" tab).
(Screenshot: ADUC Unix Attributes Groups.png)
  • Click "OK" to save your changes.



Defining the next UID/GID to use

Every time a UID/GID is assigned using Active Directory Users and Computers (ADUC), the next unused UID/GID is stored inside the Active Directory.

By default, Active Directory starts assigning UIDs & GIDs at 10000. The attributes that hold these counters are not created by Samba4 as standard, but they are easy to add. Open the ypservers object on a Domain Controller:

# ldbedit -H /usr/local/samba/private/sam.ldb -b \
  CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Add the following two attributes and save the changes.

msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

You do not need to use 10000 for the first UID/GID that will be assigned. For example, if you require UIDs to start at 20000 and GIDs at 50000, change the values to your requirements:

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000
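The counters above are only what ADUC will hand out next; nothing in the directory prevents a uidNumber or gidNumber from having been set by hand (ldbmodify, samba-tool) at or above that value, in which case the next ADUC assignment can reuse a number that is already in use and file ownership on Unix hosts becomes ambiguous. The following script is an added example, not part of the Samba wiki, that checks the stored counters against the values already assigned. It assumes you feed it the LDIF text printed by ldbsearch (for example `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber` and a second query for the ypservers object); the embedded LDIF below is constructed sample data, not real directory output.

```python
"""Check msSFU30MaxUidNumber / msSFU30MaxGidNumber against assigned uidNumber / gidNumber values."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the LDIF layout that `ldbsearch` prints (not real directory data).
SAMPLE_USERS_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10000
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000

dn: CN=svc-backup,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10005
gidNumber: 10001

# returned 3 records
"""

SAMPLE_YPSERVERS_LDIF = """\
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 10003
msSFU30MaxGidNumber: 10002
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split ldbsearch output into one dict per entry (attribute -> values).
    Comment lines ('#') are skipped; base64 ('attr::') and folded lines are not handled here."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_counter(entries, attr: str, counter: int) -> Tuple[Optional[int], List[str]]:
    """Return (highest assigned value, DNs whose value is >= the stored counter).
    Any DN in the list means the counter lags behind an existing assignment."""
    assigned = [(int(e[attr][0]), e["dn"][0]) for e in entries if attr in e]
    highest = max((v for v, _ in assigned), default=None)
    return highest, [dn for v, dn in assigned if v >= counter]


def audit(users_ldif: str, ypservers_ldif: str) -> Dict[str, Tuple[int, int, List[str]]]:
    """Map each counter attribute to (stored value, safe value to store, clashing DNs).
    The safe value is the larger of the stored counter and highest assigned + 1."""
    entries = parse_ldif(users_ldif)
    yp = parse_ldif(ypservers_ldif)[0]
    result = {}
    for attr, counter_attr in (("uidNumber", "msSFU30MaxUidNumber"), ("gidNumber", "msSFU30MaxGidNumber")):
        counter = int(yp[counter_attr][0])
        highest, clashes = check_counter(entries, attr, counter)
        safe = counter if highest is None else max(counter, highest + 1)
        result[counter_attr] = (counter, safe, clashes)
    return result


if __name__ == "__main__":
    for name, (stored, safe, clashes) in audit(SAMPLE_USERS_LDIF, SAMPLE_YPSERVERS_LDIF).items():
        print(f"{name}: stored={stored} safe={safe} clashes={clashes}")
```

Run the audit for both user and group entries (groups carry gidNumber too), and raise the counter with ldbedit whenever the safe value is above the stored one.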