Maintaining Unix Attributes in AD using ADUC

From SambaWiki
Revision as of 20:55, 25 August 2015 by Mmuehlfeld (talk | contribs) (Split this content from the "Using RFC2307" page)

The actions described in this section require the NIS Extensions to be enabled. Additionally, the Windows Remote Server Administration Tools (RSAT) must be installed. See the RSAT installation section for how to install all recommended modules. At least the functions "AD DS Tools" and "Server for NIS Tools" are required for the following steps!



Using ADUC to set Unix Attributes on a user account

  • Open ADUC.
  • Right-click a user account and choose "Properties".
  • Navigate to the "UNIX Attributes" tab.
Note: If you don't see this tab, you haven't installed the RSAT function "Server for NIS Tools".
  • Select the "NIS Domain". This enables the other fields. Fill in the values as required.
Hint: As the primary group, you can only choose groups that have Unix attributes defined!
  • Click "OK" to save your changes.



Using ADUC to set Unix Attributes on groups

  • Open ADUC.
  • Right-click a group and choose "Properties".
  • Navigate to the "UNIX Attributes" tab.
Note: If the tab isn't visible, you haven't installed the RSAT function "Server for NIS Tools".
  • The other fields are not enabled until the "NIS Domain" is chosen. Fill in the values as required.
Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see the "Member Of" tab).
  • Click "OK" to save your changes.



Defining the next UID/GID to use

Every time a UID/GID is assigned using Active Directory Users and Computers (ADUC), the next unused UID/GID is stored inside the Active Directory.

By default, Active Directory starts assigning UIDs & GIDs at 10000.

You can change the next UID/GID that will be assigned. For example, if you need UIDs to start at 20000 and GIDs at 50000, change the values on a Domain Controller:

# ldbedit -H /usr/local/samba/private/sam.ldb -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Adapt the following two attributes to your needs and save the changes.

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000
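
Because the counter holds the next ID that ADUC will assign, it is worth checking, before and after editing it, that no account already uses an ID at or above that value and that no ID is assigned twice. The following Python sketch is an added example, not part of the original wiki page or of Samba. It assumes its input is LDIF text such as ldbsearch prints; the function names and the sample entries are made up for illustration.

```python
from collections import defaultdict

# Constructed sample in the LDIF layout ldbsearch prints; all entries are made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 20000

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 20000

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per record (base64 '::' values are not decoded)."""
    record, last = defaultdict(list), None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:       # folded continuation line
            record[last][-1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            last, _, value = line.partition(":")
            record[last].append(value.strip())
        elif not line.strip() and record:       # blank line ends the record
            yield dict(record)
            record, last = defaultdict(list), None

def audit(text, id_attr="uidNumber", counter_attr="msSFU30MaxUidNumber"):
    """Return sorted (kind, id, detail) findings for duplicate or counter-overlapping IDs."""
    owners, counter = defaultdict(list), None
    for rec in parse_ldif(text):
        if counter_attr in rec:
            counter = int(rec[counter_attr][0])
        for value in rec.get(id_attr, []):
            owners[int(value)].append(rec.get("dn", ["?"])[0])
    findings = []
    for num, dns in owners.items():
        if len(dns) > 1:                        # two accounts share one Unix identity
            findings.append(("duplicate", num, "; ".join(sorted(dns))))
        if counter is not None and num >= counter:  # a later assignment could reuse it
            findings.append(("at-or-above-counter", num, dns[0]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(*finding)
```

For groups, pass LDIF that contains only the group entries plus the ypservers entry and call audit(text, "gidNumber", "msSFU30MaxGidNumber").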