Maintaining Unix Attributes in AD using ADUC

From SambaWiki
Revision as of 12:42, 12 October 2015 by Hortimech (talk | contribs) (→‎Defining the next UID/GID to use: updated instructions how to define storing next uid/gid in AD)

The actions described in this section require the NIS Extensions to be enabled. Additionally, the Windows Remote Server Administration Tools (RSAT) have to be installed. See the RSAT installation section for installing all recommended modules. At least the RSAT functions "AD DS Tools" and "Server for NIS Tools" are required for the following steps!



Using ADUC to set Unix Attributes on a user account

  • Open ADUC.
  • Right-click a user account and choose „Properties“.
  • Navigate to the „UNIX Attributes“ tab.
Note: If you don't see this tab, the RSAT function "Server for NIS Tools" is not installed.
  • Once you select a „NIS Domain“, the other fields become enabled. Fill in the values as required.
Hint: As primary group, you can only choose groups that have Unix attributes defined!
File:ADUC Unix Attributes User.png
  • Click „OK“ to save your changes.



Using ADUC to set Unix Attributes on groups

  • Open ADUC.
  • Right-click a group and choose „Properties“.
  • Navigate to the „UNIX Attributes“ tab.
Note: If the tab isn't visible, the RSAT function "Server for NIS Tools" is not installed.
  • The other fields are not enabled until a „NIS Domain“ is chosen; fill in the values as required.
Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve group membership from the Windows group (see the „Member Of“ tab).
File:ADUC Unix Attributes Groups.png
  • Click „OK“ to save your changes.



Defining the next UID/GID to use

Every time a UID/GID is assigned using Active Directory Users and Computers (ADUC), the next unused UID/GID is stored inside the Active Directory.

By default, Active Directory starts assigning UIDs and GIDs at 10000. Samba4 does not create the required attributes as standard, but they are easy to add:

# ldbedit -H /usr/local/samba/private/sam.ldb -b \
  CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Add the following two attributes and save the changes.

msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

You do not need to use 10000 for the first UID/GID that will be assigned. E.g., if you require UIDs to start at 20000 and GIDs at 50000, change the values accordingly:

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000
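Because msSFU30MaxUidNumber and msSFU30MaxGidNumber are the values ADUC hands out next, a counter that has fallen below an ID already in use (for example after IDs were set by hand, or after the attributes were re-added) can lead to two accounts sharing a UID or GID, which collapses file ownership between them. The following script is an added example and is not part of the SambaWiki page or of Samba: it parses LDIF text in the form that ldbsearch prints (for instance `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' objectClass uidNumber gidNumber`), reports duplicate IDs, and checks whether the stored counters are above every ID already assigned. The LDIF embedded in it is constructed sample data, and the counter values passed to `audit()` are assumed to be whatever you stored in the ypservers object.

```python
"""Check msSFU30MaxUidNumber / msSFU30MaxGidNumber against IDs already assigned.

Added example, not code from the SambaWiki page or from Samba. Feed it the LDIF
output of an ldbsearch over uidNumber/gidNumber (with objectClass) and the two
counter values you stored in CN=samdom,CN=ypservers,... as described above.
"""
from collections import defaultdict

# Constructed sample LDIF (not real directory output): two users, three groups,
# one GID assigned to two groups, and counters still at the 10000 default.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10000
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10003
gidNumber: 10000

dn: CN=unixusers,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10000

dn: CN=admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10005

dn: CN=staff,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10005

# returned 5 records
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attribute: [values]}}.

    Folds continuation lines (leading space), skips '#' comments, and keeps
    multi-valued attributes such as objectClass. Base64 ('::') values are not
    decoded; the numeric attributes checked here are never base64-encoded.
    """
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, dn, current = {}, None, None
    for line in folded + [""]:  # sentinel blank line flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = current
            dn, current = None, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr].append(value)
    return entries


def assigned_ids(entries, attr, object_class):
    """Map each numeric value of attr to the DNs of object_class objects using it.

    uidNumber is taken from user objects and gidNumber from group objects only;
    a user's gidNumber is its primary group and legitimately repeats a group's GID.
    """
    owners = defaultdict(list)
    for dn, attrs in entries.items():
        if object_class not in attrs.get("objectClass", []):
            continue
        for value in attrs.get(attr, []):
            owners[int(value)].append(dn)
    return owners


def check_counter(owners, next_value):
    """Compare a stored next-ID counter with the IDs already in use.

    Reports IDs shared by several objects and the smallest counter value that
    keeps every future suggestion above all IDs already assigned.
    """
    duplicates = {v: dns for v, dns in owners.items() if len(dns) > 1}
    highest = max(owners) if owners else None
    safe_next = next_value if highest is None or next_value > highest else highest + 1
    return {"duplicates": duplicates, "highest_in_use": highest,
            "counter_ok": safe_next == next_value, "safe_next": safe_next}


def audit(ldif_text, max_uid, max_gid):
    """Run both checks; max_uid/max_gid are the stored msSFU30Max* values."""
    entries = parse_ldif(ldif_text)
    return {"uid": check_counter(assigned_ids(entries, "uidNumber", "user"), max_uid),
            "gid": check_counter(assigned_ids(entries, "gidNumber", "group"), max_gid)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_LDIF, 10000, 10000), indent=2))
```

Run against the sample, both counters are reported as too low (10000 is already in use) and the GID 10005 shows up as shared by two groups; raising the counters with ldbedit to at least the reported `safe_next` values, and resolving the duplicate, brings the directory back to one ID per object.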