Difference between revisions of "Maintaining Unix Attributes in AD using ADUC"

m (Updated image file names)
(Updated link, Moved info about Unix attributes tab on W10/2016 to an important admonition)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
In the following we describe how to set/edit the RFC2307 attributes used by [[Idmap_config_ad|idmap_ad]]. This requires to have [[Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup|NIS extensions]] installed in your AD and [[Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers|RFC2307 enabled]] in each DCs smb.conf. Install the [[Installing RSAT|Remote Server Administration Tools (RSAT)]], if not already installed and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects will be done by the Domain Administrator, if you haven't set any [[Delegation/Account_management|delegations]]. Windows 10 users should notice that the "Unix Attributes" isn't part of the Active Directory User and Computers properties window. See [[Installing_RSAT#Note_about_RSAT_for_Windows_10_-_Server_for_NIS_Tools|Note about RSAT for Windows 10 - Server for NIS Tools]] for further details and workaround.
+
In the following we describe how to set/edit the RFC2307 attributes used by [[Idmap_config_ad|idmap_ad]]. This requires to have [[Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup|NIS extensions]] installed in your AD and [[Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers|RFC2307 enabled]] in each DCs smb.conf. Install the [[Installing RSAT|Remote Server Administration Tools (RSAT)]], if not already installed and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects will be done by the Domain Administrator, if you haven't set any [[Delegation/Account_management|delegations]].
 +
 
 +
{{Imbox
 +
| type = important
 +
| text = ADUC running on Windows 10 and Windows Server 2016 does no longer display the "Unix Attributes" tab in user or group properties. For details, see [[Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016|Missing Unix Attributes tab in ADUC on Windows 10 and Windows Server 2016]].
 +
}}
 +
 
 +
 
 +
 
 +
 
  
 
= Setting attributes on an user account =
 
= Setting attributes on an user account =

Revision as of 06:45, 1 June 2017

Introduction

In the following we describe how to set/edit the RFC2307 attributes used by idmap_ad. This requires to have NIS extensions installed in your AD and RFC2307 enabled in each DCs smb.conf. Install the Remote Server Administration Tools (RSAT), if not already installed and enable the advanced view ("View" / "Advanced features"). Modifications on user and group objects will be done by the Domain Administrator, if you haven't set any delegations.



Setting attributes on an user account

  • Open ADUC.
  • Right-click to a user account and choose properties.
  • Navigate to the "UNIX Attributes" tab.
Note: If you don't see this tab, you haven't installed the RSAT function "Server for NIS Tools".
  • When choosing the "NIS Domain", the other fields are getting enabled. Fill the values as required.
Hint: As primary group you can only choose groups, that have Unix attributes defined!
ADUC UNIX Attributes User.png
  • Click "OK" to save your changes.



Setting attributes on a group

  • Open ADUC.
  • Right-click to a group and choose properties.
  • Navigate to the "UNIX Attributes" tab.
Note: If the tab isn't visible, you haven't installed the RSAT function "Server for NIS Tools".
  • The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
Hint: It's not required to add users to the group in this tab! Winbind retrieve the account membership from the Windows groups (see "Member Of"-tab).
ADUC UNIX Attributes Groups.png
  • Click "OK" to save your changes.



Defining the next UID/GID to use

Everytime a UID/GID is assigned using Active Directory Users and Computers (ADUC), the next UID/GID is stored inside the Active Directory. By default, ADUC starts assigning UIDs and GIDs at 10000

If you have setup a new Samba AD and want to use a different start value, before using ADUC for the first time, you need to add the counting attributes first:

# ldbedit -H /usr/local/samba/private/sam.ldb -b \
  CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

With the same command you can change the values. E. g. if you require to start UIDs at 20000 and GIDs at 50000, adapt the values to your requirements:

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000