Difference between revisions of "User and Group management"

From SambaWiki
m (Corrected wrong <tt> tag)
m (/* added example of how to create Unix group)
 
(3 intermediate revisions by 3 users not shown)
Line 3: Line 3:
   
 
== Adding Users into Samba Active Directory ==
 
== Adding Users into Samba Active Directory ==
add / delete users with samba-tool
 
Unlike Samba 3, Samba 4 does not require a local Unix user for each Samba user that is created.
 
   
  +
You add / delete users with samba-tool
example to add an User + Login Profile for fbaggins
 
This assume ADSMmeber been samba AD master / KDC and ADSMmeber Been used as Member server that stire the profile and shares
 
   
  +
Unlike Samba 3, running Samba 4 as an AD DC or Unix AD domain member does not require a local Unix user for each Samba user that is created.
<pre>
 
  +
$ samba-tool user add fbaggins
 
  +
An example of adding a User + Login Profile for the user <code>fbaggins</code>
   --random-password --use-username-as-cn
 
  +
   --surname="Baggins" --given-name="Frodo"
 
  +
This assumes that ADSMember is being used as a Unix Member server that stores the profile and shares and the new users password will be <code>P4ssw0rd*</code>
   --initials=S --mail-address=fbaggins@SAM.DOMAIN.LOCAL.
 
  +
   --company="Hobbiton Inc." --script-path=shire.bat
 
  +
$ samba-tool user create fbaggins P4ssw0rd*
   --profile-path=\\\\ADSMmeber.SAM.DOMAIN.LOCAL\\profiles\\fbaggins
 
  +
--use-username-as-cn --surname="Baggins"
   --home-drive=F
 
  +
--given-name="Frodo" --initials=S
   --home-directory=\\\\ADSMmeber.SAM.DOMAIN.LOCAL\\fbaggins
 
  +
--mail-address=fbaggins@samdom.example.com
   --job-title="Goes there and back again"
 
  +
--company="Hobbiton Inc." --script-path=shire.bat
  +
--profile-path=\\\\ADSMember.samdom.example.com\\profiles\\fbaggins
  +
--home-drive=F
  +
--home-directory=\\\\ADSMember.samdom.example.com\\fbaggins
  +
--job-title="Goes there and back again"
   
</pre>
 
   
  +
{{Imbox
To inspect the allocated user ID and SID, use the following command:
 
  +
| type = note
  +
| text = You do not need to supply all of the above options when creating a new user. For details of available options, run <code>samba-tool user create --help</code> in a terminal.
  +
}}
  +
  +
  +
To inspect the allocated user ID and SID, use the following commands:
   
 
$ wbinfo --name-to-sid USERNAME
 
$ wbinfo --name-to-sid USERNAME
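Review bot: the new example passes the password as a positional argument (`samba-tool user create fbaggins P4ssw0rd*`) where the old text used `--random-password`. This puts the secret in shell history and in the process list, and the unquoted `*` is subject to shell glob expansion. Suggest keeping `--random-password`, or leaving the password off so that samba-tool prompts for it, and single-quoting any literal password that stays in the example. The option lines inside the `<pre>` block also have no trailing backslashes, so a reader who pastes the block as shown runs only the first line; add ` \` at the end of every line but the last.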
Line 30: Line 37:
 
3000011
 
3000011
   
If you want to change this mapping, then use <tt>ldbedit</tt> on the <tt>/var/lib/samba/private/idmap.ldb</tt>, as shown:
 
   
$ ldbedit -e emacs -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005
 
   
*Note: You can replace <tt>emacs</tt> with your editor of choice.
 
   
You will find records that look like this:
 
   
  +
=== samba-tool: Delete Users from Samba Active Directory ===
# record 1
 
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005
 
cn: S-1-5-21-4036476082-4153129556-3089177936-1005
 
objectClass: sidMap
 
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005
 
type: ID_TYPE_BOTH
 
xidNumber: 3000011
 
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005
 
   
  +
# samba-tool user delete username
If you change the <tt>xidNumber</tt> attribute and save your editor then exit,
 
then Samba will update the mapping to between the SID and the user
 
ID. Updating group mappings works in the same way.
 
   
  +
=== samba-tool: create a group in Samba Active Directory ===
   
  +
~# samba-tool group add groupname
  +
Added group groupname
   
  +
=== samba-tool: create a Unix group in Samba Active Directory ===
To create a Samba user, use the following command at ADSMmeber via ssh login as root :
 
   
  +
~# samba-tool group add groupname --nis-domain=samdom --gid-number=<next available GID>
$ samba-tool user add USERNAME
 
  +
Added group groupname
   
  +
=== samba-tool: delete a group from Samba Active Directory ===
   
  +
~# samba-tool group delete groupname
  +
Added group groupname
   
  +
=== samba-tool: add members to a group in Samba Active Directory ===
   
  +
~# samba-tool group addmembers "Domain Users" user[,otheruser[,thirduser[,...]]]
  +
Added members to group Domain Users
   
=== samba-tool- Delete Users from Samba Active Directory ===
+
=== samba-tool: remove members from a group in Samba Active Directory ===
   
  +
~# samba-tool group removemembers "Domain Users" user[,otheruser[,thirduser[,...]]]
# samba-tool user delete stduser
 
 
=== samba-tool -- create group from Samba Active Directory ===
 
 
<pre>
 
~# samba-tool group add stdgroup
 
Added group stdgroup
 
</pre>
 
 
=== samba-tool - delete group from Samba Active Directory ===
 
 
<pre>
 
~# samba-tool group delete stdgroup
 
Added group stdgroup
 
</pre>
 
 
=== samba-tool - group addmembers - Samba Active Directory ===
 
 
<pre>
 
~# samba-tool group removemembers "Domain Users" stduser
 
 
Removed members from group Domain Users
 
Removed members from group Domain Users
   
  +
=== samba-tool: list members of a group in Samba Active Directory ===
</pre>
 
   
=== samba-tool- group removemembers - Samba Active Directory ===
+
~# samba-tool group listmembers "Domain Users" | grep username
  +
user
   
  +
=== samba-tool: Create a user, create a group, add the user to the group in Samba Active Directory ===
<pre>
 
~# samba-tool group removemembers "Domain Users" stduser
 
Removed members from group Domain Users
 
   
  +
~# samba-tool user create username
</pre>
 
  +
User 'username' created successfully
 
 
=== samba-tool - group listmembers - Samba Active Directory ===
 
<pre>
 
~# samba-tool group listmembers "Domain Users" | grep stduser
 
stduser
 
</pre>
 
 
 
=== samba-tool - Create a user, create a group, add the user to the group - Samba Active Directory ===
 
 
<pre>
 
~# samba-tool user add stduser
 
User 'stduser' created successfully
 
 
 
~# samba-tool group add stdgroup
+
~# samba-tool group add groupname
Added group stdgroup
+
Added group groupname
  +
 
~# samba-tool group addmembers stdgroup stduser
+
~# samba-tool group addmembers groupname username
Added members to group stdgroup
+
Added members to group groupname
   
  +
----
</pre>
 
  +
[[Category:User Management]]
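Review bot: in the new "delete a group" section, the sample output under `~# samba-tool group delete groupname` reads `Added group groupname`, copied from the add example. It should read `Deleted group groupname`. In the new "list members" section the command greps for `username` but the output line shows `user`; use the same placeholder in both, and note that a plain `grep username` also matches longer names that contain it. In the "create a Unix group" line, `--gid-number=<next available GID>` is parsed by the shell as redirection if pasted literally, so mark it more clearly as a placeholder.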

Latest revision as of 11:21, 22 April 2020

User, Group and Computer account management with samba-tool

Adding Users into Samba Active Directory

You add and delete users with samba-tool.

Unlike Samba 3, running Samba 4 as an AD DC or Unix AD domain member does not require a local Unix user for each Samba user that is created.

An example of adding a User + Login Profile for the user fbaggins

This assumes that ADSMember is being used as a Unix member server that stores the profile and shares, and that the new user's password will be P4ssw0rd*

$ samba-tool user create fbaggins 'P4ssw0rd*' \
 --use-username-as-cn --surname="Baggins" \
 --given-name="Frodo" --initials=S \
 --mail-address=fbaggins@samdom.example.com \
 --company="Hobbiton Inc." --script-path=shire.bat \
 --profile-path=\\\\ADSMember.samdom.example.com\\profiles\\fbaggins \
 --home-drive=F \
 --home-directory=\\\\ADSMember.samdom.example.com\\fbaggins \
 --job-title="Goes there and back again"



To inspect the allocated user ID and SID, use the following commands:

$ wbinfo --name-to-sid USERNAME
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)

$ wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005
3000011



samba-tool: Delete Users from Samba Active Directory

# samba-tool user delete username

samba-tool: create a group in Samba Active Directory

~# samba-tool group add groupname
Added group groupname

samba-tool: create a Unix group in Samba Active Directory

~# samba-tool group add groupname --nis-domain=samdom --gid-number=<next available GID>
Added group groupname

samba-tool: delete a group from Samba Active Directory

~# samba-tool group delete groupname
Deleted group groupname

samba-tool: add members to a group in Samba Active Directory

~# samba-tool group addmembers "Domain Users" user[,otheruser[,thirduser[,...]]]
Added members to group Domain Users

samba-tool: remove members from a group in Samba Active Directory

~# samba-tool group removemembers "Domain Users" user[,otheruser[,thirduser[,...]]]
Removed members from group Domain Users

samba-tool: list members of a group in Samba Active Directory

~# samba-tool group listmembers "Domain Users" | grep username
username

samba-tool: Create a user, create a group, add the user to the group in Samba Active Directory

~# samba-tool user create username
  User 'username' created successfully

~# samba-tool group add groupname
 Added group groupname

~# samba-tool group addmembers groupname username
 Added members to group groupname
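
The three steps above as a re-runnable script, with an exact-match membership check in place of the substring `grep`. This is an added example, not SambaWiki's own code. The function names and the `SAMBA_TOOL` override (for pointing the functions at a stand-in command) are assumptions introduced here.

```sh
#!/bin/sh
# Added example: create user, create group, add member, skipping any step
# that is already done. SAMBA_TOOL is an assumed override for dry runs.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# has_entry KIND NAME: KIND is "user" or "group". Succeeds only when NAME
# appears as a whole line in `samba-tool KIND list`.
has_entry() {
    $SAMBA_TOOL "$1" list | grep -Fxq -- "$2"
}

# is_member GROUP USER: whole-line, fixed-string match. A plain
# `grep username` would also report success for "username2".
is_member() {
    $SAMBA_TOOL group listmembers "$1" | grep -Fxq -- "$2"
}

# ensure_member GROUP USER: add USER only when missing, then re-check the
# membership instead of trusting the tool's success message.
ensure_member() {
    if is_member "$1" "$2"; then
        echo "unchanged"
        return 0
    fi
    $SAMBA_TOOL group addmembers "$1" "$2" >/dev/null || return 1
    is_member "$1" "$2" && echo "added"
}

# provision USER GROUP: prints "added" or "unchanged" for the membership.
# --random-password keeps a literal password out of the command line.
provision() {
    has_entry user "$1" ||
        $SAMBA_TOOL user create "$1" --random-password >/dev/null || return 1
    has_entry group "$2" ||
        $SAMBA_TOOL group add "$2" >/dev/null || return 1
    ensure_member "$2" "$1"
}

# Usage on a DC, as root:  provision username groupname
```
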