Web lists-archives.com

Re: [Samba] User management scripts in AD mode...




On Fri, 23 Jun 2017 17:34:48 +0200
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> Sorry, i come back to that:
> 
> > Not sure what you are getting at here, if you add a user to a group
> > in AD, you not only get a record in the group object, you also get a
> > record in the users object
> > 
> > dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > .....
> > member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > 
> > dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > .....
> > memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > 
> > So you don't have to modify the user at all, again samba-tool can do
> > things like this for you, see 'samba-tool group --help'
> 
> Because i've not clear how group management works in AD. I'm using
> 'Active Directory Users and Computers', so i think a pretty standard
> tool. Some question.
> 
> a) i've not found 'member' in user object.
> 
> b) membership are accounted in groups via the 'member' field in group
>  object. Membership are expressed as full user DN.
> 
> c) if, for the group object, i add some member in 'UNIX Attributes',
>  they are not saved (eg, if i add some user and i do 'Apply' and then
> 'OK', if i came back to the group, UNIX attributes membership are
> empty.
> 
> d) if, for a user, i set a primary group in 'Member of' (NOT UNIX
>  attributes), user object get a 'primaryGroupID' data with the RID of
> the group, and DESAPPEAR the relative data 'member' in the group.
> Argh!
> 
> 
> So, seems to me that:
> 
> 1) probably for my fault, some of the UNIX data (eg, group membership)
>  does not work. I think also can be irrilevant, because winbind/sssd
> get unix membership by other way (eg, ''windows'' mempership and not
> UNIX/rfc2203 ones).
> 
> 2) if i need to know what users belog to group 'X', i've to catch all
>  DN listed in 'member' of that group, AND all users that have
> as 'primaryGroupID' the RID of the group.
> 
> 
> I'm again a bit confused... ;-(((
> 

Yes I can see that ;-)
I can also see why, your problem is that you are using the Unix
attributes tab.

Lets see if can explain this ;-)

First and foremost, all your users are Windows users and your groups
are the same.

When you want a user to be a Unix user as well, you add the required
RFC2307 attributes, the same goes for groups.

Just use the 'Unix attributes' tab to add the required attributes and,
if you are using a version of Samba before 4.6.0, Ensure the primary
group is set to Domain Users, from 4.6.0, you can change it to any
group that has a gidNumber.

If you create a group, lets call ours 'unixgroup', you would first
create it as a Windows group, you would then add a gidNumber attribute
using the 'Unix attributes' tab for the group. The group 'unixgroup'
would then be a Windows group AND a Unix group.

Now this is where you are going wrong, you do not add Unix users to
a Unix group by using a 'Unix attributes' tab, you can, but it will
not do anything from a Unix perspective (or Windows, come to that). 

Remember what I said about all users & groups being Windows ones ? Just
add the Windows/Unix users to the Windows/Unix group using the standard
Windows tools and Unix will see them as Unix users of Unix groups

So, to shorten the above:
Create user & groups
Extend to Unix users & groups with the 'Unix attributes' tab
Pretend they are just Windows users when adding the users to a group.

Hope this helps, but feel free to ask any questions.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba