
[Samba] creating new users - missing uidNumber


Stefan G. Weichinger via samba

Feb 1, 2017, 6:00:03 AM

Customer admin added 2 users via the Windows "users and groups" tool.

These 2 couldn't connect to an ADS member server.

My observation:

their xidnumber was way higher than that of an existing/working user
and they missed the attribute uidNumber

I did an ldbedit and added uidnumbers, now it works.

How to make that work from start?


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

Feb 1, 2017, 6:30:02 AM

On Wed, 1 Feb 2017 11:48:44 +0100
"Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:

>
> Customer admin added 2 users via the Windows "users and groups" tool.
>
> These 2 couldn't connect to an ADS member server.
>
> My observation:
>
> their xidnumber was way higher than that of an existing/working user
> and they missed the attribute uidNumber
>
> I did an ldbedit and added uidnumbers, now it works.
>
> How to make that work from start?
>
>

ADUC never added uidNumbers automatically, you had to use the Unix
Attributes tab, but this no longer exists on windows 10, you have to
use the 'attributes' tab

The only way (that I know) to create a user with a uidNumber, is to
use samba-tool, run 'samba-tool user create --help' for more info.

Rowland

Stefan G. Weichinger via samba

Feb 1, 2017, 8:40:03 AM

On 2017-02-01 at 12:19, Rowland Penny via samba wrote:

> ADUC never added uidNumbers automatically, you had to use the Unix
> Attributes tab, but this no longer exists on windows 10, you have to
> use the 'attributes' tab
>
> The only way (that I know) to create a user with a uidNumber, is to
> use samba-tool, run 'samba-tool user create --help' for more info.

So samba-tool is the way to go?
I had the impression that even a testuser created with that did miss
that attribute ... I will check then asap.

thanks

L.P.H. van Belle via samba

Feb 1, 2017, 9:00:02 AM

And a good read here:

https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Wednesday, 1 February 2017 14:49
> To: sa...@lists.samba.org
> Subject: Re: [Samba] creating new users - missing uidNumber
>
> On Wed, 1 Feb 2017 14:33:09 +0100
> "Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:
>
> > On 2017-02-01 at 12:19, Rowland Penny via samba wrote:
> >
> > > ADUC never added uidNumbers automatically, you had to use the Unix
> > > Attributes tab, but this no longer exists on windows 10, you have to
> > > use the 'attributes' tab
> > >
> > > The only way (that I know) to create a user with a uidNumber, is to
> > > use samba-tool, run 'samba-tool user create --help' for more info.
> >
> > So samba-tool is the way to go?
> > I had the impression that even a testuser created with that did miss
> > that attribute ... I will check then asap.
> >
> > thanks
> >
> >
>
> If you just run 'samba-tool user create testuser' you will get a user
> without a uidNumber. See example5 from 'samba-tool user create --help'
> for how to create a user with a uidNumber, but there is a gotcha, you
> will need to track the next uidNumber or gidNumber yourself.
>
> Rowland

Rowland Penny via samba

Feb 1, 2017, 9:00:03 AM

On Wed, 1 Feb 2017 14:33:09 +0100
"Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:

> On 2017-02-01 at 12:19, Rowland Penny via samba wrote:
>
> > ADUC never added uidNumbers automatically, you had to use the Unix
> > Attributes tab, but this no longer exists on windows 10, you have to
> > use the 'attributes' tab
> >
> > The only way (that I know) to create a user with a uidNumber, is to
> > use samba-tool, run 'samba-tool user create --help' for more info.
>
> So samba-tool is the way to go?
> I had the impression that even a testuser created with that did miss
> that attribute ... I will check then asap.
>
> thanks
>
>

If you just run 'samba-tool user create testuser' you will get a user
without a uidNumber. See example5 from 'samba-tool user create --help'
for how to create a user with a uidNumber, but there is a gotcha, you
will need to track the next uidNumber or gidNumber yourself.

Rowland

Stefan G. Weichinger via samba

Feb 1, 2017, 9:30:02 AM

On 2017-02-01 at 14:53, L.P.H. van Belle via samba wrote:
> And a good read here:
>
> https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

will read in the next days, thanks

Stefan G. Weichinger via samba

Feb 1, 2017, 9:30:02 AM

On 2017-02-01 at 14:49, Rowland Penny via samba wrote:

> If you just run 'samba-tool user create testuser' you will get a user
> without a uidNumber. See example5 from 'samba-tool user create --help'
> for how to create a user with a uidNumber, but there is a gotcha, you
> will need to track the next uidNumber or gidNumber yourself.

yes, we figured that out and tested it already, thanks

I will write some script or alias to read the highest uidnumber from
LDAP for their admin.

A bit strange to have to do that, but it seems to be so for samba domain
servers, right?

Rowland Penny via samba

Feb 1, 2017, 9:40:03 AM

On Wed, 1 Feb 2017 15:20:47 +0100
"Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:

> On 2017-02-01 at 14:49, Rowland Penny via samba wrote:
>
> > If you just run 'samba-tool user create testuser' you will get a
> > user without a uidNumber. See example5 from 'samba-tool user create
> > --help' for how to create a user with a uidNumber, but there is a
> > gotcha, you will need to track the next uidNumber or gidNumber
> > yourself.
>
> yes, we figured that out and tested it already, thanks
>
> I will write some script or alias to read the highest uidnumber from
> LDAP for their admin.
>
> A bit strange to have to do that, but it seems to be so for samba
> domain servers, right?
>
>
>

You don't need to do that, there are a couple of attributes (which you
will probably not have) which will store the next uid & gidNumber.
These are 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' and they
should/can be here:
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Rowland
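The allocation Rowland describes here, and the "track the next uidNumber yourself" gotcha from his earlier reply about 'samba-tool user create' example5, as an added POSIX shell example (not code from the thread or from the Samba project): it takes the next uidNumber from msSFU30MaxUidNumber when that attribute exists, otherwise falls back to the highest existing uidNumber plus one (the script Stefan planned to write), prints the example5-style samba-tool command, and emits the LDIF that advances the counter so ADUC and samba-tool stay in step. The ypServ30 DN and NIS domain name are the ones quoted above; the sam.ldb path, the gidNumber 10000 of the primary group, the 10000 fallback base and the embedded ldbsearch output are assumptions or constructed sample data. Without arguments it runs on the constructed sample; with --live it reads sam.ldb on a DC.

```shell
#!/bin/sh
# Added example, not from the thread: allocate the next uidNumber the way
# ADUC's Unix Attributes tab does, build the samba-tool command and the
# LDIF that advances the counter. Assumptions are marked as such.

NIS_DOMAIN="samdom"                                   # from the DN quoted in the thread
SAM_DB="${SAM_DB:-/usr/local/samba/private/sam.ldb}"  # assumed sam.ldb path on the DC
YPSERV_DN="CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com"
FALLBACK_BASE=10000   # constructed: first uidNumber handed out when the domain has none yet

# Largest numeric value of attribute $1 in ldbsearch LDIF read from stdin
# ("attr: value" lines; "dn:" and "# ..." lines are skipped). Prints 0 if absent.
ldif_max() {
    awk -v key="$1:" '$1 == key && $2 ~ /^[0-9]+$/ { if ($2 + 0 > m) m = $2 + 0 }
                      END { print m + 0 }'
}

# Next uidNumber to assign. $1 = LDIF of the ypServ30 object (empty when the
# msSFU30 attributes were never created), $2 = LDIF of every object carrying a
# uidNumber. The counter wins; otherwise highest existing + 1; otherwise the base.
next_uid() {
    counter=$(printf '%s\n' "$1" | ldif_max msSFU30MaxUidNumber)
    if [ "$counter" -gt 0 ]; then
        echo "$counter"
        return 0
    fi
    highest=$(printf '%s\n' "$2" | ldif_max uidNumber)
    if [ "$highest" -gt 0 ]; then
        echo $((highest + 1))
    else
        echo "$FALLBACK_BASE"
    fi
}

# example5-style 'samba-tool user create' line: $1 = username, $2 = uidNumber,
# $3 = gidNumber of the primary group. --random-password keeps the password
# off the command line; set a real one afterwards with 'samba-tool user setpassword'.
create_cmd() {
    printf '%s' "samba-tool user create $1 --random-password --nis-domain=$NIS_DOMAIN --unix-home=/home/$1 --login-shell=/bin/bash --uid-number=$2 --gid-number=$3"
}

# LDIF for ldbmodify that stores $1 as the next free uidNumber in the counter
# ADUC reads, so users created from either tool never collide.
bump_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n' "$YPSERV_DN" "$1"
}

if [ "${1:-}" = "--live" ]; then
    # On a DC (as root): read both inputs straight from sam.ldb.
    COUNTER_LDIF=$(ldbsearch -H "$SAM_DB" -b "$YPSERV_DN" -s base '(objectClass=*)' msSFU30MaxUidNumber 2>/dev/null)
    USERS_LDIF=$(ldbsearch -H "$SAM_DB" '(uidNumber=*)' uidNumber)
else
    # Constructed sample output standing in for the two ldbsearch calls above.
    COUNTER_LDIF='dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 10005
msSFU30MaxGidNumber: 10000'
    USERS_LDIF='dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10003

# returned 2 records'
fi

NEW_USER="${NEW_USER:-testuser}"
PRIMARY_GID=10000   # assumed gidNumber of the primary group (e.g. Domain Users)
UID_NEW=$(next_uid "$COUNTER_LDIF" "$USERS_LDIF")

echo "# run on the DC:"
create_cmd "$NEW_USER" "$UID_NEW" "$PRIMARY_GID"; echo
echo "# then advance the counter (ldbmodify -H $SAM_DB < bump.ldif):"
bump_ldif $((UID_NEW + 1))
```

The script only prints the commands so the admin can review them before running anything against sam.ldb. The point of writing the counter back is the one the thread circles around: if two accounts end up with the same uidNumber, every Samba member server treats them as the same Unix identity for file ownership and ACLs, so whichever tool creates the account, the counter (or a scan of existing uidNumbers) has to be consulted and updated in the same step.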

Stefan G. Weichinger via samba

Feb 2, 2017, 5:10:03 AM

On 2017-02-01 at 15:32, Rowland Penny via samba wrote:

> You don't need to do that, there are a couple of attributes (which you
> will probably not have) which will store the next uid & gidNumber.
> these are 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' and they
> should/can be here:
> dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Well, I have to "grep" them somewhere as well, right?
Or can I point their admin to some spot in his Windows-Tools (RSAT) to
read that?

feels a bit strange to have to take care of these details

I mean, ADS stores dozens of awkward values etc and then I as admin have
to keep track of that one attribute?

sorry, no ranting, just wondering.
thanks for your help.

Rowland Penny via samba

Feb 2, 2017, 5:30:03 AM

On Thu, 2 Feb 2017 11:01:06 +0100
"Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:

> On 2017-02-01 at 15:32, Rowland Penny via samba wrote:
>
> > You don't need to do that, there are a couple of attributes (which
> > you will probably not have) which will store the next uid &
> > gidNumber. these are 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber'
> > and they should/can be here:
> > dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>
> Well, I have to "grep" them somewhere as well, right?
> Or can I point their admin to some spot in his Windows-Tools (RSAT) to
> read that?
>
> feels a bit strange to have to take care of these details
>
> I mean, ADS stores dozens of awkward values etc and then I as admin
> have to keep track of that one attribute?
>
> sorry, no ranting, just wondering.
> thanks for your help.
>
>

If you use the Unix Attributes tab on ADUC, these are the attributes
that are used, but ADUC has the code to use them, samba-tool doesn't!

Rowland

Stefan G. Weichinger via samba

Feb 2, 2017, 6:00:03 AM

On 2017-02-02 at 11:25, Rowland Penny via samba wrote:

> If you use the Unix Attributes tab on ADUC, these are the attributes
> that are used, but ADUC has the code to use them, samba-tool doesn't!

I (try to) see it from the user perspective:

I as user want to create users that work in all my ADS-domain, on all of
my samba-domain-member-servers, with as little overhead or additional
administrative steps necessary.

And I ask for how to do that.

If we have to create users on ADUC, ok with me.
If it is better to create them with samba-tool, ok as well.

-> searching for the recommended way or "best practice"

Rowland Penny via samba

Feb 2, 2017, 6:20:03 AM

On Thu, 2 Feb 2017 11:55:11 +0100
"Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:

> On 2017-02-02 at 11:25, Rowland Penny via samba wrote:
>
> > If you use the Unix Attributes tab on ADUC, these are the attributes
> > that are used, but ADUC has the code to use them, samba-tool
> > doesn't!
>
> I (try to) see it from the user perspective:
>
> I as user want to create users that work in all my ADS-domain, on all
> of my samba-domain-member-servers, with as little overhead or
> additional administrative steps necessary.
>
> And I ask for how to do that.
>
> If we have to create users on ADUC, ok with me.
> If it is better to create them with samba-tool, ok as well.
>
> -> searching for the recommended way or "best practice"
>

Sorry, but you are preaching to the converted here ;-)

I have proposed patches to make samba-tool work more like ADUC, but
they have been rejected because 'we want to do something different',
but the 'different way' never appears.

Rowland

mj via samba

Feb 2, 2017, 6:30:03 AM

Hi,

On 02/02/2017 11:55 AM, Stefan G. Weichinger via samba wrote:
> If we have to create users on ADUC, ok with me.
> If it is better to create them with samba-tool, ok as well.

We have been using ADUC for years now. Working out nicely. ;-)

As an alternative, we were using ldap-account-manager (lam) for our
samba3 domain and samba4 AD in the past, and it also did a good job.

MJ

Stefan G. Weichinger via samba

Feb 2, 2017, 9:30:03 AM

On 2017-02-02 at 12:11, Rowland Penny via samba wrote:
> On Thu, 2 Feb 2017 11:55:11 +0100
> "Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:
>> -> searching for the recommended way or "best practice"

> Sorry, but you are preaching to the converted here ;-)
>
> I have proposed patches to make samba-tool work more like ADUC, but
> they have been rejected because 'we want to do something different',
> but the 'different way' never appears.

Oh, I see. So I am not the lazy user not willing to understand ;-)

Stefan G. Weichinger via samba

Feb 2, 2017, 9:30:03 AM

On 2017-02-02 at 12:19, mj via samba wrote:
> Hi,
>
> On 02/02/2017 11:55 AM, Stefan G. Weichinger via samba wrote:
>> If we have to create users on ADUC, ok with me.
>> If it is better to create them with samba-tool, ok as well.
>
> We have been using ADUC for years now. Working out nicely. ;-)

without uidNumber?
Or by setting it manually in that tab somewhere? Haven't seen it yet
myself because the installation is remote and no time for that so far
(and their admin is off today etc etc)

> As an alternative, we were using ldap-account-manager (lam) for our
> samba3 domain and samba4 AD in the past, and it also did a good job.

Ah, a web frontend. Might be worth a look.

mj via samba

Feb 2, 2017, 10:50:02 AM


On 02/02/2017 03:25 PM, Stefan G. Weichinger via samba wrote:
> Or by setting it manually in that tab somewhere?
Yes, that.

I guess in future ADUC versions, we will start having problems with
that, as microsoft is no longer providing the unix extensions for aduc.

For now it works nicely.

MJ

Jeremy Allison via samba

Feb 2, 2017, 2:00:05 PM

On Thu, Feb 02, 2017 at 11:11:29AM +0000, Rowland Penny via samba wrote:
> On Thu, 2 Feb 2017 11:55:11 +0100
> "Stefan G. Weichinger via samba" <sa...@lists.samba.org> wrote:
>
> > On 2017-02-02 at 11:25, Rowland Penny via samba wrote:
> >
> > > If you use the Unix Attributes tab on ADUC, these are the attributes
> > > that are used, but ADUC has the code to use them, samba-tool
> > > doesn't!
> >
> > I (try to) see it from the user perspective:
> >
> > I as user want to create users that work in all my ADS-domain, on all
> > of my samba-domain-member-servers, with as little overhead or
> > additional administrative steps necessary.
> >
> > And I ask for how to do that.
> >
> > If we have to create users on ADUC, ok with me.
> > If it is better to create them with samba-tool, ok as well.
> >
> > -> searching for the recommended way or "best practice"
> >
>
> Sorry, but you are preaching to the converted here ;-)
>
> I have proposed patches to make samba-tool work more like ADUC, but
> they have been rejected because 'we want to do something different',
> but the 'different way' never appears.

Please don't be discouraged (sorry). Try again proposing
the patch ('cos it's dropped off my inbox list) and let's
get the discussion going again.

Working code should trump imaginary design work :-).

Will be a bit intermittent responding for the next
week or so, I'm out at FOSDEM and then visiting
family in Sheffield (sorry I can't get to visit,
time schedule is very strict this time, and I
have my brother's family computers to fix :-).

Cheers,

Jeremy.

Rowland Penny via samba

Feb 2, 2017, 2:10:03 PM

Hi Jeremy, the problem wasn't the code so much, there wasn't anything
like 'this could be better' or 'try doing it this way', it was 'we
should do it another way because of multiple domains and all of them
possibly having the same range', even though this is how ADUC works now.

Rowland