Re: [Samba] [PATCH] allow to create Unix-UID/SID mapping in samba-tool user create

2012-09-27 Thread Alexander Wuerstlein
On Tue, 25 Sep 2012 15:49:11 +1000
Andrew Bartlett abart...@samba.org wrote:

 On Tue, 2012-09-25 at 00:19 +0200, Alexander Wuerstlein wrote:
  From: Alexander Wuerstlein a...@arw.name
  
  Reads Unix UID from NSS or commandline and creates a
  UID/SID mapping when creating a new user.
 
 As Gémes Géza mentions this really needs to honour idmap_ldb:use
 rfc2307 = yes and set it in the sam.ldb if that is set, and while
 useful in the general case, for the case you are targeting, the
 classicupgrade will work better.

Classicupgrade would only handle the initial import, not later addition
of users which is the more frequent case here. But idmap_ldb:use
rfc2307 = yes seems to work fine, and it seems to be a lot less ugly
than fiddling with idmap.ldb.

I'll try to get samba-tool to create the RFC2307 attributes and send a
patch if it's not too ugly.


Ciao,

Alexander Wuerstlein.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] [PATCH] allow to create Unix-UID/SID mapping in samba-tool user create

2012-09-25 Thread Gémes Géza

On 2012-09-25 11:58, Alexander Wuerstlein wrote:

On Tue, 25 Sep 2012 15:49:11 +1000
Andrew Bartlett abart...@samba.org wrote:


On Tue, 2012-09-25 at 00:19 +0200, Alexander Wuerstlein wrote:

From: Alexander Wuerstlein a...@arw.name

Reads Unix UID from NSS or commandline and creates a
UID/SID mapping when creating a new user.

As Gémes Géza mentions this really needs to honour idmap_ldb:use
rfc2307 = yes and set it in the sam.ldb if that is set, and while
useful in the general case, for the case you are targeting, the
classicupgrade will work better.

Classicupgrade would only handle the initial import, not later addition
of users which is the more frequent case here. But idmap_ldb:use
rfc2307 = yes seems to work fine, and it seems to be a lot less ugly
than fiddling with idmap.ldb.

I'll try to get samba-tool to create the RFC2307 attributes and send a
patch if it's not too ugly.


Ciao,

Alexander Wuerstlein.

Hi,

Just a suggestion:

In my homemade (I hadn't time to develop a proper patch with tests) bash 
scripts I look for the RID part of the newly created user's SID and 
search for the uidNumber and gidNumber attributes with that value. If 
none is found, assign it as uidNumber or gidNumber depending on whether a user 
or group is going to be created. If the given RID has been assigned as 
a uidNumber or gidNumber, increment it and then try again, until it 
isn't in use.


Cheers

Geza Gemes
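The allocation rule Géza describes above (take the RID of the new object's SID, check it against every existing uidNumber and gidNumber, and step upwards until a free value is found), written out as an added illustration; this is not code from the thread or from samba-tool, the directory is a constructed in-memory stand-in for the LDAP search, and all names are assumptions of mine.

```python
import re

# Domain SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>; the trailing RID is
# the per-object part that Géza's scripts reuse as the Unix id.
_DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID of a domain SID, rejecting anything that is not one."""
    match = _DOMAIN_SID.match(sid)
    if match is None:
        raise ValueError("not a domain SID: %r" % sid)
    return int(match.group(1))


def in_use_filter(number: int) -> str:
    """LDAP filter matching any entry whose uidNumber or gidNumber is `number`.
    The value is formatted as an int, so no filter metacharacters can get in."""
    return "(|(uidNumber=%d)(gidNumber=%d))" % (number, number)


class FakeDirectory:
    """Constructed stand-in for sam.ldb: real code would run in_use_filter()
    against the directory instead of consulting these two sets."""

    def __init__(self, uids=(), gids=()):
        self.ids = {"uidNumber": set(uids), "gidNumber": set(gids)}

    def in_use(self, number: int) -> bool:
        # Both attributes are checked, whichever kind of object is being created,
        # so a uid never silently collides with an existing gid or vice versa.
        return any(number in values for values in self.ids.values())

    def assign(self, attr: str, number: int) -> None:
        self.ids[attr].add(number)


def allocate_unix_id(directory, sid: str, kind: str, max_probe: int = 10000) -> int:
    """Choose the uidNumber (kind='user') or gidNumber (kind='group') for the
    object with `sid`: start at its RID and step past values already taken."""
    attr = {"user": "uidNumber", "group": "gidNumber"}[kind]
    candidate = rid_from_sid(sid)
    for _ in range(max_probe):
        if not directory.in_use(candidate):
            directory.assign(attr, candidate)
            return candidate
        candidate += 1
    raise RuntimeError("no free id within %d of the RID" % max_probe)
```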

[Samba] [PATCH] allow to create Unix-UID/SID mapping in samba-tool user create

2012-09-24 Thread Alexander Wuerstlein
From: Alexander Wuerstlein a...@arw.name

Reads Unix UID from NSS or commandline and creates a
UID/SID mapping when creating a new user.
---
 source4/scripting/python/samba/netcmd/user.py |   38 
 1 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/source4/scripting/python/samba/netcmd/user.py 
b/source4/scripting/python/samba/netcmd/user.py
index 1172f4e..44a37fd 100644
--- a/source4/scripting/python/samba/netcmd/user.py
+++ b/source4/scripting/python/samba/netcmd/user.py
@@ -22,6 +22,8 @@ import ldb
 from getpass import getpass
 from samba.auth import system_session
 from samba.samdb import SamDB
+from samba.idmap import IDmapDB
+import pwd
 from samba import (
 dsdb,
 gensec,
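Review bot: `import pwd` is a standard-library import dropped in between the `from samba...` imports; move it up next to `from getpass import getpass` so the stdlib and samba groups stay separate. Also note that `pwd` queries NSS on the machine running samba-tool, so the looked-up UID is only meaningful for the DC whose idmap.ldb this command writes, which is worth a comment at the import or at the use site.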
@@ -48,6 +50,8 @@ A user account enables a user to logon to a computer and 
domain with an identity
 
 The command may be run from the root userid or another authorized userid.  The 
-H or --URL= option can be used to execute the command against a remote server.
 
+With --match-unix-uid a SID/UID-mapping is created for the new user which is 
used to map filesystem permissions from Unix filesystems to Windows. 
Optionally, a UID can be explicitly given via --unix-uid, without an explicit 
UID NSS is used to obtain the UID if possible. Creation of a SID/UID-mapping is 
not possible when running samba-tool on a remote server.
+
 Example1:
 samba-tool user add User1 passw0rd --given-name=John --surname=Smith 
--must-change-at-next-login -H ldap://samba.samdom.example.com 
-Uadministrator%passw1rd
 
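Review bot: the new help paragraph leaves two behaviours undocumented: what happens when `--match-unix-uid` is given without `--unix-uid` and NSS has no entry for the user (error out, or create the user without a mapping?), and which idmap database gets the mapping (the local idmap.ldb of the host running samba-tool). The second sentence is also a run-on; suggest "Optionally, a UID can be given explicitly via --unix-uid; without it, NSS is used to obtain the UID if possible."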
@@ -63,6 +67,11 @@ samba-tool user add User3 passw3rd --userou=OrgUnit
 
 Example3 shows how to create a new user in the OrgUnit organizational unit.
 
+Example4:
+samba-tool user create unixgod passw4rd --match-unix-uid --unix-uid 31337
+
+Example4 shows how to create a new user and map his windows SID to his Unix 
UID 31337.
+
 
 synopsis = %prog username [password] [options]
 
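Review bot: Example4 invokes `samba-tool user create` while Examples 1 to 3 use `samba-tool user add`; use the same command name as the neighbouring examples so readers do not wonder whether these are different commands. Minor wording: "windows SID" should be "Windows SID", and "map his windows SID to his Unix UID 31337" reads better as "map the user's Windows SID to Unix UID 31337".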
@@ -96,6 +105,8 @@ Example3 shows how to create a new user in the OrgUnit 
organizational unit.
 Option(--internet-address, help=User's home page, type=str),
 Option(--telephone-number, help=User's phone number, type=str),
 Option(--physical-delivery-office, help=User's office location, 
type=str),
+Option(--match-unix-uid, help=Set User's Unix UID from NSS or from 
--unix-uid, action=store_true),
+Option(--unix-uid, help=Unix UID of the new user, type=str),
 ]
 
 takes_args = [username, password?]
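Review bot: `--unix-uid` is declared with `type=str`, so a non-numeric value passes option parsing and only fails later wherever the value is converted for idmap; declare it `type=int` so optparse rejects bad input at the command line with a clear message. The help string for `--match-unix-uid` should also say it is only usable against the local server, as the description text above claims.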
@@ -107,13 +118,12 @@ Example3 shows how to create a new user in the OrgUnit 
organizational unit.
 }
 
 def run(self, username, password=None, credopts=None, sambaopts=None,
-versionopts=None, H=None, must_change_at_next_login=False,
-random_password=False, use_username_as_cn=False, userou=None,
-surname=None, given_name=None, initials=None, profile_path=None,
-script_path=None, home_drive=None, home_directory=None,
+versionopts=None, H=None, must_change_at_next_login=False, 
random_password=False,
+use_username_as_cn=False, userou=None, surname=None, 
given_name=None, initials=None,
+profile_path=None, script_path=None, home_drive=None, 
home_directory=None,
 job_title=None, department=None, company=None, description=None,
-mail_address=None, internet_address=None, telephone_number=None,
-physical_delivery_office=None):
+mail_address=None, internet_address=None, telephone_number=None, 
physical_delivery_office=None,
+match_unix_uid=False, unix_uid=None):
 
 if random_password:
 password = generate_random_password(128, 255)
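Review bot: this hunk rewraps the entire `run()` signature although only the two trailing keyword arguments `match_unix_uid=False, unix_uid=None` are new; keep the existing line breaks and append the new parameters so the diff shows just the real change instead of hiding it among reflow noise.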
@@ -133,12 +143,26 @@ Example3 shows how to create a new user in the OrgUnit 
organizational unit.
 try:
 samdb = SamDB(url=H, session_info=system_session(),
   credentials=creds, lp=lp)
-samdb.newuser(username, password, 
force_password_change_at_next_login_req=must_change_at_next_login,
+samdb.newuser(username, password,
+  
force_password_change_at_next_login_req=must_change_at_next_login,
   useusernameascn=use_username_as_cn, userou=userou, 
surname=surname, givenname=given_name, initials=initials,
   profilepath=profile_path, homedrive=home_drive, 
scriptpath=script_path, homedirectory=home_directory,
   jobtitle=job_title, department=department, 
company=company, description=description,
   mailaddress=mail_address, 
internetaddress=internet_address,
   telephonenumber=telephone_number, 
physicaldeliveryoffice=physical_delivery_office)
+if match_unix_uid:
+   idmap = IDmapDB(lp=lp)
+   sids = samdb.search(samdb.get_default_basedn(), 
scope=ldb.SCOPE_SUBTREE,
+   expression=(((objectClass=user)(samaccountname=%s)) 
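Review bot: `IDmapDB(lp=lp)` is opened whenever `--match-unix-uid` is set, regardless of whether `-H` points at a remote server, even though the new help text says the mapping is not possible remotely; add an explicit check that refuses `--match-unix-uid` (or at least warns) when `H` names a remote URL, so the local idmap.ldb is not silently updated for a user that was created on another DC. The search filter also interpolates `username` directly into `(samaccountname=%s)`; pass it through `ldb.binary_encode(username)` so a name containing filter metacharacters cannot alter the query. Finally, the `samdb.newuser(...)` call is rewrapped as well; as with the signature hunk, keep the original wrapping so only the new `if match_unix_uid:` block shows up as changed.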

Re: [Samba] [PATCH] allow to create Unix-UID/SID mapping in samba-tool user create

2012-09-24 Thread Andrew Bartlett
On Tue, 2012-09-25 at 00:19 +0200, Alexander Wuerstlein wrote:
 From: Alexander Wuerstlein a...@arw.name
 
 Reads Unix UID from NSS or commandline and creates a
 UID/SID mapping when creating a new user.

As Gémes Géza mentions this really needs to honour idmap_ldb:use rfc2307
= yes and set it in the sam.ldb if that is set, and while useful in the
general case, for the case you are targeting, the classicupgrade will
work better.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org

