

Getting AD Lookup to work without UNIX Attributes tab


The previous post talks about how to get the UNIX Attributes tab to work without installing the IdMU components. In this post, I would like to talk about which attributes the NFS components expect to be populated in AD on user and group objects before they can recognize them and use the information.

The UNIX Attributes tab populates a lot of other attributes because it is primarily designed to help administrators fill in the attributes needed to build the NIS maps. The NFS components look up only the uidNumber and gidNumber attributes for a user, and only the gidNumber attribute for a group. None of the other attributes need to have any values.

If we set the UNIX Attributes tab aside, we have two options for populating these attributes: programmatically, or with the ADSIEdit MMC snap-in.

Using the ADSIEdit snap-in is feasible when you don't have a lot of objects to work with and the task is not repetitive. Follow the steps below to populate these attributes using ADSIEdit -

  • In the Run... dialog box, type ADSIEdit.msc and press Enter
  • Right click on the ADSI Edit item in the snap-in and select Connect to...
  • Under the Connection Point section, check the Select a well known Naming Context radio button and from the drop down box, select Default naming context and click on OK
  • Expand Default naming context and then your domain container
  • Locate the user or group object that you want to work with
  • Right click on the object and select Properties
  • Now, in the Attribute Editor tab, locate the uidNumber (not needed for a group) and gidNumber attributes and populate them with the desired values. Click OK to save the values.

You're done.

There are several programmatic methods available to do this. Following is a VBScript that I use for my tests -

On Error Resume Next

'Setting base DN here
Set objRootDSE = GetObject("LDAP://rootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;"

'Escape the characters that are special in an LDAP search filter (RFC 4515)
'so that a name taken from the command line cannot change the meaning of the search
Function EscapeLdapFilter(value)
    Dim s
    s = Replace(value, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    EscapeLdapFilter = s
End Function

'Getting parameters and setting variables for later use
If WScript.Arguments.Count = 2 Then
    objType = "group"
    samID = WScript.Arguments(0)
    gidNumber = WScript.Arguments(1)
ElseIf WScript.Arguments.Count = 3 Then
    objType = "user"
    samID = WScript.Arguments(0)
    uidNumber = WScript.Arguments(1)
    gidNumber = WScript.Arguments(2)
Else
    WScript.Echo "Error: Insufficient Parameters"
    WScript.Quit 1
End If

'uidNumber and gidNumber are integer attributes in the schema; reject anything else up front
If (objType = "user" And Not IsNumeric(uidNumber)) Or Not IsNumeric(gidNumber) Then
    WScript.Echo "Error: uidNumber and gidNumber must be numeric"
    WScript.Quit 1
End If

'Searching for the object in AD
WScript.Echo "Searching for the object..."
strFilter = "(&(objectClass=" & objType & ")(sAMAccountName=" & EscapeLdapFilter(samID) & "));"
strAttrs = "distinguishedName;"
strScope = "SubTree"
Set objCon = CreateObject("ADODB.Connection")
objCon.Provider = "ADSDSOOBJECT"
objCon.Open "Active Directory Provider"
Set objRes = objCon.Execute(strBase & strFilter & strAttrs & strScope)
If Err.Number <> 0 Then
    WScript.Echo "Error: LDAP query failed (" & Err.Description & ")"
    WScript.Quit 1
End If

'An empty recordset means nothing matched; test EOF rather than relying on a later error
If objRes.EOF Then
    WScript.Echo "Error: No " & objType & " with name " & samID & " found."
    WScript.Quit 1
End If
strDN = objRes.Fields("distinguishedName").Value

Set objDN = GetObject("LDAP://" & strDN)

'Writing information to the object
WScript.Echo "Writing new values to AD..."
If objType = "user" Then
    objDN.Put "uidNumber", CLng(uidNumber)
    objDN.Put "gidNumber", CLng(gidNumber)
    objDN.SetInfo
ElseIf objType = "group" Then
    objDN.Put "gidNumber", CLng(gidNumber)
    objDN.SetInfo
End If
If Err.Number <> 0 Then
    WScript.Echo "Error: Could not write to " & strDN & " (" & Err.Description & ")"
    WScript.Quit 1
End If

'Fetch and display the newly updated UNIX values from AD
WScript.Echo "Fetching new values from AD..."
objDN.GetInfo
WScript.Echo " sAMAccountName : " & objDN.Get("sAMAccountName")
If objType = "user" Then WScript.Echo " uidNumber : " & objDN.Get("uidNumber")
WScript.Echo " gidNumber : " & objDN.Get("gidNumber")

'Clean up
objRes.Close
objCon.Close
Set objRes = Nothing
Set objCon = Nothing
Set objDN = Nothing

Disclaimer: This sample is provided as is and is not meant for use in a production environment. It is provided only for illustrative purposes. The end user must test and modify the sample to suit their target environment. This code is provided here only as a convenience to you. No representations can be made regarding the quality, safety, or suitability of any code or information found here.

Copy the code and save it in a file with a .vbs extension. Following is the syntax that you can use to start using it -

To modify user objects - 

C:\>cscript <scriptname.vbs> samAccountName uidNumber gidNumber

To modify group objects -

C:\>cscript <scriptname.vbs> samAccountName gidNumber

The script decides whether to modify a user or a group object based on the number of parameters that you pass. Once it has written the values to the uidNumber/gidNumber attributes, it reads the values back and prints them to the console. It does NOT provide an option to selectively modify only the uidNumber or only the gidNumber attribute of a user object - you still need to supply both parameters to this script.
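The same job in PowerShell, as an added example that is not part of the original post: it sets the attributes through the ActiveDirectory module, refuses to assign a uidNumber or gidNumber that another object already carries (two AD accounts with one uidNumber are a single identity as far as NFS is concerned), and reads the result back. It assumes the RSAT ActiveDirectory module is installed and that the caller can write to the objects; the account names and id numbers in the sample calls are constructed.

```powershell
# Added example (not from the original post): set uidNumber/gidNumber with the
# ActiveDirectory module, refuse duplicate uid/gid mappings, and read the result back.
# Assumes the RSAT ActiveDirectory module is installed and the caller may write to AD.
Import-Module ActiveDirectory

function Set-NfsUnixIdentity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('user', 'group')] [string] $ObjectType,
        [ValidateRange(1, 2147483647)] [int] $UidNumber,
        [Parameter(Mandatory)] [ValidateRange(1, 2147483647)] [int] $GidNumber
    )
    if ($ObjectType -eq 'user') {
        if (-not $PSBoundParameters.ContainsKey('UidNumber')) { throw 'UidNumber is required for a user' }
        $obj = Get-ADUser -Identity $SamAccountName
        # Two AD users with the same uidNumber are one identity to NFS: refuse the collision.
        $clash = Get-ADUser -LDAPFilter "(uidNumber=$UidNumber)" |
                 Where-Object { $_.SamAccountName -ne $SamAccountName }
        if ($clash) { throw "uidNumber $UidNumber already used by $($clash.SamAccountName -join ', ')" }
        $values = @{ uidNumber = $UidNumber; gidNumber = $GidNumber }
    } else {
        $obj = Get-ADGroup -Identity $SamAccountName
        $clash = Get-ADGroup -LDAPFilter "(gidNumber=$GidNumber)" |
                 Where-Object { $_.SamAccountName -ne $SamAccountName }
        if ($clash) { throw "gidNumber $GidNumber already used by $($clash.SamAccountName -join ', ')" }
        $values = @{ gidNumber = $GidNumber }
    }
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Set $($values.Keys -join ', ')")) {
        Set-ADObject -Identity $obj.DistinguishedName -Replace $values
        # Read back from AD so the caller sees exactly what the NFS server will look up.
        Get-ADObject -Identity $obj.DistinguishedName -Properties sAMAccountName, uidNumber, gidNumber |
            Select-Object sAMAccountName, uidNumber, gidNumber
    }
}

# Users that NFS cannot map at all: uidNumber was never populated.
function Get-NfsUnmappedUser {
    Get-ADUser -LDAPFilter '(!(uidNumber=*))' | Select-Object SamAccountName, DistinguishedName
}

# Constructed sample calls; -WhatIf shows the change without writing it.
Set-NfsUnixIdentity -SamAccountName 'jdoe' -ObjectType user -UidNumber 10001 -GidNumber 10001 -WhatIf
Set-NfsUnixIdentity -SamAccountName 'nfsusers' -ObjectType group -GidNumber 10001 -WhatIf
```

Drop the -WhatIf switches to apply the change; Get-NfsUnmappedUser lists the accounts that still need a uidNumber before NFS can map them.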

Comments

  • Anonymous
    June 24, 2010
    @Iain - It should just work when uidNumber and gidNumber attributes are populated with the user's UNIX uid and gid numbers. Drop me an email with more details.
  • Ashish
  • Anonymous
    July 15, 2012
    Please can you add this useful information to the step-by-step NFS for Windows Server 2008 R2 documentation - it's the most crucial part to get everything working! Thanks

  • Anonymous
    August 15, 2012
    A previous sysadmin set up our Linux boxes so that users can log into them via AD. And within Linux, these users all have proper ID numbers. However, the uidNumber is not set for any of the users in AD. Where does Linux get the ID numbers from if AD doesn't have them? At this point it looks like I'll have to look up every user's ID number in Linux, and then add it to the "uidNumber" field on the AD server. Is there a way to do this automatically, or at least get a full listing? Thank you! -joe
