
How to manage UNIX groups and users in Samba Active Directory

Manage UNIX groups and users in Samba Active Directory.

Create groups.

$ sudo samba-tool group add cats --gid-number 8000 --nis-domain OCTOCAT --description "Cats group"
Added group cats
$ sudo samba-tool group add vampires --gid-number 8001 --nis-domain OCTOCAT --description "Vampires group"
Added group vampires
$ sudo samba-tool group add octocat --gid-number=10000 --nis-domain=OCTOCAT --description "Octocat group"
Added group octocat

Edit group.

$ sudo samba-tool group edit octocat
dn: CN=octocat,CN=Users,DC=octocat,DC=lab
objectClass: top
objectClass: group
cn: octocat
description: Octocat group
instanceType: 4
whenCreated: 20210930172216.0Z
whenChanged: 20210930172216.0Z
uSNCreated: 4080
uSNChanged: 4080
name: octocat
objectGUID: 76e7e98d-2867-4062-9cb7-21a9345135b3
objectSid: S-1-5-21-3581266272-3984212215-1130392956-1106
sAMAccountName: octocat
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=octocat,DC=lab
msSFU30Name: octocat
msSFU30NisDomain: OCTOCAT
gidNumber: 10000
distinguishedName: CN=octocat,CN=Users,DC=octocat,DC=lab
Modified group 'octocat' successfully

Create users.

$ sudo samba-tool user create \
    octo 0ctOpass \
    --given-name Octo --surname Cat --home-directory /home/octocat \
    --uid octo --uid-number 10000 --gid-number 10000 \
    --unix-home /home/octocat \
    --gecos 'Octo Cat' \
    --nis-domain OCTOCAT \
    --login-shell=/bin/bash
User 'octo' created successfully
$ sudo samba-tool user create vampire v4mP4ss
User 'vampire' created successfully

Add UNIX attributes to a specific user.

$ sudo samba-tool user addunixattrs vampire 10001 --gid-number 100 --unix-home /home/vampire --login-shell /bin/bash
Modified User 'vampire' successfully

Display user information.

$ sudo samba-tool user show vampire
dn: CN=vampire,CN=Users,DC=octocat,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: vampire
instanceType: 4
whenCreated: 20210930172540.0Z
uSNCreated: 4085
name: vampire
objectGUID: e64f4bd0-5b79-48ea-8ed6-91843f1ed14e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3581266272-3984212215-1130392956-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: vampire
sAMAccountType: 805306368
userPrincipalName: vampire@octocat.lab
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=octocat,DC=lab
pwdLastSet: 132774963400609290
userAccountControl: 512
uidNumber: 10001
gidNumber: 100
gecos: vampire
uid: vampire
loginShell: /bin/bash
unixHomeDirectory: /home/vampire
whenChanged: 20210930172831.0Z
uSNChanged: 4088
distinguishedName: CN=vampire,CN=Users,DC=octocat,DC=lab
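As an added example (not part of the original post), a small POSIX shell script that checks the RFC 2307 attributes samba-tool sets: uidNumber values shared by more than one account, and accounts whose primary gidNumber matches no group (note that vampire above received gidNumber 100, which none of the groups created here carry). The LDIF is constructed from this page's values plus a made-up "ghost" account with a colliding uidNumber; in practice you would feed it the real output of `samba-tool user show` and `samba-tool group show`.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks for the RFC 2307
# attributes samba-tool sets. LDIF below is constructed from this page's values
# plus a made-up "ghost" account; feed real samba-tool output in practice.
USERS_LDIF='dn: CN=octo,CN=Users,DC=octocat,DC=lab
sAMAccountName: octo
uidNumber: 10000
gidNumber: 10000

dn: CN=vampire,CN=Users,DC=octocat,DC=lab
sAMAccountName: vampire
uidNumber: 10001
gidNumber: 100

dn: CN=ghost,CN=Users,DC=octocat,DC=lab
sAMAccountName: ghost
uidNumber: 10001
gidNumber: 8000'

GROUPS_LDIF='dn: CN=cats,CN=Users,DC=octocat,DC=lab
sAMAccountName: cats
gidNumber: 8000

dn: CN=octocat,CN=Users,DC=octocat,DC=lab
sAMAccountName: octocat
gidNumber: 10000'

# Print "<sAMAccountName> <value>" for every LDIF entry carrying attribute $2.
ldif_pairs() {
    printf '%s\n' "$1" | awk -v attr="$2" 'BEGIN { RS = "" } {
        name = ""; val = ""; n = split($0, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (index(lines[i], "sAMAccountName: ") == 1) name = substr(lines[i], 17)
            if (index(lines[i], attr ": ") == 1) val = substr(lines[i], length(attr) + 3)
        }
        if (name != "" && val != "") print name, val
    }'
}

# uidNumbers used by more than one account: the file system sees them as one identity.
duplicate_uids() {
    ldif_pairs "$1" uidNumber | awk '{ print $2 }' | sort | uniq -d
}

# Accounts whose primary gidNumber belongs to no group: NSS cannot resolve the group.
orphan_primary_gids() {
    known=$(ldif_pairs "$2" gidNumber | awk '{ print $2 }')
    ldif_pairs "$1" gidNumber | while read -r user gid; do
        printf '%s\n' "$known" | grep -qx "$gid" || echo "$user $gid"
    done
}
```

Both checks print nothing when the directory is consistent, so they can be run from cron and alerted on non-empty output.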

Get user groups.

$ sudo samba-tool user getgroups octo
Domain Users
cats

List users.

$ sudo samba-tool user list
octo
Guest
vampire
dns-ad
Administrator
krbtgt

Define password expiration.

$ sudo samba-tool user setexpiry --days 120 octo
Expiry for user 'octo' set to 120 days.
$ sudo samba-tool user setexpiry --noexpiry vampire
Expiry for user 'vampire' disabled.

Add user to group.

$ sudo samba-tool group addmembers cats octo,vampire
Added members to group cats
$ sudo samba-tool group addmembers vampires vampire
Added members to group vampires

List groups.

$ sudo samba-tool group list
Event Log Readers
Certificate Service DCOM Access
Print Operators
Incoming Forest Trust Builders
Remote Desktop Users
Enterprise Read-only Domain Controllers
RAS and IAS Servers
Domain Users
Windows Authorization Access Group
Domain Admins
Denied RODC Password Replication Group
vampires
Performance Log Users
Pre-Windows 2000 Compatible Access
Backup Operators
Domain Computers
Cert Publishers
Users
Account Operators
DnsUpdateProxy
octocat
Read-only Domain Controllers
Group Policy Creator Owners
Enterprise Admins
cats
Schema Admins
Domain Controllers
Distributed COM Users
Cryptographic Operators
Allowed RODC Password Replication Group
IIS_IUSRS
Terminal Server License Servers
Domain Guests
Guests
Replicator
Performance Monitor Users
DnsAdmins
Server Operators
Administrators
Network Configuration Operators

List group members.

$ sudo samba-tool group listmembers cats
vampire
octo

Remove user from a group.

$ sudo samba-tool group removemembers cats vampire
Removed members from group cats

Delete group.

$ sudo samba-tool group delete vampires
Deleted group vampires

Delete user.

$ sudo samba-tool user delete vampire
Deleted user vampire

Change user password.

$ sudo samba-tool user password -U octo
Password for [OCTOCAT\octo]: ************
New Password:    ************
Retype Password: ************
Changed password OK

Additional information

An Approach for Using LDAP as a Network Information Service (RFC 2307)