Whoa ... thanks for this. I think I am on the right path now. Thanks for the help.
R

> On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users <[email protected]> wrote:
>
> On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
>>
>>
>>> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users <[email protected]> wrote:
>>>
>>> On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
>>>> Hi, All
>>>>
>>>> Off the bat I would like to say being new to freeIPA and rolling out
>>>> successful deployment to manage our servers has been amazing, very few
>>>> hiccups.
>>>>
>>>> Which brings me to my next question, I have been asked if FreeIPA can
>>>> be used with Samba4 as a Domain Controller in our environment. After
>>>> much reading it's not as simple as it might sound.
>>>>
>>>> In saying that, my question is simple.
>>>>
>>>> How or what would be the best way to keep the AD users and FreeIPA
>>>> users in sync. All I am really looking for is to Auth Users on the new
>>>> Samba4 AD server. Can this be done or not.
>>> It currently cannot be done. Requires functionality not available in
>>> FreeIPA.
>>>
>>
>> Yeah that's what I thought, just need to confirm.
>>
>> What would you suggest the best way to dump users from ldap and then
>> populate samba with users and random passwords? I understand this is
>> out of scope of freeIPA.
> You can use Python bindings to IPA to generate list of user entries in python
> and then feed some properties of that to samba-tool.
>
> Something like this, using ipa console to simplify use of the API:
>
> # ipa console
> (Custom IPA interactive Python console)
> api: IPA API object
> pp: pretty printer
> >>> result = api.Command.user_find(all=True, raw=True)['result']
> >>> len(result)
> 7
> >>> pp(result)
> ({'cn': ('Alexander Bokovoy',),
>   'displayName': ('Alexander Bokovoy',),
>   'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
>   'gecos': ('Alexander Bokovoy',),
>   'gidnumber': ('1536000001',),
>   'givenname': ('Alexander',),
>   'homedirectory': ('/home/ab',),
>   'initials': ('AB',),
>   'ipaNTHash': (b'some-value',),
>   'ipaNTSecurityIdentifier': ('<DOMAIN-SID>-1001',),
>   'ipaUniqueID': ('<UNIQUE-ID>',),
>   'ipaUserAuthType': ('otp',),
>   'krbLastPwdChange': ('20180531111544Z',),
>   'krbPasswordExpiration': ('20180829111544Z',),
>   'krbcanonicalname': ('[email protected]',),
>   'krbprincipalname': ('[email protected]',),
>   'loginshell': ('/bin/sh',),
>   'mail': ('[email protected]',),
>   'memberOf': (<list of DNs>),
>   'nsaccountlock': ('FALSE',),
>   'objectClass': ('ipaobject',
>                   'person',
>                   'top',
>                   'ipasshuser',
>                   'inetorgperson',
>                   'organizationalperson',
>                   'krbticketpolicyaux',
>                   'krbprincipalaux',
>                   'inetuser',
>                   'posixaccount',
>                   'ipaSshGroupOfPubKeys',
>                   'mepOriginEntry',
>                   'ipantuserattrs',
>                   'ipauserauthtypeclass'),
>   'sn': ('Bokovoy',),
>   'uid': ('ab',),
>   'uidnumber': ('1536000001',)
>   <more data>
>  },
>  <more entries>
> )
>
> >>> for x in filter(lambda x: 'givenname' in x, result):
> ...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D --given-name={givenname[0]} --surname={sn[0]} --must-change-at-next-login".format(**x))
> ...
> samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander --surname=Bokovoy --must-change-at-next-login
> samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar --must-change-at-next-login
> samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New --surname=User --must-change-at-next-login
> samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A --surname=User --must-change-at-next-login
> samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some --surname=User --must-change-at-next-login
> samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User --surname=Mode --must-change-at-next-login
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
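
Added example (not part of the original thread, and not FreeIPA or Samba code): a variant of the loop quoted above that gives every user a distinct random temporary password, as asked earlier in the thread, and builds argument lists so that names containing shell metacharacters cannot change the command. SAMPLE_RESULT is constructed data in the shape of the user_find output shown above; the helper names, the 20-character length and the choice to skip entries with nsaccountlock TRUE are assumptions.

```python
import secrets
import shlex
import string

# Constructed sample, shaped like api.Command.user_find(all=True, raw=True)['result']
SAMPLE_RESULT = (
    {'uid': ('ab',), 'givenname': ('Alexander',), 'sn': ('Bokovoy',), 'nsaccountlock': ('FALSE',)},
    {'uid': ('mbar',), 'givenname': ('M',), 'sn': ("O'Bar; id",), 'nsaccountlock': ('FALSE',)},
    {'uid': ('svc-backup',), 'sn': ('Service',)},  # no givenname: skipped, as in the original filter
    {'uid': ('olduser',), 'givenname': ('Old',), 'sn': ('User',), 'nsaccountlock': ('TRUE',)},
)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

def temp_password(length=20):
    """Random password from the CSPRNG with lower, upper and digit characters present."""
    while True:
        pw = ''.join(secrets.choice(''.join(CLASSES)) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def first(entry, attr):
    """First value of a multi-valued attribute, or None if absent or empty."""
    values = entry.get(attr) or ()
    return values[0] if values else None

def samba_commands(result, skip_locked=True):
    """Return (list of samba-tool argv lists, {uid: temporary password})."""
    commands, passwords = [], {}
    for entry in result:
        uid, given, sn = (first(entry, a) for a in ('uid', 'givenname', 'sn'))
        if not (uid and given and sn):
            continue  # incomplete entry, nothing to pass to samba-tool
        if skip_locked and (first(entry, 'nsaccountlock') or '').upper() == 'TRUE':
            continue  # assumption: disabled IPA accounts are not migrated
        passwords[uid] = temp_password()
        commands.append(['samba-tool', 'user', 'create', uid, passwords[uid],
                         '--given-name=' + given, '--surname=' + sn,
                         '--must-change-at-next-login'])
    return commands, passwords

def as_shell(argv):
    """Render one argv list as a single shell-safe line, for review or a script."""
    return ' '.join(shlex.quote(a) for a in argv)

if __name__ == '__main__':
    cmds, pws = samba_commands(SAMPLE_RESULT)
    for argv in cmds:
        print(as_shell(argv))
```

The argv lists can be handed to subprocess.run() directly, which avoids the shell altogether. As in the original loop, the password is still a command-line argument to samba-tool, so run it on a host where other local users cannot read the process list.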
