I just though I’d share

Edit: I’m not sure if this actually works. All else fails fall back to Ansible

  • cheet@infosec.pub
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    7 months ago

    Microsoft pulled those from the UI, but if you’re adventurous you can just shove those attributes in to user with power shell and it works the same.

    Then just use sssd instead of NIS, surprised me at work when this worked.

    • Luci
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      Do you have any documentation on this by any chance? I don’t really like messing with ad schemas

      • cheet@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        sorry I don’t have any real documentation but I have a snippet of powershell that explains it pretty well here this comes from a user creation script I wrote back when they removed the unix UI.

        I was using Get-AdUser and discovered that the properties still existed but you have to manually shove those in, when an sssd “domain bound” linux machine has a user with these props login, they get the defined UID and GID and homefolder etc.

        $otherAttributes = @{}
        Write-Host -ForegroundColor Yellow "Adding Linux Attributes"
        
        # get the next numeric uid number from AD
        $uidNumber=((get-aduser -Filter * -Properties * | where-object {$_.uidNumber} | select uidNumber | sort uidNumber | select -Last 1).uidNumber)+1
        
        $otherAttributes.Add("unixHomeDirectory","/homefolder/path/$($samAccountName)")
        $otherAttributes.Add("uid","$($samAccountName)")
        $otherAttributes.Add("gidNumber","$($gidNumber)")
        $otherAttributes.Add("uidNumber","$($uidNumber)")
        $otherAttributes.Add("loginShell","$($loginShell)")
        
        $UserArgs = @{
            Credential = $creds
            Enabled = $true
            ChangePasswordAtLogon = $true
            Path = $usersOU
            HomeDirectory = "$homeDirPath\$samAccountName"
            HomeDrive = $homeDriveLetter
            GivenName = $firstName
            Surname = $lastName
            DisplayName = $displayName
            SamAccountName = $samAccountName
            Name = $displayName
            AccountPassword = $securePW
            UserPrincipalName = "$($aliasName)@DOMAIN.COM"
            OtherAttributes = $otherAttributes
        }
        
        $newUser = New-ADUser @UserArgs
        

        basically the “OtherAttributes” on the ADUser object is a hashtable that holds all the special additional LDAP attributes, so in this example we use $otherAttributes to add all the fields we need, you can do the same with “Set-Aduser” if you just wanna edit an existing user and add these props

        the @thing on New-ADuser is called a splat, very useful if you’re not familiar, it turns a hashtable into arguments

        lemme know if you have any questions

        • cheet@infosec.pub
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          7 months ago

          I think you could boil it down to something like Set-ADUser bob -otherattributes {uidNumber=1005, gidNumber=1005}