I just thought I’d share

Edit: I’m not sure if this actually works. If all else fails, fall back to Ansible.

  • Luci · 7 months ago

    Do you have any documentation on this by any chance? I don’t really like messing with AD schemas.

    • cheet@infosec.pub · 7 months ago

      Sorry, I don’t have any real documentation, but I have a snippet of PowerShell that explains it pretty well. This comes from a user creation script I wrote back when they removed the Unix UI.

      I was using Get-ADUser and discovered that the properties still existed, but you have to manually shove those in. When a user with these props logs in on an sssd “domain bound” Linux machine, they get the defined UID, GID, home folder, etc.

      # $samAccountName, $gidNumber, $loginShell, $creds, $usersOU, $homeDirPath,
      # $homeDriveLetter, $securePW, $aliasName and the name fields are set earlier in the
      # author's user creation script; only the Linux attribute part is shown here.
      $otherAttributes = @{}
      Write-Host -ForegroundColor Yellow "Adding Linux Attributes"
      
      # get the next numeric uid number from AD: highest uidNumber already in use, plus one.
      # Ask only for users that carry a uidNumber, and only for that attribute, instead of
      # pulling every attribute of every user with -Properties *.
      $uidNumber = [int](Get-ADUser -Filter 'uidNumber -like "*"' -Properties uidNumber |
                         Measure-Object -Property uidNumber -Maximum).Maximum + 1
      
      # RFC 2307 attributes that sssd reads on a domain-joined Linux machine
      $otherAttributes.Add("unixHomeDirectory","/homefolder/path/$($samAccountName)")
      $otherAttributes.Add("uid",$samAccountName)
      $otherAttributes.Add("gidNumber",$gidNumber)
      $otherAttributes.Add("uidNumber",$uidNumber)
      $otherAttributes.Add("loginShell",$loginShell)
      
      $UserArgs = @{
          Credential = $creds
          Enabled = $true
          ChangePasswordAtLogon = $true
          Path = $usersOU
          HomeDirectory = "$homeDirPath\$samAccountName"
          HomeDrive = $homeDriveLetter
          GivenName = $firstName
          Surname = $lastName
          DisplayName = $displayName
          SamAccountName = $samAccountName
          Name = $displayName
          AccountPassword = $securePW
          UserPrincipalName = "$($aliasName)@DOMAIN.COM"
          OtherAttributes = $otherAttributes
          PassThru = $true   # without -PassThru New-ADUser returns nothing and $newUser stays empty
      }
      
      $newUser = New-ADUser @UserArgs
      

      Basically, the “OtherAttributes” on the ADUser object is a hashtable that holds all the special additional LDAP attributes, so in this example we use $otherAttributes to add all the fields we need. You can do the same with “Set-ADUser” if you just wanna edit an existing user and add these props.

      The @ thing on New-ADUser is called a splat; very useful if you’re not familiar with it, it turns a hashtable into arguments.

      lemme know if you have any questions

      • cheet@infosec.pub · 7 months ago (edited)

        I think you could boil it down to something like Set-ADUser bob -Replace @{uidNumber=1005; gidNumber=1005}
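The OtherAttributes hashtable in the script above and the Set-ADUser one-liner in the reply write the same RFC 2307 attributes. As an added example (not code from either post), here is the existing-user case done end to end: pick the next free uidNumber, refuse to hand out one another account already holds, write the attributes with Set-ADUser -Replace, and read back what sssd will see. The function names, the 10000 floor, the /home root and the account name bob are assumptions.

```powershell
# Added example, not from the original posts. Requires the ActiveDirectory module (RSAT)
# and an account allowed to write these attributes. Function names, the UID floor, the
# home root and the sample account name are assumptions.
Import-Module ActiveDirectory

function Get-NextUidNumber {
    param([int]$Floor = 10000)   # assumed floor: stay clear of local/system UID ranges
    # Ask only for users that already carry a uidNumber, and only for that attribute.
    $max = (Get-ADUser -Filter 'uidNumber -like "*"' -Properties uidNumber |
            Measure-Object -Property uidNumber -Maximum).Maximum
    if (-not $max -or [int]$max -lt $Floor) { return $Floor }
    return [int]$max + 1
}

function Set-LinuxAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][int]$GidNumber,
        [int]$UidNumber = 0,
        [string]$LoginShell = '/bin/bash',
        [string]$HomeRoot = '/home'     # assumed; must match what sssd expects on the client
    )
    # The name is interpolated into an LDAP filter below, so restrict it to a safe
    # character set instead of trusting arbitrary input.
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Refusing unusual sAMAccountName '$SamAccountName'"
    }
    if ($UidNumber -eq 0) { $UidNumber = Get-NextUidNumber }

    # Two accounts with the same uidNumber are the same user to Linux (file ownership,
    # sudo rules), so refuse to reuse one that another account already holds.
    $clash = Get-ADUser -LDAPFilter "(&(uidNumber=$UidNumber)(!(sAMAccountName=$SamAccountName)))"
    if ($clash) { throw "uidNumber $UidNumber is already used by $($clash.SamAccountName)" }

    # Same attribute set as the OtherAttributes hashtable used with New-ADUser.
    $attrs = @{
        uid               = $SamAccountName
        uidNumber         = $UidNumber
        gidNumber         = $GidNumber
        unixHomeDirectory = "$HomeRoot/$SamAccountName"
        loginShell        = $LoginShell
    }
    # Set-ADUser has no -OtherAttributes parameter; -Replace takes the same hashtable
    # shape and overwrites existing values (-Add/-Remove are for multi-valued edits).
    Set-ADUser -Identity $SamAccountName -Replace $attrs

    # Read back exactly what sssd will fetch, so the caller can check or log it.
    Get-ADUser -Identity $SamAccountName -Properties uid, uidNumber, gidNumber, unixHomeDirectory, loginShell |
        Select-Object SamAccountName, uid, uidNumber, gidNumber, unixHomeDirectory, loginShell
}

# Usage (bob and 1005 are placeholders):
# Set-LinuxAttributes -SamAccountName bob -GidNumber 1005
```

Two things the thread leaves implicit: the max-plus-one search is not atomic, so two admins running it at the same moment can be handed the same UID (the clash check narrows that window but does not close it), and on the Linux side the sssd AD provider only honours these attributes when ldap_id_mapping is set to False; otherwise it derives IDs from the SID and ignores uidNumber/gidNumber. The gidNumber should also match a group object that carries gidNumber, or the primary group will not resolve.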