Getting AD Lookup to work without UNIX Attributes tab

Getting AD Lookup to work without UNIX Attributes tab

The previous post talks about how to get the UNIX Attributes tab to work without installing IdMU components. In this post, I would like to talk about what attributes the NFS components expect to be populated in AD for user and group object before it can recognize them and use the information.

The UNIX Attributes tab populate a lot of other attributes because it is primarily designed to assist administrators to populate the attributes that are needed to build the NIS maps - NFS components look up just the uidNumber and gidNumber attributes for a user and the gidNumber attribute in case of a group. None of the other attributes are required to have any values.

If we leave the UNIX Attributes tab, we have two options to populate these attributes - programmatically or using ADSIEdit MMC snap-in.

 Using ADSIEdit snap-in can be feasible when you don't have a lot of objects to work with and it's not repeatative. Follow the steps below to populate these attributes using ADSIEdit -

  • In the Run... dialog box, type ADSIEdit.msc and press Enter

  • Right click on the ADSI Edit item in the snap-in and select Connect to...

  • Under the Connection Point section, check the Select a well known Naming Context radio button and from the drop down box, select Default naming context and click on OK

  • Expand Default naming context and then your domain container

  • Locate the user or group object that you want to work with

  • Right click on the object and select Properties

  • Now, in the Attribute Editor tab, locate the uidNumber (not in case of a group) and gidNumber attributes and populate them with the desired values. Now click on OK on save the values.

You're done.

There are several programmatical methods available to do this. Following is a vbs script that I use for my tests -

On Error Resume Next

'Seting base DN here
Set objRootDSE = GetObject ("
strBase = "<LDAP://" & objRootDSE.Get ("defaultNamingContext")&">;"

'Getting parameters and setting variables for later use
If WScript.Arguments.Count = 2 then
 objType = "group"
 samID = WScript.Arguments(0)
 gidNumber = WScript.Arguments(1)
ElseIf WScript.Arguments.Count = 3 Then
 objType = "user"
 samID = WScript.Arguments(0)
 uidNumber = WScript.Arguments(1)
 gidNumber = WScript.Arguments(2)
 Wscript.Echo "Error: Insufficient Parameters"
End If

'Wscript.Echo objType & " " & samID & " " & uidNumber & " " & gidNumber
'Searching for the user in AD
Wscript.Echo "Searching for the object..."
strFilter="(&(objectClass=" & objType & ")(SamAccountName=" & samID & "));"
Set objCon = CreateObject("ADODB.Connection")
objCon.Provider = "ADSDSOOBJECT"
objCon.Open "Active Directory Provider"
Set objRes = objCon.Execute(strBase & strFilter & strAttrs & strScope)

strDN = objRes.Fields("distinguishedname").Value
If Err.Number Then
    WScript.Echo "Error: No " & objType & " with name " & samID & " found."
End If

set objDN = GetObject("LDAP://" & strDN)

'Writing information to the object
Wscript.Echo "Writing new values to AD..."
If objType = "user" Then
 objDN.Put "uidNumber", uidNumber
 objDN.Put "gidNumber", gidNumber
ElseIf objType = "group" Then
 objDN.Put "gidNumber", gidNumber
End If
'Fetch and display the newly updated UNIX values from AD
Wscript.Echo "Fetching new values from AD..."
Wscript.Echo "   samAccountName : " & objDN.Get("cn")
If objType = "user" Then Wscript.Echo "   uidNumber      : " & objDN.Get("uidNumber")
Wscript.Echo "   gidNumber      : " & objDN.Get("gidNumber")

'Clean up
Set objRes = nothing

Disclaimer: This sample is provided as is and is not meant for use on a production environment. It is provided only for illustrative purposes. The end user must test and modify the sample to suit their target environment. This code is provided here only as a convenience to you. No representations can be regarding the quality, safety, or suitability of any code or information found here.

Copy the code and save it in a file with .vbs extension. Following is the sytax that you can use to start using it -

To modify user objects - 

C:\>cscript <scriptname.vbs> samAccountName uidNumber gidNumber

To modify group objects -

C:\>cscript <scriptname.vbs> samAccountName gidNumber

It takes a call to modify a user or a group object based on the number of parameters that you pass. Once, it has written the values to uidNumber/gidNumber attributes, it reads the values again and prints them to the console. It does NOT provide an option to selectively modify uidNumber or gidNumber attribute of a user object - you need to still supply both the parameters to this script.

Comments (5)
  1. Iain says:

    One thing I don't quite get.  SHould AD Lookup "just work" assuming you have 2003 R2 or higher installed?  Or do you need the Server for NIS component installed on all the DCs?  I know I have the R2 schema, as I can see and edit the uidnumber and gid properties in adsiedit orvia other ldap tools.  However, I can't seem to make AD lookup work.  Just curious if I missed a big, obvious step.

  2. ashisa says:

    @Iain – It should just work when uidNumber and gidNumber attributes are populated with the user's UNIX uid and gid numbers. Drop me an email with more details.

    – Ashish

  3. Simon Allison says:

    Please can you add this useful information to the step by step NFS for Windows Server 2008 R2 Documentation – its the most crucial part to get everything working!    thanks

  4. Joe Mac says:

    A previous sys admin setup our Linux boxes so that users can log into them via AD.  And within Linux, these users all have proper ID numbers.  However, the uidNumber is not set for any of the users in AD.

    Where does Linux get the ID numers from if AD doesn't have them?

    At this point it looks like I'll have to look up every user's ID number in Linux, and then add it to the "uidNumber" field on the AD server.  Is there a way to do this automatically, or at least get a full listing??

    Thank you!


  5. ashisa says:

    @Joe – Maybe it's taking it from the local files and still using the passwords in AD for the logon process. To populate the information in AD, you can take the passwd and group files to a Windows box and give the following command a try –

    FOR /F "delims=: eol=; tokens=1,2,3,4,5*" %i IN (passwd.txt) DO @cscript <script-name-from-above> %i %k %l

    For groups, the following should do –

    FOR /F "delims=: eol=; tokens=1,2,3,4*" %i IN (group.txt) DO @echo %i %k

    Hope this helps.

Comments are closed.

Skip to main content