Jump to: navigation, search

IPAv3 User Attribute Mapping

SCOPE: PAGE IS OBSOLETE.

Contents

Overview

This document describes the user attribute mapping from IPA to Samba and vice versa in various scenarios.

Mapping IPA User to Samba User

IPA User Doesn't Exist in Samba

A new user should be generated from IPA attributes and added to Samba:

Samba IPA
dn CN=<cn>,CN=Users,DC=domain1,DC=com
objectClass user, person, organizationalPerson
cn cn
sn sn
sAMAccountName uid
homeDirectory homeDirectory
accountExpires convert krbPasswordExpiration to AD timestamp
pwdLastSet convert krbLastPwdChange to AD timestamp
userAccountControl 512

The IPA user should be updated with Samba attributes:

IPA Samba
objectClass extensibleObject
objectGUID objectGUID
objectSid objectSid
lastLogon lastLogon
scriptPath scriptPath
profilePath profilePath
logonCount logonCount
badPwdCount badPwdCount
primaryGroupID primaryGroupID
userAccountControl 512

IPA User Exists in Samba but Not Linked

The Samba user should be updated with IPA attributes:

Samba IPA
sn sn
homeDirectory homeDirectory
accountExpires convert krbPasswordExpiration to AD timestamp
pwdLastSet convert krbLastPwdChange to AD timestamp

The IPA user should be updated with Samba attributes:

IPA Samba
objectClass extensibleObject
objectGUID objectGUID
objectSid objectSid
lastLogon lastLogon
scriptPath scriptPath
profilePath profilePath
logonCount logonCount
badPwdCount badPwdCount
primaryGroupID primaryGroupID
userAccountControl userAccountControl

IPA User Exists in Samba and Linked

The Samba user should be updated with IPA attributes:

Samba IPA
sn sn
homeDirectory homeDirectory
accountExpires convert krbPasswordExpiration to AD timestamp
pwdLastSet convert krbLastPwdChange to AD timestamp
lastLogon lastLogon
scriptPath scriptPath
profilePath profilePath
logonCount logonCount
badPwdCount badPwdCount
primaryGroupID primaryGroupID
userAccountControl userAccountControl

Mapping Samba User to IPA User

Samba User Doesn't Exist in IPA

A new user is generated from Samba attributes and added to IPA:

IPA Samba
dn uid=<sAMAccountName>,cn=users,cn=accounts,dc=domain1,dc=com
objectClass inetOrgPerson, inetUser, krbPrincipalAux, organizationalPerson, person, posixAccount, radiusProfile, extensibleObject
cn cn
sn sn or last word of cn
uid sAMAccountName
homeDirectory homeDirectory or /tmp
gidNumber 0
krbPrincipalName <sAMAccountName>@domain1.com
krbPasswordExpiration convert accountExpires to IPA timestamp
krbLastPwdChange convert pwdLastSet to IPA timestamp
objectGUID objectGUID
objectSid objectSid
lastLogon lastLogon
scriptPath scriptPath
profilePath profilePath
logonCount logonCount
badPwdCount badPwdCount
primaryGroupID primaryGroupID
userAccountControl userAccountControl

Samba User Exists in IPA but Not Linked

A new user is generated from Samba attributes and added to IPA:

IPA Samba
objectClass extensibleObject
krbPasswordExpiration convert accountExpires to IPA timestamp
krbLastPwdChange convert pwdLastSet to IPA timestamp
objectGUID objectGUID
objectSid objectSid
lastLogon lastLogon
scriptPath scriptPath
profilePath profilePath
logonCount logonCount
badPwdCount badPwdCount
primaryGroupID primaryGroupID
userAccountControl userAccountControl

The Samba user will be updated with IPA attributes:

Samba IPA
cn cn
sn sn
homeDirectory homeDirectory

Samba User Exists in IPA and Linked

A new user is generated from Samba attributes and added to IPA:

IPA Samba
cn cn
sn sn or last word of cn
homeDirectory homeDirectory or /tmp
krbPasswordExpiration convert accountExpires to IPA timestamp
krbLastPwdChange convert pwdLastSet to IPA timestamp
lastLogon lastLogon
scriptPath scriptPath
profilePath profilePath
logonCount logonCount
badPwdCount badPwdCount
primaryGroupID primaryGroupID
userAccountControl userAccountControl
Retrieved from "http://www.freeipa.org/index.php?title=IPAv3_User_Attribute_Mapping&oldid=4688"