IPAv3_User_Attribute_Mapping ============================ Overview ======== This document describes the user attribute mapping from IPA to Samba and vice versa in various scenarios. Mapping IPA User to Samba User ============================== IPA User Doesn't Exist in Samba ------------------------------- A new user should be generated from IPA attributes and added to Samba: ================== ============================================= Samba IPA ================== ============================================= dn CN=,CN=Users,DC=domain1,DC=com objectClass user, person, organizationalPerson cn cn sn sn sAMAccountName uid homeDirectory homeDirectory accountExpires convert krbPasswordExpiration to AD timestamp pwdLastSet convert krbLastPwdChange to AD timestamp userAccountControl 512 ================== ============================================= The IPA user should be updated with Samba attributes: ================== ================ IPA Samba ================== ================ objectClass extensibleObject objectGUID objectGUID objectSid objectSid lastLogon lastLogon scriptPath scriptPath profilePath profilePath logonCount logonCount badPwdCount badPwdCount primaryGroupID primaryGroupID userAccountControl 512 ================== ================ IPA User Exists in Samba but Not Linked --------------------------------------- The Samba user should be updated with IPA attributes: ============== ============================================= Samba IPA ============== ============================================= sn sn homeDirectory homeDirectory accountExpires convert krbPasswordExpiration to AD timestamp pwdLastSet convert krbLastPwdChange to AD timestamp ============== ============================================= The IPA user should be updated with Samba attributes: ================== ================== IPA Samba ================== ================== objectClass extensibleObject objectGUID objectGUID objectSid objectSid lastLogon lastLogon scriptPath scriptPath profilePath profilePath logonCount logonCount badPwdCount badPwdCount primaryGroupID primaryGroupID userAccountControl userAccountControl ================== ================== IPA User Exists in Samba and Linked ----------------------------------- The Samba user should be updated with IPA attributes: ================== ============================================= Samba IPA ================== ============================================= sn sn homeDirectory homeDirectory accountExpires convert krbPasswordExpiration to AD timestamp pwdLastSet convert krbLastPwdChange to AD timestamp lastLogon lastLogon scriptPath scriptPath profilePath profilePath logonCount logonCount badPwdCount badPwdCount primaryGroupID primaryGroupID userAccountControl userAccountControl ================== ============================================= Mapping Samba User to IPA User ============================== Samba User Doesn't Exist in IPA ------------------------------- A new user is generated from Samba attributes and added to IPA: +-----------------------+---------------------------------------------+ | IPA | Samba | +=======================+=============================================+ | dn | uid=,cn=users,cn=accounts,dc=domain1,dc=com | +-----------------------+---------------------------------------------+ | objectClass | inetOrgPerson, inetUser, krbPrincipalAux, | | | organizationalPerson, person, posixAccount, | | | radiusProfile, extensibleObject | +-----------------------+---------------------------------------------+ | cn | cn | +-----------------------+---------------------------------------------+ | sn | sn or last word of cn | +-----------------------+---------------------------------------------+ | uid | sAMAccountName | +-----------------------+---------------------------------------------+ | homeDirectory | homeDirectory or /tmp | +-----------------------+---------------------------------------------+ | gidNumber | 0 | +-----------------------+---------------------------------------------+ | krbPrincipalName | @domain1.com | +-----------------------+---------------------------------------------+ | krbPasswordExpiration | convert accountExpires to IPA timestamp | +-----------------------+---------------------------------------------+ | krbLastPwdChange | convert pwdLastSet to IPA timestamp | +-----------------------+---------------------------------------------+ | objectGUID | objectGUID | +-----------------------+---------------------------------------------+ | objectSid | objectSid | +-----------------------+---------------------------------------------+ | lastLogon | lastLogon | +-----------------------+---------------------------------------------+ | scriptPath | scriptPath | +-----------------------+---------------------------------------------+ | profilePath | profilePath | +-----------------------+---------------------------------------------+ | logonCount | logonCount | +-----------------------+---------------------------------------------+ | badPwdCount | badPwdCount | +-----------------------+---------------------------------------------+ | primaryGroupID | primaryGroupID | +-----------------------+---------------------------------------------+ | userAccountControl | userAccountControl | +-----------------------+---------------------------------------------+ Samba User Exists in IPA but Not Linked --------------------------------------- A new user is generated from Samba attributes and added to IPA: ===================== ======================================= IPA Samba ===================== ======================================= objectClass extensibleObject krbPasswordExpiration convert accountExpires to IPA timestamp krbLastPwdChange convert pwdLastSet to IPA timestamp objectGUID objectGUID objectSid objectSid lastLogon lastLogon scriptPath scriptPath profilePath profilePath logonCount logonCount badPwdCount badPwdCount primaryGroupID primaryGroupID userAccountControl userAccountControl ===================== ======================================= The Samba user will be updated with IPA attributes: ============= ============= Samba IPA ============= ============= cn cn sn sn homeDirectory homeDirectory ============= ============= Samba User Exists in IPA and Linked ----------------------------------- A new user is generated from Samba attributes and added to IPA: ===================== ======================================= IPA Samba ===================== ======================================= cn cn sn sn or last word of cn homeDirectory homeDirectory or /tmp krbPasswordExpiration convert accountExpires to IPA timestamp krbLastPwdChange convert pwdLastSet to IPA timestamp lastLogon lastLogon scriptPath scriptPath profilePath profilePath logonCount logonCount badPwdCount badPwdCount primaryGroupID primaryGroupID userAccountControl userAccountControl ===================== ======================================= `Category:Obsolete `__