Whoa …… thanks for this. Now I think I am on the right path.

Thanks for the help.


On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:

On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
Hi, All

Off the bat I would like to say being new to freeIPA and rolling out
successful deployment to manage our servers has been amazing, very few

Which brings me to my next question: I have been asked if FreeIPA can
be used with Samba4 as a Domain Controller in our environment. After
much reading, it's not as simple as it might sound.

In saying that, my question is simple.

How, or what, would be the best way to keep the AD users and FreeIPA
users in sync? All I am really looking for is to authenticate users on the new
Samba4 AD server. Can this be done or not?
It currently cannot be done. Requires functionality not available in

Yeah, that's what I thought, just needed to confirm.

What would you suggest as the best way to dump users from LDAP and then
populate Samba with users and random passwords? I understand this is
out of scope for FreeIPA.
You can use the Python bindings to IPA to generate a list of user entries in Python and
then feed some properties of that to samba-tool.

Something like this, using ipa console to simplify use of the API:

# ipa console
(Custom IPA interactive Python console)
  api: IPA API object
  pp: pretty printer
result = api.Command.user_find(all=True, raw=True)['result']
({'cn': ('Alexander Bokovoy',),
'displayName': ('Alexander Bokovoy',),
'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
'gecos': ('Alexander Bokovoy',),
'gidnumber': ('1536000001',),
'givenname': ('Alexander',),
'homedirectory': ('/home/ab',),
'initials': ('AB',),
'ipaNTHash': (b'some-value',),
'ipaNTSecurityIdentifier': ('<DOMAIN-SID>-1001',),
'ipaUniqueID': ('<UNIQUE-ID>',),
'ipaUserAuthType': ('otp',),
'krbLastPwdChange': ('20180531111544Z',),
'krbPasswordExpiration': ('20180829111544Z',),
'krbcanonicalname': ('ab@EXAMPLE.COM',),
'krbprincipalname': ('ab@EXAMPLE.COM',),
'loginshell': ('/bin/sh',),
'mail': ('ab@example.com',),
'memberOf': (<list of DNs>),
'nsaccountlock': ('FALSE',),
'objectClass': ('ipaobject',
'sn': ('Bokovoy',),
'uid': ('ab',),
'uidnumber': ('1536000001',)
<more data>
<more entries>

for x in filter(lambda x: 'givenname' in x, result):
...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D --given-name={givenname[0]} --surname={sn[0]} --must-change-at-next-login".format(**x))
...
samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander --surname=Bokovoy --must-change-at-next-login
samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar --must-change-at-next-login
samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New --surname=User --must-change-at-next-login
samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A --surname=User --must-change-at-next-login
samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some --surname=User --must-change-at-next-login
samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User --surname=Mode --must-change-at-next-login

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
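The samba-tool generation approach from the quoted reply, worked through as an added example that is not part of the original thread and not FreeIPA or Samba project code. It assumes entries in the shape that `api.Command.user_find(all=True, raw=True)['result']` returns inside `ipa console` (a list of dicts whose attribute values are tuples of strings); the entries below are constructed for the example, and the samba-tool options used (`--random-password`, `--must-change-at-next-login`, `--given-name`, `--surname`, `--mail-address`) should be checked against `samba-tool user create --help` on your Samba version. Two things differ from the one-liner above: no password is placed on the command line, and every argument is shell-quoted so an attribute value containing a quote or metacharacter cannot alter the pasted command.

```python
"""Generate samba-tool commands from IPA user entries (added example).

Assumes the entry shape returned by api.Command.user_find(all=True, raw=True)
['result'] in the ipa console session quoted above: a list of dicts whose
attribute values are tuples of strings. The entries below are constructed.
"""
import shlex

# Constructed sample entries in the shape of the raw user_find output.
SAMPLE_ENTRIES = [
    {
        "uid": ("ab",),
        "givenname": ("Alexander",),
        "sn": ("Bokovoy",),
        "mail": ("ab@example.com",),
        "nsaccountlock": ("FALSE",),
    },
    {
        # A surname with a quote and shell metacharacters: built with plain
        # str.format this would break the pasted command, or change it.
        "uid": ("obrien",),
        "givenname": ("Sean",),
        "sn": ("O'Brien; rm -rf /",),
        "mail": ("obrien@example.com",),
        "nsaccountlock": ("FALSE",),
    },
    {
        # Disabled in IPA: skipped rather than recreated as an active AD user.
        "uid": ("old",),
        "givenname": ("Old",),
        "sn": ("Timer",),
        "nsaccountlock": ("TRUE",),
    },
    {
        # Entry without a first name: skipped, as in the original
        # filter(lambda x: 'givenname' in x, result).
        "uid": ("backup",),
        "sn": ("Backup",),
        "nsaccountlock": ("FALSE",),
    },
]


def first(entry, attr, default=None):
    """Return the first value of a multi-valued raw attribute, or default."""
    values = entry.get(attr)
    return values[0] if values else default


def is_migratable(entry):
    """Keep enabled entries that carry a first name, like the original filter."""
    if "givenname" not in entry:
        return False
    return first(entry, "nsaccountlock", "FALSE").upper() != "TRUE"


def samba_argv(entry):
    """Build the samba-tool argv for one entry.

    No password appears on the command line: --random-password lets samba-tool
    generate one per user, and --must-change-at-next-login forces a reset.
    (Assumed samba-tool options; verify with `samba-tool user create --help`.)
    """
    argv = [
        "samba-tool", "user", "create", first(entry, "uid"),
        "--random-password",
        "--must-change-at-next-login",
        "--given-name=" + first(entry, "givenname"),
        "--surname=" + first(entry, "sn"),
    ]
    mail = first(entry, "mail")
    if mail:
        argv.append("--mail-address=" + mail)
    return argv


def build_commands(entries):
    """Return one shell-safe command line per migratable entry.

    shlex.quote wraps any argument containing spaces, quotes or metacharacters,
    so attribute values cannot change the meaning of the pasted command.
    """
    return [
        " ".join(shlex.quote(arg) for arg in samba_argv(e))
        for e in entries
        if is_migratable(e)
    ]


if __name__ == "__main__":
    # Inside `ipa console` you would pass
    # api.Command.user_find(all=True, raw=True)['result'] here instead.
    for line in build_commands(SAMPLE_ENTRIES):
        print(line)
```

The shared `t4mp-P-A-S-S-W-O-R-D` in the original one-liner ends up in shell history and in the process list for every account created; a per-user generated password with a forced change at first login keeps one leaked value from opening every migrated account. Accounts locked in IPA (`nsaccountlock: TRUE`) are skipped so that a disabled user is not silently re-enabled on the AD side.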