Samba4 – How to Rename a User in Domain

samba4

How can I change a login of a user in samba4 based domain?

I've tried reading the samba-tool man page, but it does not seem to show anything that I could use.

Best Answer

Assume we use Ubuntu, Samba 4 is configured as a DC (Active Directory Domain Controller), and we want to change the user with name Old User and login olduser. To just rename a user's login name, we can use samba-tool:

test-smb:~# samba-tool user edit olduser

This will open an editor showing the content of the LDAP entry. Change the attributes sAMAccountName and userPrincipalName, save and exit. You may also want to rename any existing home directory of the user.

We can also edit the LDAP entry directly without using the samba-tool but with the ldb-tools.

Install ldb-tools:

apt install ldb-tools

Now we can use the ldb-tools (ldbadd, ldbdel, ldbedit, ldbmodify, ldbrename, ldbsearch) to search or modify the LDAP database directly.

Locate the Samba LDAP database:

If you installed an Ubuntu packaged version of samba, this file should be found at /var/lib/samba/private/sam.ldb.

Let's first have a look at that user in the LDAP database:

Search the database:

We use ldbsearch for that with the following syntax:

ldbsearch -H <database-file> <ldap-filter>

With the <ldap-filter> we can specify an expression to filter the entries returned by the search. We can for example use sAMAccountName=olduser to filter based on the login name attribute or CN=Old User to filter based on the CN (Common Name) attribute:

test-smb:~# ldbsearch -H /var/lib/samba/private/sam.ldb 'CN=Old User'
# record 1
dn: CN=Old User,CN=Users,DC=test-smb,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Old User
sn: User
givenName: Old
instanceType: 4
whenCreated: 20180904091809.0Z
whenChanged: 20180904091809.0Z
displayName: Old User
uSNCreated: 3841
name: Old User
objectGUID: 038979ea-107d-4c97-85bf-76d1f2326608
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3075026989-1808589244-366107480-1105
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: olduser
sAMAccountType: 805306368
userPrincipalName: olduser@test-smb.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test-smb,DC=phys,DC=et
 hz,DC=ch
mail: olduser@test-smb.example.com
loginShell: /bin/bash
pwdLastSet: 131805262894707270
userAccountControl: 512
uSNChanged: 3844
distinguishedName: CN=Old User,CN=Users,DC=test-smb,DC=example,DC=com

...

Change the login name attributes

Create a text file (rename-login.ldif) with the following contents:

dn: CN=Old User,CN=Users,DC=test-smb,DC=example,DC=com
changetype: modify
replace: sAMAccountName
sAMAccountName: newuser
-
replace: userPrincipalName
userPrincipalName: newuser@test-smb.example.com

This will modify the attributes sAMAccountName and userPrincipalName:

test-smb:~# ldbmodify -H /var/lib/samba/private/sam.ldb rename-login.ldif
Modified 1 records successfully

Rename the LDAP entry by renaming the RDN (Relative Distinguished Name)

It looks like renaming an LDAP entry is not possible using the samba-tool and we have to use ldb-tools:

test-smb:~# ldbrename -H /var/lib/samba/private/sam.ldb 'CN=Old User,CN=Users,DC=test-smb,DC=example,DC=com' 'CN=New User,CN=Users,DC=test-smb,DC=example,DC=com'
Renamed 1 record

This will also change the attributes cn and name, but some other attributes still contain the old user name, as shown by the next search:

test-smb:~# ldbsearch -H /var/lib/samba/private/sam.ldb 'CN=New User'
# record 1
dn: CN=New User,CN=Users,DC=test-smb,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sn: User
givenName: Old
instanceType: 4
whenCreated: 20180904091809.0Z
displayName: Old User
uSNCreated: 3841
objectGUID: 038979ea-107d-4c97-85bf-76d1f2326608
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3075026989-1808589244-366107480-1105
accountExpires: 9223372036854775807
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test-smb,DC=phys,DC=et
 hz,DC=ch
mail: olduser@test-smb.example.com
loginShell: /bin/bash
pwdLastSet: 131805262894707270
userAccountControl: 512
lastLogonTimestamp: 131805264616461980
sAMAccountName: newuser
userPrincipalName: newuser@test-smb.example.com
lastLogon: 131805271152497360
logonCount: 12
cn: New User
name: New User
whenChanged: 20180904100228.0Z
uSNChanged: 3847
distinguishedName: CN=New User,CN=Users,DC=test-smb,DC=example,DC=com

Modify the remaining attributes

To also change other attributes, such as givenName, displayName or mail, we can use:

samba-tool user edit newuser

and edit the user interactively or use another ldbmodify as follows:

Create a text file (rename-other-attrs.ldif) with the following contents:

dn: CN=New User,CN=Users,DC=test-smb,DC=example,DC=com
changetype: modify
replace: givenName
givenName: New
-
replace: displayName
displayName: New User
-
replace: mail
mail: newuser@test-smb.example.com

Modify the LDAP entry:

test-smb:~# ldbmodify -H /var/lib/samba/private/sam.ldb rename-other-attrs.ldif
Modified 1 records successfully
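The step the answer leaves to the eye (spotting which attributes still carry the old name after ldbrename) can be automated. The following is an added example, not part of the original answer and not a Samba tool: it parses an ldbsearch record (unfolding the continuation lines ldbsearch prints with a leading space), lists the attributes that still reference the old login or first name, and builds the rename-other-attrs.ldif style modify file for them. The record below is a constructed sample trimmed to the relevant attributes, and the function names are hypothetical.

```python
import re

# Constructed sample (not captured from a real server): the record ldbsearch shows
# right after ldbrename, trimmed to the attributes relevant to the rename. The
# objectCategory value is folded onto two lines the way ldbsearch prints long values.
POST_RENAME_RECORD = """\
# record 1
dn: CN=New User,CN=Users,DC=test-smb,DC=example,DC=com
objectClass: user
sn: User
givenName: Old
displayName: Old User
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test-smb,DC=exa
 mple,DC=com
mail: olduser@test-smb.example.com
sAMAccountName: newuser
userPrincipalName: newuser@test-smb.example.com
cn: New User
name: New User
"""


def parse_ldif_record(text):
    """Return (dn, {attribute: [values]}) for one LDIF record, joining
    continuation lines (those starting with a space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a wrapped value
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs


def stale_attributes(attrs, old_login, old_first_name):
    """Names of attributes whose value still carries the old login or first name."""
    needle = re.compile(r"\b(%s|%s)\b" % (re.escape(old_login), re.escape(old_first_name)), re.I)
    return sorted(a for a, vals in attrs.items() if any(needle.search(v) for v in vals))


def rename_ldif(dn, replacements):
    """Build a 'changetype: modify' LDIF with one 'replace' block per
    (attribute, value) pair, separated by '-' as in rename-other-attrs.ldif."""
    blocks = ["replace: %s\n%s: %s" % (a, a, v) for a, v in replacements]
    return "dn: %s\nchangetype: modify\n" % dn + "\n-\n".join(blocks) + "\n"


if __name__ == "__main__":
    dn, attrs = parse_ldif_record(POST_RENAME_RECORD)
    print("still referencing the old name:", stale_attributes(attrs, "olduser", "Old"))
    print(rename_ldif(dn, [("givenName", "New"), ("displayName", "New User"),
                           ("mail", "newuser@test-smb.example.com")]))
```

Feed the real record in with `ldbsearch -H /var/lib/samba/private/sam.ldb 'CN=New User'` and the printed LDIF can go straight to ldbmodify.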