The first step to acheive this is to update the Samba configuration (/etc/samba/smb.conf) on your DiskStation. Adding the configuration below will get Samba to use the Active Directory attributes. I use 100000-199999 for my user and group IDs. If you use different values you may need to adjust it a bit. If you don't yet have Unix attributes assigned to your Active Directory users, check out Assigning Unix Attributes to Active Directory Objects for how I've gone about that.

[global]
    idmap config * : backend=tdb
    idmap config * : range=3000-7999
    idmap config DIGITALLOTUS : backend=ad
    idmap config DIGITALLOTUS : range=100000-199999
    idmap config DIGITALLOTUS : schema_mode=rfc2307
    idmap config DIGITALLOTUS : unix_nss_info=yes
    idmap config DIGITALLOTUS : unix_primary_group=yes

Once that is in place, restart your DiskStation. After it's up, you can check the user ID by running id user@corp.example.com and see that... it's still showing the automatically generated ID? That's actually expected at this point because of some of the DiskStation internals. If you run wbinfo -i "user@corp.example.com", which will query Samba directly, you should see the right information.

So, how do we now get the DiskStation to recognize the updated values? We have to clear its cached mappings. You can do that by running the command below.

find /volume1/@accountdb \( -type f -o -type l \) -delete

After running that command, you should be able to rerun id user@corp.example.com and see the right attributes. I did all this prior to setting up my shares and permissions. If you already have shares and permissions setup, you'll likely need to reapply your permissions to get them working with the new ID values.

#activedirectory #diskstation

$objectBase = "ou=Digital Lotus,dc=corp,dc=digitallotus,dc=com"
$idRangeBase = 100000
$primaryGid = 101110
$loginShell = "/bin/bash"
$homeDirectoryBase = "/users"

Get-ADObject `
        -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!objectClass=computer))" `
        -SearchBase "$objectBase" `
        -Properties objectClass,objectSid,uidNumber,gidNumber,sAMAccountName,loginShell,unixHomeDirectory,primaryGroupID | ForEach {
        
    $sAMAccountName = $_.sAMAccountName
    $objectRid = ($_.objectSid -split "-")[-1]
    $idNumber = $idRangeBase + $objectRid

    if ( $_.objectClass -eq "user" ) {
        if ( -not $_.uidNumber ) {
            Write-Host "Adding uidNumber $idNumber to $sAMAccountName"
            $_ | Set-ADObject -Add @{uidNumber=$idNumber}
        }
        if ( -not $_.gidNumber ) {
            Write-Host "Adding gidNumber $gidNumber to $sAMAccountName"
            $_ | Set-ADObject -Add @{gidNumber=$primaryGid }
        }
        if ( -not $_.loginShell ) {
            Write-Host "Adding loginShell $loginShell to $sAMAccountName"
            $_ | Set-ADObject -Add @{loginShell=$loginShell}
        }
        if ( -not $_.unixHomeDirectory ) {
            $homeDirectory = "$homeDirectoryBase/$sAMAccountName"
            Write-Host "Adding unixHomeDirectory $homeDirectory to $sAMAccountName"
            $_ | Set-ADObject -Add @{unixHomeDirectory=$homeDirectory}
        }
    }

    if ( $_.objectClass -eq "group" -and -not $_.gidNumber ) {
        Write-Host "Adding gidNumber $idNumber to $sAMAccountName"
        $_ | Set-ADObject -Add @{gidNumber=$idNumber}
    }

}

The objectBase variable is the base of the search for users and groups, and idRangeBase is the starting value for the IDs. The Active Directory object's relative ID is added to idRangeBase to create the actual UID or GID number.

#activedirectory #powershell