[Samba] Samba4 ldbmodify Unwilling to perform error 53

steve steve at steve-ss.com
Wed Feb 15 10:11:32 MST 2012


On 15/02/12 14:35, Andrew Bartlett wrote:
> On Tue, 2012-02-14 at 16:56 +0100, steve wrote:
>> Hi everyone
>> samba --version
>> Version 4.0.0alpha18-GIT-bfc7481
>> openSUSE 12.1
>>
>> If I do this:
>>
>> ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
>> dn: CN=steve6,CN=Users,DC=hh3,DC=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> replace: primarygroupid
>> primarygroupid: 1134
>>
>> I get an error something like:  ERR: (Unwilling to perform) error 53
>>
>> If however I do the ldbmodify in 2 stages:
>>
>> ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
>> dn: CN=steve6,CN=Users,DC=hh3,DC=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>>
>> and then:
>>
>> ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
>> dn: CN=steve6,CN=Users,DC=hh3,DC=site
>> changetype: modify
>> replace: primarygroupid
>> primarygroupid: 1134
>>
>> It works.
>
> primaryGroupID is special, but you may have found a bug in the handler
> for it.  We have to confirm that the value being selected does not
> conflict with the existing group memberships.
>
> Andrew Bartlett
>
Hi Andrew

I chopped the 1134 from the end of the group SID:
samba-tool group add suseusers
wbinfo --group-info=suseusers
suseusers:*:3000028:
wbinfo --gid-to-sid 3000028
S-1-5-21-2395500911-3560017633-4088823418-1134

Previous to this it was 513 (Domain Users I think)

Here is the script we made to POSIX-ify the group:
e.g. ./s4group suseusers
#!/bin/sh
# Create the group, then add the POSIX attributes using the gid winbind reports.
echo "Creating s4 posix group $1"
samba-tool group add "$1"
strgid=$(wbinfo --group-info="$1")
gid=$(echo "$strgid" | cut -d ":" -f 3)
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > "/tmp/$1"
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "/tmp/$1" -Y GSSAPI
rm "/tmp/$1"
echo "$1 rfc2307-ified"

and here is the script to POSIX-ify the user and add him to the group:
e.g. ./s4user steve6 suseusers
#!/bin/sh
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
sleep 2
# get the uid (printf, not echo: the name field is split on a backslash below)
struid=$(wbinfo -i "$1")
uid=$(printf '%s\n' "$struid" | cut -d ":" -f 3)
# get the gid
strgid=$(wbinfo --group-info="$2")
gid=$(echo "$strgid" | cut -d ":" -f 3)
# get the group RID: the last field of the group SID
strsid=$(wbinfo --gid-to-sid="$gid")
primarygid=$(echo "$strsid" | cut -d "-" -f 8)
# workgroup: the part of the name before the backslash
strwg=$(printf '%s\n' "$struid" | cut -d "\\" -f 1)
# add the posix attributes to the user
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "/tmp/$1"
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "/tmp/$1"
samba-tool group addmembers "$2" "$1"
# set the user to the posix group
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > "/tmp/$1"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "/tmp/$1"
mkdir "/home/$strwg/$1"
chown -R "$1:$2" "/home/$strwg/$1"
rm "/tmp/$1"
echo "New user: $1 POSIX-ified"

It works OK. The users have SSO to Linux (nss-pam-ldapd/kerberized NFS4) 
and Windows.

It's difficult to find documentation for ldbmodify. I worked this out 
from ldbmodify --help. I just wondered why we had to do the ldbmodify in 
2 stages. In particular, why we have to 'sleep 5' before going ahead 
with the primaryGroupID. BTW, it doesn't matter which way round you do 
it. You can do the primaryGroupID first if you like, but you still then 
have to wait to add the POSIX stuff.

If the scripts may be in any way useful, I could try to idiot proof them 
up a bit.

Cheers,
Steve
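
The two-stage update described in the message above, as an added example that is not part of the original post or of Samba: it builds the POSIX attributes and the primaryGroupID change as separate LDIF records, takes the RID from a validated SID instead of a fixed `cut` field, rejects names that could alter the DN or the file path, and writes to a private `mktemp` directory rather than `/tmp/<user>`. All function names are hypothetical, the base DN is assumed to be trusted configuration, and the uid in any sample call is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# The base DN argument is treated as trusted configuration.

# Allow only simple names: safe inside a DN, an LDIF line and a file path.
valid_name() {
    case "$1" in ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Non-empty, digits only.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Print the RID (last sub-authority) of a domain SID; fail on anything else.
sid_to_rid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){4}$' || return 1
    printf '%s\n' "${1##*-}"
}

# Stage 1, POSIX attributes only. Args: user, base DN, uid, gid, workgroup.
posix_ldif() {
    valid_name "$1" && valid_name "$5" && is_uint "$3" && is_uint "$4" || return 1
    printf '%s\n' "dn: CN=$1,CN=Users,$2" 'changetype: modify' \
        'add: objectclass' 'objectclass: posixaccount' '-' \
        'add: uidnumber' "uidnumber: $3" '-' \
        'add: gidnumber' "gidnumber: $4" '-' \
        'add: unixhomedirectory' "unixhomedirectory: /home/$5/$1" '-' \
        'add: loginshell' 'loginshell: /bin/bash'
}

# Stage 2, primaryGroupID in its own record. Args: user, base DN, group SID.
primary_group_ldif() {
    valid_name "$1" || return 1
    rid=$(sid_to_rid "$3") || return 1
    printf '%s\n' "dn: CN=$1,CN=Users,$2" 'changetype: modify' \
        'replace: primarygroupid' "primarygroupid: $rid"
}

# Write both stages into a private mktemp directory and print its path.
# Args: user, base DN, uid, gid, workgroup, group SID.
write_stages() {
    dir=$(mktemp -d) || return 1
    if posix_ldif "$1" "$2" "$3" "$4" "$5" > "$dir/1-posix.ldif" &&
       primary_group_ldif "$1" "$2" "$6" > "$dir/2-primarygroup.ldif"; then
        printf '%s\n' "$dir"
    else
        rm -rf "$dir"; return 1
    fi
}
```

Each file would then be passed to its own `ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site <file>` call, in the order of the file names.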

