[Samba] Samba 4 Consistent uid gid mapping across servers.

Gints Neimanis gintsn at gmail.com
Tue Oct 22 00:04:23 MDT 2013


On 10/22/2013 02:02 AM, steve wrote:
> On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
>> hi, just a thought, did you join the initial Samba 4 server as a second DC
>> to the windows 2003 server? and if so was it a 2003 or a 2003R2 server?
>> If it was just a 2003 server and did not have SFU added to it, then you
>> probably do not have the required ObjectClasses & Attributes in your schema.
>>
>> Rowland
>>
> Hi
> That could be it. The OP's ldif for adding the uidNumber is fine, but
> the schema wants none of it. The schema that ships with Samba4 works
> fine _if that is the first DC in the domain_. As Rowland says, this is
> likely caused by the Samba4 DC being joined to an existing domain based
> on 2003 or before. The only difference between our (working) ldif is
> that we are adding to CN=Users, not an OU.
Yes. Samba4 was the second DC on the Win2003 AD, then I transferred all roles to
Samba4 and removed the Win2003 DCs. The Windows DC was without SFU.

Are there any directions on how to add the necessary schemas to Samba4?

Gints

>   
>> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
>>
>>> On 10/19/2013 10:58 AM, steve wrote:
>>>
>>>> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
>>>>
>>>>>   ...
>>>>>
>>>>> My question is, that since I did not specify rfc2307 when I originally
>>>>> provisioned the domain what is going to be the effect if I try to use it
>>>>> after the fact.
>>>>>
>>>> No problem. You can use the full set of rfc2307 attributes perfectly
>>>> well without it.
>>>>
>>>>> ...
>>>>>
>>>> Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
>>>> gidNumber and ldbmodify. But be warned: do this on a _single_ DC and
>>>> add:
>>>> idmap_ldb use:rfc2307 = Yes
>>>> to smb.conf to all your DC's afterwards.
>>>>
>>> Can you please from this point give some more detailed steps?
>>>
>>> I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
>>>
>>> Now I wish to add uidNumber attribute to user object:
>>>
>>> 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and restarted samba
>>>
>>> 2) prepared file  ldbm.ldif with content:
>>> ==
>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>> changetype: modify
>>> add: uidNumber
>>> uidNumber: 300999
>>> ==
>>>
>>> 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>> .. and got:
>>>
>>> ERR: (No such attribute) "objectclass_attrs: attribute 'uidNumber' on
>>> entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>> schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block
>>> before line 5
>>> Modify failed after processing 0 records
>>>
>>> .. tried to add uidNumber with ldbedit  -H /usr/local/samba/private/sam.ldb
>>> sAMAccountName=janis.ozols
>>>
>>> ... and got:
>>>
>>> failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
>>> objectclass_attrs: attribute 'uidNumber' on entry
>>> 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>> schema!
>>>
>>> Then I tried to add the posixAccount class, but without success:
>>>
>>> # cat ldbm.ldif
>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>> changetype: modify
>>> add: objectClass
>>> objectClass: posixAccount
>>>
>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>
>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>>> setup
>>> ERR: (Unwilling to perform) "objectclass: object class changes on objects
>>> under the standard name contexts not allowed!" on DN
>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>> Modify failed after processing 0 records
>>>
>>> (don't know if it is related but:
>>> # samba-tool domain level raise --domain-level=2003
>>> ERROR: Could not retrieve the actual domain, forest level and/or lowest DC
>>> function level! )
>>>
>>>
>>> current entries for this user are:
>>>
>>> ====
>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: janis.ozols
>>> sn: Janis
>>> description: tst
>>> givenName: ozols
>>> instanceType: 4
>>> whenCreated: 20130809130646.0Z
>>> whenChanged: 20130809130646.0Z
>>> displayName: ozols Janis
>>> uSNCreated: 7575
>>> name: janis.ozols
>>> objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> homeDirectory: \\server\janis.ozols
>>> homeDrive: G:
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> scriptPath: all.bat
>>> primaryGroupID: 513
>>> profilePath: \\server\PROFILE\janis.ozols
>>> objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: janis.ozols
>>> sAMAccountType: 805306368
>>> userPrincipalName: janis.ozols at xyz.abc.lv
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
>>> pwdLastSet: 130205272060000000
>>> userAccountControl: 512
>>> uSNChanged: 7577
>>> distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>> ====
>>>
>>> Gints.
>
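The "was not found in the schema" failure quoted in this thread can be checked for before running ldbmodify, by comparing the names an LDIF modify uses against the lDAPDisplayName values in a dump of the schema partition. This is an added example, not part of any poster's message or of Samba; the function names are hypothetical, and both sample inputs are constructed (the schema excerpt stands in for a real dump of a domain without the rfc2307 entries).

```python
# Added example: list names an LDIF modify uses that the schema does not define.
# SCHEMA_DUMP and MODIFY are constructed samples; the DN and value mirror the thread.
SCHEMA_DUMP = """\
dn: CN=Common-Name,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: cn

dn: CN=Object-Class,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: objectClass
"""

MODIFY = """\
dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
changetype: modify
add: uidNumber
uidNumber: 300999

dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
changetype: modify
add: objectClass
objectClass: posixAccount
"""

def schema_names(schema_ldif):
    # Lower-cased lDAPDisplayName values (LDAP names compare case-insensitively).
    names = set()
    for line in schema_ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "ldapdisplayname":
            names.add(value.strip().lower())
    return names

def referenced_names(modify_ldif):
    # Attributes named by add/replace/delete, plus any objectClass values added.
    refs, op_attr = [], None
    for line in modify_ldif.splitlines():
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep:                      # blank line or "-" ends the operation
            op_attr = None
        elif key.lower() in ("add", "replace", "delete"):
            op_attr = value
            refs.append(value)
        elif op_attr and key.lower() == op_attr.lower() == "objectclass":
            refs.append(value)
    return list(dict.fromkeys(refs))     # de-duplicate, keep first-seen order

def missing_from_schema(modify_ldif, schema_ldif):
    known = schema_names(schema_ldif)
    return [n for n in referenced_names(modify_ldif) if n.lower() not in known]
```

The check covers schema presence only; it says nothing about the separate "object class changes ... not allowed" refusal quoted above.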


