[Samba] Samba 4 Consistent uid gid mapping across servers.

Taylor, Jonn jonnt at taylortelephone.com
Tue Oct 22 10:03:53 MDT 2013


On 10/22/2013 08:56 AM, Rowland Penny wrote:
> On 22/10/13 14:43, Gints Neimanis wrote:
>> On 10/22/2013 04:20 PM, Rowland Penny wrote:
>>> On 22/10/13 13:55, Gints Neimanis wrote:
>>>> On 10/22/2013 11:51 AM, Rowland Penny wrote:
>>>>> On 22/10/13 07:04, Gints Neimanis wrote:
>>>>>> On 10/22/2013 02:02 AM, steve wrote:
>>>>>>> On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
>>>>>>>> Hi, just a thought, did you join the initial Samba 4 server as a second DC
>>>>>>>> to the Windows 2003 server? And if so, was it a 2003 or a 2003R2 server?
>>>>>>>> If it was just a 2003 server and did not have SFU added to it, then you
>>>>>>>> probably do not have the required ObjectClasses & Attributes in your schema.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Hi
>>>>>>> That could be it. The OP's ldif for adding the uidNumber is fine, but
>>>>>>> the schema wants none of it. The schema that ships with Samba4 works
>>>>>>> fine _if that is the first DC in the domain_. As Rowland says, this is
>>>>>>> likely caused by the Samba4 DC being joined to an existing domain based
>>>>>>> on 2003 or before. The only difference between our (working) ldif is
>>>>>>> that we are adding to CN=Users, not an OU.
>>>>>> Yes. Samba4 was the second DC on a Win2003 AD, then I transferred all
>>>>>> roles to Samba4 and removed the Win2003 DCs. The Windows DC was without SFU.
>>>>>>
>>>>>> Are there any directions on how to add the necessary schemas to Samba4?
>>>>>>
>>>>>> Gints
>>>>>>
>>>>>>>> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> On 10/19/2013 10:58 AM, steve wrote:
>>>>>>>>>
>>>>>>>>>> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
>>>>>>>>>>
>>>>>>>>>>>   ...
>>>>>>>>>>>
>>>>>>>>>>> My question is, since I did not specify rfc2307 when I originally
>>>>>>>>>>> provisioned the domain, what is going to be the effect if I try to use it
>>>>>>>>>>> after the fact.
>>>>>>>>>>>
>>>>>>>>>> No problem. You can use the full set of rfc2307 attributes perfectly
>>>>>>>>>> well without it.
>>>>>>>>>>
>>>>>>>>>>> ...
>>>>>>>>>>>
>>>>>>>>>> Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
>>>>>>>>>> gidNumber and ldbmodify. But be warned: do this on a _single_ DC and add:
>>>>>>>>>> idmap_ldb use:rfc2307 = Yes
>>>>>>>>>> to smb.conf on all your DCs afterwards.
>>>>>>>>>>
>>>>>>>>> Can you please from this point give some more detailed steps?
>>>>>>>>>
>>>>>>>>> I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
>>>>>>>>>
>>>>>>>>> Now I wish to add the uidNumber attribute to a user object:
>>>>>>>>>
>>>>>>>>> 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and restarted samba
>>>>>>>>>
>>>>>>>>> 2) prepared file ldbm.ldif with content:
>>>>>>>>> ==
>>>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>>> changetype: modify
>>>>>>>>> add: uidNumber
>>>>>>>>> uidNumber: 300999
>>>>>>>>> ==
>>>>>>>>>
>>>>>>>>> 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>>>>> .. and got:
>>>>>>>>>
>>>>>>>>> ERR: (No such attribute) "objectclass_attrs: attribute 'uidNumber' on
>>>>>>>>> entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>>>>>>> schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block
>>>>>>>>> before line 5
>>>>>>>>> Modify failed after processing 0 records
>>>>>>>>>
>>>>>>>>> .. tried to add uidNumber with ldbedit -H /usr/local/samba/private/sam.ldb
>>>>>>>>> sAMAccountName=janis.ozols
>>>>>>>>>
>>>>>>>>> ... and got:
>>>>>>>>>
>>>>>>>>> failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
>>>>>>>>> objectclass_attrs: attribute 'uidNumber' on entry
>>>>>>>>> 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>>>>>>> schema!
>>>>>>>>>
>>>>>>>>> Then I tried to add the posixAccount class, but without success:
>>>>>>>>>
>>>>>>>>> # cat ldbm.ldif
>>>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>>> changetype: modify
>>>>>>>>> add: objectClass
>>>>>>>>> objectClass: posixAccount
>>>>>>>>>
>>>>>>>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>>>>>
>>>>>>>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>>>>>>>>> setup
>>>>>>>>> ERR: (Unwilling to perform) "objectclass: object class changes on objects
>>>>>>>>> under the standard name contexts not allowed!" on DN
>>>>>>>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>>>>>>>> Modify failed after processing 0 records
>>>>>>>>>
>>>>>>>>> (don't know if it is related but:
>>>>>>>>> # samba-tool domain level raise --domain-level=2003
>>>>>>>>> ERROR: Could not retrieve the actual domain, forest level and/or lowest DC
>>>>>>>>> function level! )
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> current entries for this user are:
>>>>>>>>>
>>>>>>>>> ====
>>>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>>> objectClass: top
>>>>>>>>> objectClass: person
>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>> objectClass: user
>>>>>>>>> cn: janis.ozols
>>>>>>>>> sn: Janis
>>>>>>>>> description: tst
>>>>>>>>> givenName: ozols
>>>>>>>>> instanceType: 4
>>>>>>>>> whenCreated: 20130809130646.0Z
>>>>>>>>> whenChanged: 20130809130646.0Z
>>>>>>>>> displayName: ozols Janis
>>>>>>>>> uSNCreated: 7575
>>>>>>>>> name: janis.ozols
>>>>>>>>> objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
>>>>>>>>> badPwdCount: 0
>>>>>>>>> codePage: 0
>>>>>>>>> countryCode: 0
>>>>>>>>> homeDirectory: \\server\janis.ozols
>>>>>>>>> homeDrive: G:
>>>>>>>>> badPasswordTime: 0
>>>>>>>>> lastLogoff: 0
>>>>>>>>> lastLogon: 0
>>>>>>>>> scriptPath: all.bat
>>>>>>>>> primaryGroupID: 513
>>>>>>>>> profilePath: \\server\PROFILE\janis.ozols
>>>>>>>>> objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>> logonCount: 0
>>>>>>>>> sAMAccountName: janis.ozols
>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>> userPrincipalName: janis.ozols at xyz.abc.lv
>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
>>>>>>>>> pwdLastSet: 130205272060000000
>>>>>>>>> userAccountControl: 512
>>>>>>>>> uSNChanged: 7577
>>>>>>>>> distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>>> ====
>>>>>>>>>
>>>>>>>>> Gints.
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>
>>>>> Hi, first we need to make sure that the lack of the required
>>>>> objectclasses & attributes is the problem, run this on the server:
>>>>>
>>>>> ldbsearch --url=/usr/local/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=example,DC=com" > /root/schema.ldif
>>>>>
>>>>> Replacing 'DC=example,DC=com' with your variant of it; this also
>>>>> supposes that sam.ldb is actually in '/usr/local/samba/private'.
>>>>>
>>>>> After running the command, open '/root/schema.ldif' in your favourite
>>>>> editor and search for 'CN=PosixAccount'. If it cannot be found then this
>>>>> is your problem. As a further check, I got 1550 entries on a newly
>>>>> provisioned AD DC.
>>>>>
>>>>> Rowland
>>>>
>>>> Hi,
>>>>
>>>> Thanks for your attention!
>>>>
>>>> I don't have any PosixAccount, only dn:
>>>> CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=...
>>>>
>>>> I already tried to add PosixAccount to the user object, but without success.
>>>>
>>>> # cat ldbm.ldif
>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>> changetype: modify
>>>> add: objectClass
>>>> objectClass: posixAccount
>>>>
>>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>
>>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>>>> setup
>>>> ERR: (Unwilling to perform) "objectclass: object class changes on objects
>>>> under the standard name contexts not allowed!" on DN
>>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>>> Modify failed after processing 0 records
>>>>
>>>> I would be very pleased if there are some directions on how to extend the
>>>> schema with the necessary data.
>>>>
>>>> Gints
>>>>
>>> Hi, did you run the command I posted and do you now have the file
>>> 'schema.ldif' in /root?
>>
>> Yes
>>>
>>> If so, can you find 'CN=PosixAccount,CN=Schema,CN=Configuration' in the file?
>>
>> No
>>>
>>> You do not ever need to add the 'PosixAccount' & 'PosixGroup' objectclasses
>>> to a container, they are auxiliary classes of 'User' and Windows never adds them.
>>>
>>> If, as it seems, you do not have the required SFU objectClasses & Attributes,
>>> you now have a bit of work in front of you. Unless somebody else can help, I
>>> can only suggest that you compare my schema.ldif with yours, remove what is
>>> in yours from mine and then add what is left to your AD DC.
>>>
>>> You will then need to add /usr/local/samba/share/setup/ypServ30.ldif
>>
>> Thanks for your help. Then I will provision a clean Samba4 domain in a test
>> environment and compare the schemas between the migrated and clean domains.
>> At least it will be a more exciting job than migrating back to Windows 2003
>> (R2), adding SFU and then going back to Samba4.
>
> Windows 2003 didn't come with SFU, it had to be added, but Windows 2003R2
> did, there is the difference. I personally do not find the very easy job of
> compiling and provisioning Samba 4.1 exciting ;-)
>
> I think if you start from a new provision of Samba 4.1 (using
> --use-rfc2307) then all of your problems will disappear.
>
> Rowland
>
>>
>> Best regards!
>> Gints
>>
>>
>>>
>>> I do not think that anybody has tried this yet, but if this is a bad idea,
>>> then I am sure that somebody will say so.
>>>
>>> Rowland
>>
>
I just went through something like this. Our domain was a 2003, not
2003R2. The way I did it was to add a 2003 DC back to the domain,
install SFU and then demote the 2003 DC. I then took this a bit further
and upgraded the domain to 2008R2 by running the MS utility to upgrade
the domain. I then joined a 2008R2 server to the domain just to make
sure there were no problems and then took it back out. You may be able to
use the domain upgrade utility to add what you need without adding a
2003 server.

Jonn


