[Samba] core & cosine schema items in Samba AD DC user object?

Franta Hanzlík franta at hanzlici.cz
Tue Mar 26 13:50:41 UTC 2024


On Tue, 26 Mar 2024 08:01:27 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 26 Mar 2024 02:57:51 +0100
> Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> 
> > Please, it is possible (perhaps with some Samba schema extension?) to
> > have items as 'c' (countryName), 'l' (localityName), 'l'
> > (localityName), 'co' (friendlyCountryName), 'street' (streetAddress),
> > 'displayName' etc. in the description of the USER object?
> 
> It is very possible, because they are standard components of the AD
> schema:
> 
> dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
> lDAPDisplayName: c
> 
> dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> lDAPDisplayName: l
> 
> dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
> lDAPDisplayName: co
> 
> dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
> lDAPDisplayName: street
> 
> dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
> lDAPDisplayName: displayName

Yeah, it is super!
My mistake was that before I was only looking in the
/etc/openldap/schema/samba.schema file, where these attributes are not
present. But now I can see them in the
/usr/share/samba/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
file (which is perhaps what Samba uses as its schema).

> >
> > And then how to manage them? The "samba-tool user add" doesn't seem
> > to have a corresponding switch...
> 
> That would be up to you writing your own script to add them, unless you
> would care to update samba-tool to do this ;-)

Maybe these attributes can be supplemented with some Windows tool (RSAT/
ADUC); I haven't tried it yet.

What I just tried: adding these attributes to AD with ldbmodify and a
pre-prepared LDIF file (such as:

dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
changetype: modify
add: l
l: Plzeň

) - and it works well, so the problem is solved.

And another finding: adding a non-existent attribute such as Locality-Name (

dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
changetype: modify
add: Locality-Name
Locality-Name: Plzeň

) to the schema (I mistakenly thought that e.g. the 'l' attribute is an
external/LDAP alias for the internal "Locality-Name" attribute used
by Samba) will not fail, and the USER object will have both "l" and
"Locality-Name" attributes. Is it OK that I can add any nonsense
(an attribute not in the schema) to the object?

> 
> Rowland
> 
> -- 

Rowland, thank you so much!
-- 
Franta Hanzlik
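Since the thread shows an LDIF with a misspelled attribute name ("Locality-Name" instead of "l") being accepted, one defensive habit is to check every attribute name in a modify LDIF against the lDAPDisplayName values of the DC's schema before handing the file to ldbmodify. The script below is an added example, not code from the Samba project or from either poster; it assumes you have exported the schema's lDAPDisplayName list yourself (the five names quoted by Rowland plus cn/objectClass are used as a constructed stand-in), and the LDIF it checks is a constructed copy of the two changes from this message.

```python
"""Pre-flight check for an LDIF 'changetype: modify' file before ldbmodify.

Added example (not Samba's code). Assumptions: SAMPLE_SCHEMA_ATTRS stands in
for the real lDAPDisplayName list exported from CN=Schema,CN=Configuration,
and SAMPLE_LDIF is a constructed copy of the changes discussed in the thread.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample: lDAPDisplayName values quoted in the thread, plus two
# basics. LDAP attribute names are case-insensitive, so matching is lowercased.
SAMPLE_SCHEMA_ATTRS: Set[str] = {"c", "l", "co", "street", "displayName",
                                 "cn", "objectClass"}

# Constructed sample LDIF: the valid 'l' add and the mistaken 'Locality-Name'
# add from the message, written as one modify record with two change blocks.
SAMPLE_LDIF = """\
dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
changetype: modify
add: l
l: Plzeň
-
add: Locality-Name
Locality-Name: Plzeň
"""

# "name:" or "name;option:" (also matches the base64 form "name::").
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(;[^:]*)?:")
CHANGE_OPS = ("add", "replace", "delete")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_modify(text: str) -> List[Tuple[str, List[str]]]:
    """Return (dn, [attribute names referenced]) for each record in the LDIF."""
    records: List[Tuple[str, List[str]]] = []
    dn, attrs = "", []
    for line in unfold(text) + [""]:  # sentinel blank line closes last record
        if not line.strip():
            if dn:
                records.append((dn, attrs))
            dn, attrs = "", []
            continue
        if line.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
            continue
        if line.strip() == "-" or line.startswith("changetype:"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # comment or malformed line; not our concern here
        name = m.group(1)
        if name in CHANGE_OPS:
            # "add: l" names the attribute being changed; record that name.
            name = line.split(":", 1)[1].strip()
        attrs.append(name)
    return records


def unknown_attributes(text: str, schema_attrs: Set[str]) -> Dict[str, List[str]]:
    """Map each DN to the attribute names in its changes that are not in the schema."""
    known = {a.lower() for a in schema_attrs}
    problems: Dict[str, List[str]] = {}
    for dn, attrs in parse_ldif_modify(text):
        bad = sorted({a for a in attrs if a.lower() not in known}, key=str.lower)
        if bad:
            problems[dn] = bad
    return problems


if __name__ == "__main__":
    # Usage: python check_ldif.py [file.ldif]; without an argument the sample runs.
    ldif = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    found = unknown_attributes(ldif, SAMPLE_SCHEMA_ATTRS)
    for dn, names in found.items():
        print(f"{dn}: attributes not in schema: {', '.join(names)}")
    sys.exit(1 if found else 0)
```

On the constructed sample this reports only "Locality-Name" for the user DN, which is exactly the mistake described in the message, while "l" passes. The check is a name lookup only: it does not verify attribute syntax, single- vs multi-valuedness, or whether the object's objectClass permits the attribute, so it complements rather than replaces whatever schema enforcement the DC itself applies.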