Extending Samba 4 schema for OSX GPO support

Aubrey Ekstrom aekstrom at proclivitysystems.com
Tue Nov 23 16:00:35 MST 2010


Hi Andrew,

I tried with ldbadd and it says it added all 10 classes (records) with no errors, but both ldbadd and ldbmodify report "Added (or Modified) 0 records with 0 failures" for the 3 modifies at the end:


# Add the new class to the user object
dn: CN=User,CN=Schema,CN=Configuration,DC=corp,DC=core
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-user
-

# Add the new class to the computer object
dn: CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=core
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-computer
-

# Add the new class to the group object
dn: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=core
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-group
-

Also, I cannot find the 10 added classes in phpLDAPadmin (even after logging out and logging in again). Maybe I used the wrong -H url in ldbadd? But then I should have had errors since I authenticated with the correct admin and password... Don't know.

I am also attaching a .pdf from Apple with their instructions for this. Hopefully it will be useful for you (it wasn't easy to find). After reading that doc, I realized I did not have everything they said you needed (like OS X Server), so I found an already formatted LDIF file on the internet and modified that, but the one I use meets all the criteria in Apple's instructions.

I have to go home soon, but I'll be back tomorrow :)

Cheers,

Aubrey Ekstrom | Systems Administrator | Proclivity Systems
22 West 19th St., Ninth Floor, New York, NY 10011 | 646-237-3727
http://www.proclivitysystems.com 


This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all
copies.

----- Original Message -----
From: "Andrew Bartlett" <abartlet at samba.org>
To: "Aubrey Ekstrom" <aekstrom at proclivitysystems.com>
Cc: "Kamen Mazdrashki" <kamenim at samba.org>, samba-technical at lists.samba.org
Sent: Tuesday, November 23, 2010 4:03:07 PM
Subject: Re: Extending Samba 4 schema for OSX GPO support

On Tue, 2010-11-23 at 15:46 -0500, Aubrey Ekstrom wrote:
> Hi Kamen,
> 
> Thanks! That worked perfectly for all 36 attributes and they were all added and I see them in the schema :)... but it still failed for the 10 classes and 3 modifies for the Apple classes 8(...

> 
> # ==================================================================
> #  Updating present elements
> # ==================================================================
> 
> 
> I get these errors for all 10 classes:
> 
> Adding... CN=apple-computer,CN=Schema,CN=Configuration,DC=corp,DC=core Failed
> Error code: 21
> Description: Invalid syntax
> 
> and when I click for more details:
> 
> Error
> No such entry: CN=apple-computer,CN=Schema,CN=Configuration,DC=corp,DC=core
> 
> And this on the modify entries at the end:
> 
> LDAP said: Invalid syntax
> Error number: 0x15 (LDAP_INVALID_SYNTAX)
> Description: An invalid attribute value was specified.
> 
> But no specific invalid attribute is mentioned... only the generic error. If you or anyone has any thoughts it is greatly appreciated. All these entries are the ones that Apple says you need to import into MS A/D for managing Macs via GPO, and formatted exactly as Apple recommends. It would be great to get this working with Samba 4. I know your priority is to make the Microsoft users happy first, but Apple is definitely making in-roads into Windows-dominated corporate networks, and all those administrators would be thrilled to be able to manage their Macs with GPO. Extending MS A/D schema is often something Windows admins don't want to do, but having the option to extend a Samba 4 A/D schema that works in their Windows A/D environment would be a big score for everyone :).

Can you add these with ldbadd or ldbmodify and see if we produce a more
useful error that phpLdapAdmin is losing?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Modifying_the_Active_Directory_Schema.pdf
Type: application/pdf
Size: 96447 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101123/6d648bd4/attachment.pdf>