Extending Samba 4 schema for OSX GPO support

Aubrey Ekstrom aekstrom at proclivitysystems.com
Wed Nov 24 13:50:47 MST 2010


Hi Kamen,

I get the same errors as below from the command line ldbmodify entering the items line by line in interactive mode. It also throws a similar error from phpLDAPadmin if I try to add the auxiliaryClass manually there. I get the feeling that for some reason the ldb schema doesn't recognize the Apple auxiliaryClass types... except you said you got it to work: "It worked like charm :)" So I don't know what I'm doing wrong.

Heading out for the long weekend. I'll revisit this on Monday. Happy Thanksgiving to everyone!

Aubrey Ekstrom | Systems Administrator | Proclivity Systems
22 West 19th St., Ninth Floor, New York, NY 10011 | 646-237-3727
http://www.proclivitysystems.com 


This message is the property of Proclivity Systems, Inc. and is intended
only for the use of the addressee(s), and may contain material that is
confidential and privileged for the sole use of the intended recipient.  If
you are not the intended recipient, reliance or forwarding without express
permission is strictly prohibited; please contact the sender and delete all
copies.

----- Original Message -----
From: "Aubrey Ekstrom" <aekstrom at proclivitysystems.com>
To: "Kamen Mazdrashki" <kamenim at samba.org>
Cc: "Andrew Bartlett" <abartlet at samba.org>, samba-technical at lists.samba.org
Sent: Wednesday, November 24, 2010 11:30:46 AM
Subject: Re: Extending Samba 4 schema for OSX GPO support

Hi Kamen,

Thanks again for all your help with this!

Using TextWrangler on a Mac when I look at save options it says it is Unicode (UTF 8 NO BOM) with Unix line breaks. When I change it to Unicode (UTF 8) ldbmodify reads the file, but does nothing with it (0 records modified with 0 failures). When I put it back to its original format it works (sort of). Anyways, I made the other changes you recommended and it still does not like the last 4 modify changes at the end. I get these errors from ldbmodify:

ERR: (No such object) "No such object (32)" on DN 
ERR: (No such object) "No such object (32)" on DN CN=User,CN=Schema,CN=Configuration,DC=corp,DC=core
ERR: (No such object) "No such object (32)" on DN CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=core
ERR: (No such object) "No such object (32)" on DN CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=core
Modified 10 records with 4 failures

This is for these items at the end of the ldif file:

dn: 
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Add the new class to the user object
dn: CN=User,CN=Schema,CN=Configuration,DC=corp,DC=core
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-user
-

# Add the new class to the computer object
dn: CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=core
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-computer
-

# Add the new class to the group object
dn: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=core
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-group
-

Plus, even though it says it adds the 10 classes, I still don't see them in phpLDAPadmin (even searching all base DNs). If I try to add them again, it complains that they already exist though, so it puts them somewhere. What am I missing here? Any thoughts? Thanks!

To remind on the environment (just in case):

Debian 5.0.6
Samba 4 (git version 4.0.0alpha14-GIT-0e95fca)
phpLDAPadmin 1.1.0.5

I will keep poking around too and let you all know if I figure it out on my own.

Cheers,

Aubrey Ekstrom | Systems Administrator | Proclivity Systems
22 West 19th St., Ninth Floor, New York, NY 10011 | 646-237-3727
http://www.proclivitysystems.com 

----- Original Message -----
From: "Kamen Mazdrashki" <kamenim at samba.org>
To: "Aubrey Ekstrom" <aekstrom at proclivitysystems.com>
Cc: "Andrew Bartlett" <abartlet at samba.org>, samba-technical at lists.samba.org
Sent: Tuesday, November 23, 2010 6:28:30 PM
Subject: Re: Extending Samba 4 schema for OSX GPO support

Hi Aubrey,

I have tested with the ldif you've attached in your first mail (I think)
and here is what I did to make it work (yes, it works)
1. the ldif is in Unicode - I've converted it to utf-8
2. in all classes, rdnAttId, subClassOf etc are denoted by OIDs
  so I just commented the line with the numeric OID and uncommented
  the line after it (the one with the ldapDisplayName)
  (it seems this is a problem only for rdnAttId, but I did for all of them anyway)
3. replace "changetype: ntdsschemaadd" with "changetype: add"
4. use ldbmodify utility

It worked like charm :)
Good luck!

-- 
CU,
Kamen Mazdrashki
Samba Team                                            http://samba.org
http://gitweb.samba.org/?p=kamenim/samba.git;a=summary


On Wed, Nov 24, 2010 at 01:00, Aubrey Ekstrom
<aekstrom at proclivitysystems.com> wrote:
> Hi Andrew,
>
> I tried with ldbadd and it says it added all 10 classes (records) with no errors, but both ldbadd and ldbmodify report "Added (or Modified) 0 records with 0 failures" for the 3 modifies at the end:
>
>
> # Add the new class to the user object
> dn: CN=User,CN=Schema,CN=Configuration,DC=corp,DC=core
> changetype: modify
> add: auxiliaryClass
> auxiliaryClass: apple-user
> -
>
> # Add the new class to the computer object
> dn: CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=core
> changetype: modify
> add: auxiliaryClass
> auxiliaryClass: apple-computer
> -
>
> # Add the new class to the group object
> dn: CN=Group,CN=Schema,CN=Configuration,DC=corp,DC=core
> changetype: modify
> add: auxiliaryClass
> auxiliaryClass: apple-group
> -
>
> Also, I can not find the 10 added classes in phpLDAPadmin (even after logging out and logging in again). Maybe I used the wrong -H url in ldbadd? But then I should have had errors since I authenticated with the correct admin and password... Don't know.
>
> I am also attaching a .pdf from Apple with their instructions for this. Hopefully it will be useful for you (it wasn't easy to find). After reading that doc, I realized I did not have everything they said you needed (Like OS X Server), so I found an already formatted LDIF file on the internet and modified that, but the one I use meets all the criteria in Apple's instructions.
>
> I have to go home soon, but I'll be back tomorrow :)
>
> Cheers,
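
Added example (not part of the original thread and not Samba code): a Python pre-processing pass that applies steps 1-3 of Kamen's procedure to a schema LDIF and writes UTF-8 without a byte-order mark, the encoding Aubrey reports ldbmodify acting on. The function names, the constructed sample, its placeholder governsID value and the assumed layout (each numeric-OID line directly followed by a commented-out name line for the same attribute) are assumptions for illustration.

```python
import codecs
import re

# Attribute whose value is a dotted numeric OID, e.g. "rDNAttID: 2.5.4.3"
OID_LINE = re.compile(r"^([A-Za-z][\w-]*):\s*\d+(?:\.\d+)+\s*$")
# Commented-out alternative in name form, e.g. "#rDNAttID: cn" (assumed layout)
NAME_ALT = re.compile(r"^#\s*([A-Za-z][\w-]*):\s*(\S.*)$")

# Constructed sample: UTF-16 with BOM, CRLF line ends, placeholder governsID
SAMPLE = (
    "dn: CN=apple-user,CN=Schema,CN=Configuration,DC=corp,DC=core\r\n"
    "changetype: ntdsschemaadd\r\n"
    "objectClass: classSchema\r\n"
    "governsID: 1.2.3.4.5\r\n"
    "rDNAttID: 2.5.4.3\r\n"
    "#rDNAttID: cn\r\n"
    "subClassOf: 2.5.6.0\r\n"
    "#subClassOf: top\r\n"
).encode("utf-16")


def decode_ldif(raw: bytes) -> str:
    """Step 1: decode UTF-16 or UTF-8 input and drop any byte-order mark."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")   # the utf-16 codec consumes the BOM
    return raw.decode("utf-8-sig")    # strips a UTF-8 BOM if one is present


def normalize_schema_ldif(raw: bytes) -> bytes:
    """Apply steps 1-3; step 4 (running ldbmodify) is left to the operator."""
    lines = decode_ldif(raw).replace("\r\n", "\n").split("\n")
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        oid, alt = OID_LINE.match(line), NAME_ALT.match(nxt)
        # Step 2: swap only when the commented line names the same attribute
        if oid and alt and alt.group(1).lower() == oid.group(1).lower():
            out.append("#" + line)                         # comment the OID form
            out.append(f"{alt.group(1)}: {alt.group(2)}")  # enable the name form
            i += 2
            continue
        if line.strip().lower() == "changetype: ntdsschemaadd":
            line = "changetype: add"                       # step 3
        out.append(line)
        i += 1
    return "\n".join(out).encode("utf-8")                  # UTF-8, no BOM
```

Lines such as governsID, whose numeric OID has no commented name alternative after it, pass through unchanged.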


