Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

Daniele Dario d.dario76 at gmail.com
Mon Sep 24 09:00:56 MDT 2012


Hi steve and samba list,
I'm re-provisioning the domain and I will use the "rfc2307" option.

I provisioned with
samba-tool domain provision --realm=saitel.loc --domain=SAITEL
--adminpass=xxxxxx --server-role=dc --use-xattrs=yes --use-rfc2307

Now I created a new user and tried to see if (as steve pointed) the
objectClass: posixAccount statement is present for that user.

To get this I used
ldbsearch -H sam.ldb -b "DC=saitel,DC=loc" "(sAMAccountName=theuser)"
but I can see only the following objectClass statements:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

Is it correct or am I missing something?

If I join another DC to the domain and in its smb.conf I add the
idmap_ldb:use rfc2307 = Yes statement would it pull the UID from the AD?
Would the UIDs be the same on both DCs?

Thanks,
Daniele.

On Mon, 2012-09-24 at 14:43 +0200, steve wrote:
> On 24/09/12 12:28, Daniele Dario wrote:
> > Hi steve,
> >
> > On Fri, 2012-09-21 at 17:10 +0200, steve wrote:
> >> On 21/09/12 10:10, Daniele Dario wrote:
> 
> >>
> >>
> >>
> >
> > thanks for sharing this. Can you please clarify what you mean with "we
> > added: objectClass: posixAccount ...".
> 
> Hi Daniele
> idmap_ldb:use rfc2307 = yes
> implies that you wish to obtain uidNumber and gidNumber from the 
> directory rather than the external idmap.ldb database.
> 
> The schema dictates that to have uidNumber and gidNumber attributes then 
> we must also have an objectClass which supplies those attributes.
> 
> Here is a user called steve2 who meets these conditions (for our base DN 
> where: DC=hh3,DC=site):
> 
> dn: CN=steve2,CN=Users,DC=hh3,DC=site
> cn: steve2
> instanceType: 4
> whenCreated: 20120828151721.0Z
> uSNCreated: 3733
> name: steve2
> objectGUID: 93cdeea8-f899-448e-9b09-7b67023aadd9
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-699126639-3096025544-1681200688-1108
> logonCount: 0
> sAMAccountName: steve2
> sAMAccountType: 805306368
> userPrincipalName: steve2 at hh3.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
> pwdLastSet: 129906406410000000
> gidNumber: 20513
> homeDirectory: \\hh1\home\steve2
> homeDrive: Z:
> loginShell: /bin/bash
> profilePath: \\hh1\profiles\steve2
> uidNumber: 3000007
> unixHomeDirectory: /home2/home/steve2
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20120829085046.0Z
> uSNChanged: 3769
> distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site
> 
> Here is the group Domain Users which meets the same condition:
> 
> dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20120828143745.0Z
> uSNCreated: 3540
> name: Domain Users
> objectGUID: 87da3fa5-f07c-4a4c-b501-154a53110a1b
> objectSid: S-1-5-21-699126639-3096025544-1681200688-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
> gidNumber: 20513
> whenChanged: 20120828152046.0Z
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> uSNChanged: 3739
> distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site
> 
> I do not think that your existing users and groups will have these 
> entries and unless you add them when you create a new user or group, 
> these will lack the LDAP entries too.
> 
> The method to add the classes you are missing is documented here:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
> 
> HTH
> Cheers,
> Steve
> 
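The check Daniele did by eye with ldbsearch can be scripted. The Python below is an added example, not code from this thread or from Samba: it parses LDIF as printed by ldbsearch or ldapsearch and reports, per object, whether it satisfies the conditions Steve describes (a user needs objectClass posixAccount plus uidNumber and gidNumber; a group needs posixGroup plus gidNumber), and additionally flags a uidNumber shared by more than one user. The embedded LDIF is constructed, modelled on the steve2 and Domain Users entries above plus a user like "theuser" that lacks the POSIX attributes; the script name and the audit/report layout are this example's own.

```python
import base64
import sys
from collections import defaultdict

# Constructed LDIF modelled on the entries quoted in this thread: a user that
# meets the rfc2307 conditions, one that lacks them, and a group. The
# "# record"/"# returned" lines imitate ldbsearch output framing.
SAMPLE_LDIF = """\
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
sAMAccountName: steve2
gidNumber: 20513
uidNumber: 3000007
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user

# record 2
dn: CN=theuser,CN=Users,DC=hh3,DC=site
cn: theuser
sAMAccountName: theuser
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

# record 3
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description:: QWxsIGRvbWFpbiB1c2Vycw==
sAMAccountName: Domain Users
gidNumber: 20513
objectClass: top
objectClass: posixGroup
objectClass: group

# returned 3 records
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space), '#' comment lines and
    base64 values written as 'attr:: <base64>'.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    return entries


def rfc2307_problems(entry):
    """Reasons this object cannot supply a POSIX id via rfc2307 (empty list if OK)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    problems = []
    if "user" in classes:
        if "posixaccount" not in classes:
            problems.append("missing objectClass posixAccount")
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                problems.append(f"missing {attr}")
    elif "group" in classes:
        if "posixgroup" not in classes:
            problems.append("missing objectClass posixGroup")
        if "gidNumber" not in entry:
            problems.append("missing gidNumber")
    else:
        problems.append("neither a user nor a group object")
    return problems


def audit(ldif_text):
    """Map each DN to its problem list; also flag a uidNumber used by several objects."""
    entries = parse_ldif(ldif_text)
    report = {e["dn"][0]: rfc2307_problems(e) for e in entries}
    uid_owners = defaultdict(list)
    for e in entries:
        for uid in e.get("uidNumber", []):
            uid_owners[uid].append(e["dn"][0])
    for uid, dns in uid_owners.items():
        if len(dns) > 1:
            for dn in dns:
                report[dn].append(f"uidNumber {uid} also used by {len(dns) - 1} other object(s)")
    return report


if __name__ == "__main__":
    # Pass a file of ldbsearch/ldapsearch output, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, problems in audit(text).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
```

To run it against a real domain, save the output of a query such as ldbsearch -H sam.ldb -b "DC=saitel,DC=loc" "(objectClass=user)" to a file and pass that file as the argument (the script filename is up to you). Because uidNumber and gidNumber live in the directory rather than in a DC-local idmap.ldb, the same objects produce the same report whichever DC the LDIF is exported from.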
