RFC2307 on a Samba DC - HowTo
Rowland Penny
repenny241155 at gmail.com
Mon May 19 03:00:08 MDT 2014
On 19/05/14 00:23, Marc Muehlfeld wrote:
> Am 19.05.2014 00:40, schrieb steve:
>> The implication is that the ypserv NIS schema _has_ to be installed and
>> that windows is the only way to work with rfc2307. There is no mention
>> of samba-tool to do the same on the DC.
>>
>> how about this as the first paragraph:
>> 'Samba4 comes complete with a complete set of rfc2307 attributes which
>> are available immediately following a default provision. The following
>> howto is only needed should you need to work with rfc2307 from a windows
>> computer.'
> That RFC2307 is already enabled per default is already mentioned in the
> first section. The rest of the HowTo is general information, beside the
> ADUC stuff at the end, and not just Windows related.
>
> And I even use the ypServ30 schema if I'm administrating on Linux,
> because I increment there the next UID/GID, like ADUC does. So it's easy
> to track the last used IDs and I stay ADUC compatible if other
> administrators or I use ADUC.
>
>> Then another howto on manipulating rfc2307 on the DC from the Unix side:
>> 1. samba-tool
>> 2. ldbedit
>> 3. ldbmodify
> Feel free to register an account and add it. The more people contribute
> to the Wiki, the faster we get great documentation ;-)
>
> Regards,
> Marc
Hi, I can understand Marc's point of view here, but Steve has raised a
valuable point: there are other ways of managing RFC2307 attributes in
Samba4 AD.
You can use ldb-tools, but this really requires a lot of knowledge and
is not for a beginner. The other method is to use samba-tool, now whilst
this will allow you to create a new user, it also has its problems.
If you want to create a new user with samba-tool it is fairly simple:
samba-tool user add username userpassword
Unfortunately, this is not how windows does it! If you create a user
through ADUC, you must also supply the user's first & last names.
If you want your user to be a Unix user as well you can add:
'--uid-number=UID_NUMBER --gid-number=GID_NUMBER'
You must supply the two numbers and keep track of them yourself, there
is nowhere in samba4 AD (as standard) to store these numbers.
The last big problem is, if you carry out a classicupgrade, you get the
posix objectClasses in AD, NO windows tools will add these objectClasses
and if you then start to add users (either by ADUC or samba-tool), then
these new users will not get the posix objectClasses. This could then
lead to incorrect results being returned by searches of AD by external
tools, if these tools rely on the posix objectClasses.
IMHO, parts of samba-tool need to be re-written to make it work in the
same way as ADUC, I would do this if I could but, I do not have any
coding ability with python, bash scripts yes, python a big no.
Rowland
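As an added example (not from Rowland's mail or from the Samba project), a small POSIX shell script that addresses the "keep track of them yourself" problem above: it takes the next free uidNumber from an ldbsearch LDIF dump and prints the matching samba-tool invocation with the --uid-number/--gid-number options. The LDIF sample is constructed, and the sam.ldb path and FIRST_UID range are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mail or from Samba. Assumed: SAMPLE_LDIF
# is a constructed stand-in for the output of
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' uidNumber
# and FIRST_UID is the bottom of the range you chose for Unix-enabled users.
FIRST_UID=10000

# Constructed sample output; replace with the real ldbsearch output.
SAMPLE_LDIF='# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10003

# returned 2 records
'

# next_uid LDIF_TEXT -> prints max(uidNumber)+1, or FIRST_UID when the
# directory holds no uidNumber yet (fresh provision, no classicupgrade).
next_uid() {
    printf '%s\n' "$1" | awk -v first="$FIRST_UID" '
        /^uidNumber: / { if ($2 + 0 > max) max = $2 + 0 }
        END { if (max < first) print first; else print max + 1 }'
}

# build_add_cmd USER GID LDIF_TEXT -> prints the samba-tool command line.
# The password is deliberately left off argv; samba-tool prompts for it.
build_add_cmd() {
    user=$1; gid=$2; uid=$(next_uid "$3")
    printf 'samba-tool user add %s --uid-number=%s --gid-number=%s\n' \
        "$user" "$uid" "$gid"
}

build_add_cmd carol 10000 "$SAMPLE_LDIF"
```

Run the printed command on the DC; the gidNumber must already exist as a group's gidNumber if external tools are to resolve it.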