[Samba] Samba4: error in schema?

steve steve at steve-ss.com
Wed Mar 21 08:22:39 MDT 2012


Hi everyone

Struggling to find a workaround for this. Sorry to bump but could 
someone give me a quick yes or no or it's-you-that's-at-fault on this one?

Thanks,
Steve

On 18/03/12 08:19, steve wrote:
> Hi
> There seems to be a discrepancy in the s4 schema concerning security 
> groups.
> Domain Users comes with gidNumber: 100. This is however contrary to 
> what the schema allows. You can show this as follows:
>
> Create a new group. samba-tool group add mygroup.
> Use phpldapadmin to add the gidNumber attribute.
>
> There is an error because gidNumber is provided by the posixGroup 
> class and that objectclass is not present by default.
>
> No problem. We add objectClass: posixGroup and then we can add 
> gidNumber: xxx just fine.
>
> This however throws up another error in that mygroup is now not a 
> security group but a posix group and the ability to view and 
> manipulate group members is not available in Active Directory 
> Computers and Users (ADCU). We made the following observations:
>
> 1. The members tabs are missing from mygroup properties in ADCU
> 2. you can still use samba-tool group addmembers to manipulate the groups
> 3. you can still select and change primary group for a user in ADCU
> 4. you can add users to the group under phpldapadmin but the users who 
> are already members are not displayed. An error is however correctly 
> displayed if you try to add a user who is already a member.
> 5. You can still manipulate the posixGroup as if it were a security 
> group, set ACLs and permissions etc from the security tab of a file 
> or folder.
> 6. You can use a big hammer to add attributes that you should not be 
> able to add. e.g. you can add gidNumber without the objectClass (which 
> supplies gidNumber) being present using ldapmodify or ldbmodify.
> 7. posixAccount and its associated attributes work exactly as 
> advertised in the schema.
>
> Conclusion:
> This is simply an inconvenience. Everything works as expected except 
> being able to view the members that are in a group either in ADCU or 
> phpldapadmin _after_ you have added objectClass: posixGroup to it.
>
> Why does adding the posixGroup Class knock out the ability to be able 
> to view group membership? Is this an error in the posixGroup schema?  
> Is it an aim that s4 be an _exact_ replacement for m$ AD?
> Is this the schema that is used?
>
> from: MS-AD_Schema_2K8_R2_Classes, under 
> /usr/local/samba/share/setup/ad-schema
> cn: PosixAccount
> ldapDisplayName: posixAccount
> governsId: 1.3.6.1.1.1.2.0
> objectClassCategory: 3
> rdnAttId: uid
> subClassOf: top
> mayContain: uid, cn, uidNumber, gidNumber, 
> unixHomeDirectory,homeDirectory, userPassword, unixUserPassword, 
> loginShell, gecos,description
> schemaIdGuid:ad44bb41-67d5-4d88-b575-7b20674e76d8
> defaultSecurityDescriptor: 
> D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
> defaultHidingValue: TRUE
> systemOnly: FALSE
> defaultObjectCategory: 
> CN=PosixAccount,CN=Schema,CN=Configuration,<RootDomainDN>
>
> cn: PosixGroup
> ldapDisplayName: posixGroup
> governsId: 1.3.6.1.1.1.2.2
> objectClassCategory: 3
> rdnAttId: cn
> subClassOf: top
> mayContain: cn, userPassword, unixUserPassword, description,gidNumber, 
> memberUid
> schemaIdGuid:2a9350b8-062c-4ed0-9903-dde10d06deba
> defaultSecurityDescriptor: 
> D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
> defaultHidingValue: TRUE
> systemOnly: FALSE
> defaultObjectCategory: 
> CN=PosixGroup,CN=Schema,CN=Configuration,<RootDomainDN>
>
> There are full details of what we have tried with screenshots in the 
> latter part of this bugzilla:
>
> https://bugzilla.samba.org/show_bug.cgi?id=8635
>
> Please let us know if there is anything we can test.
>
> Cheers,
> Steve
> (Could someone fwd to samba-technical?)
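As an added example (not from the post, nor Samba's own code), the check below parses the posixAccount/posixGroup records quoted above and reports attributes on an entry that none of its objectClass values supplies, which is the "big hammer" situation in observation 6. The `group` schema record and the `mygroup` entry are constructed stand-ins; the real AD `group` class is much larger and is not quoted in the post.

```python
import re

# Schema records quoted in the post (MS-AD_Schema_2K8_R2_Classes), trimmed to the
# fields this check uses. The 'group' record is a constructed stand-in for the real
# AD structural class, which the post does not quote.
SCHEMA_TEXT = """\
ldapDisplayName: group
objectClassCategory: 1
mayContain: cn, description, sAMAccountName, member, groupType

ldapDisplayName: posixAccount
objectClassCategory: 3
mayContain: uid, cn, uidNumber, gidNumber, unixHomeDirectory,homeDirectory, userPassword, unixUserPassword, loginShell, gecos,description

ldapDisplayName: posixGroup
objectClassCategory: 3
mayContain: cn, userPassword, unixUserPassword, description,gidNumber, memberUid
"""
AUXILIARY = 3  # objectClassCategory value meaning "auxiliary class"

def parse_schema(text):
    """Map ldapDisplayName -> {'category': int, 'may': set of attribute names}."""
    classes = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in record.splitlines())}
        may = {a.strip() for a in fields.get("mayContain", "").split(",") if a.strip()}
        classes[fields["ldapDisplayName"]] = {"category": int(fields["objectClassCategory"]), "may": may}
    return classes

def unsupplied_attributes(schema, entry):
    """Attributes on the entry that none of its objectClass values supplies, each
    mapped to the classes that would supply it (what ldbmodify lets through)."""
    present = set(entry["objectClass"]) | {"top"}
    problems = {}
    for attr in entry:
        if attr == "objectClass" or any(attr in schema.get(oc, {"may": ()})["may"] for oc in present):
            continue
        problems[attr] = sorted(n for n, c in schema.items() if attr in c["may"])
    return problems

def is_auxiliary(schema, name):
    """Category 3 classes are added alongside a structural class, not in place of it."""
    return schema[name]["category"] == AUXILIARY

if __name__ == "__main__":
    schema = parse_schema(SCHEMA_TEXT)
    # Constructed entry: 'mygroup' with gidNumber forced in, no posixGroup class.
    mygroup = {"objectClass": ["top", "group"], "cn": "mygroup", "gidNumber": "10001"}
    print(unsupplied_attributes(schema, mygroup))  # {'gidNumber': ['posixAccount', 'posixGroup']}
    print(is_auxiliary(schema, "posixGroup"))  # True
```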
