[Samba] Samba4 member of another « Samba4 » domain

Rowland Penny rpenny at f2s.com
Sat Apr 13 15:32:56 MDT 2013


On 13/04/13 20:22, steve wrote:
> On 13/04/13 20:38, Rowland Penny wrote:
>> On 13/04/13 19:24, steve wrote:
>>> On 13/04/13 18:49, François Lafont wrote:
>>>> Hi,
>>>>
>>>> On 11/04/2013 22:39, Gémes Géza wrote:
>>>>
>>>>> The easiest way to test out rfc2307 would be to provision a new domain
>>>>> with samba-tool domain provision --use-rfc2307
>>>>> --the-other-options-of-your-choice, and test an rfc2307 client against
>>>>> it. The difference is that in this case the provisioning script loads a
>>>>> schema file (ypServ30.ldif) which makes it easier to administer the
>>>>> rfc2307 attributes using ADUC. [...]
>>>> OK. I tried this on a wheezy server:
>>>>
>>>> ---------------------------------------------------
>>>> samba-tool domain provision --realm=CHEZMOI.PRIV \
>>>>      --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
>>>>      --adminpass='+toto123' --use-rfc2307
>>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>>> samba
>>>> samba-tool user add test1 "+test123"
>>>> ---------------------------------------------------
>>>>
>>>> Here is my smb.conf file after these commands:
>>>>
>>>> ---------------------------------------------------
>>>> # Global parameters
>>>> [global]
>>>>          workgroup = CHEZMOI
>>>>          realm = CHEZMOI.PRIV
>>>>          netbios name = WHEEZY-1
>>>>          server role = active directory domain controller
>>>>          dns forwarder = 212.27.40.241
>>>>          idmap_ldb:use rfc2307 = yes
>>>>
>>>> [netlogon]
>>>>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>>>>          read only = No
>>>>
>>>> [sysvol]
>>>>          path = /usr/local/samba/var/locks/sysvol
>>>>          read only = No
>>>> ---------------------------------------------------
>>>>
>>>> But when I run:
>>>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
>>>>
>>>> ---------------------------------------------------
>>>> # editing 1 records
>>>> # record 1
>>>> dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: test1
>>>> instanceType: 4
>>>> whenCreated: 20130413162647.0Z
>>>> whenChanged: 20130413162647.0Z
>>>> uSNCreated: 3769
>>>> name: test1
>>>> objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: test1
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: test1@chezmoi.priv
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
>>>> pwdLastSet: 130103440070000000
>>>> userAccountControl: 512
>>>> uSNChanged: 3771
>>>> distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>>> ---------------------------------------------------
>>>>
>>>> I have no "objectClass: posixAccount" entry and hence no
>>>> "uidNumber" or "gidNumber" attribute. Is that normal?
>>>>
>>>> I thought that the "use-rfc2307" option allowed creating
>>>> "posixAccount" users. Isn't that the case?
>>>>
>>>>
>>> Hi
>>> You still have to add the objects. Yourself! I think provisioning
>>> with the rfc2307 option allows you to use the Windows tools instead
>>> of using ldbedit or LDIFs. If you just want uid:gid you can use
>>> ldbedit like you have above and
>>>
>>> add e.g.
>>> objectClass: posixGroup
>>> gidNumber: 20513
>>>
>>> to Domain Users
>>>
>>> then, e.g.
>>> objectClass: posixAccount
>>> uidNumber: 3000100
>>> gidNumber: 20513
>>>
>>> to each of your users. With a different uid for each user of course. 
>>> You then decide how to get the uid:gid out of AD. There's another 
>>> thread here at the moment about how or how not to do that.
>>> hth
>>> Steve
>
>>>
>> Hi, You do not need the posix objectclasses, you can add the 
>> uidNumbers etc without them.
>>
>> Rowland
>>
>>
>>
> Hi
> Yes, but please be careful. The Samba4 LDAP allows you to add 
> uidNumber without the class from the schema which provides it. In this 
> case posixAccount. However, the uidNumber in that case will just be 
> ignored. e.g. it will not show in getent passwd.
>
> I'm not certain but I think in openldap with the rfc2307 schema, it 
> would be an error: you wouldn't be able to do it.
>
> @Rowland. Maybe your method with sssd doesn't need uidNumber to be 
> present in AD?
> Cheers,
> Steve
>
Hi Steve, I thought like you until someone posted either on here or on 
the technical list that Windows does not use the posix objectclasses, 
and as Samba 4 AD is supposed to be exactly like Windows AD, then 
obviously you do not need them. If they were required, you would not be 
able to add the uidNumbers etc, it would just error out.
If you are having problems pulling the uidNumber with nss-ldapd without 
the posix objectclasses, then this might be because nss-ldapd was 
written for ldap but AD != LDAP. All I can say is sssd works without the 
posix objectclasses.

Rowland
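The procedure Steve gives above (posixGroup plus gidNumber on Domain Users, then posixAccount plus uidNumber/gidNumber on each user), as an added example that is not part of the thread or of Samba itself: a POSIX shell script that emits the LDIF for each change, applies it with ldbmodify and reads the result back with ldbsearch. The base DN and sam.ldb path are taken from François's output, the gid 20513 and the uid start 3000100 from Steve's reply; applying the LDIF to the local sam.ldb rather than over LDAP, and the assumption that the Samba ldb tools are on PATH, are mine.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Builds the LDIF that gives a group a posixGroup gidNumber and a user a
# posixAccount uidNumber/gidNumber, applies it with ldbmodify and checks the
# entry afterwards.  Base DN and sam.ldb path are those posted in the thread
# (assumed to still be correct on your DC); adjust them if yours differ.

BASEDN="DC=chezmoi,DC=priv"
SAMDB="/usr/local/samba/private/sam.ldb"

# LDIF that adds objectClass posixGroup and a gidNumber to a group.
# The objectClass and the attribute are two separate modifications
# (separated by "-"), so the class is already on the entry when the
# attribute is added.
posix_group_ldif() {
    # $1 = group CN (e.g. "Domain Users"), $2 = gidNumber
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: objectClass\nobjectClass: posixGroup\n-\nadd: gidNumber\ngidNumber: %s\n-\n' \
        "$1" "$BASEDN" "$2"
}

# LDIF that adds objectClass posixAccount plus uidNumber and gidNumber to a user.
posix_user_ldif() {
    # $1 = user CN, $2 = uidNumber, $3 = gidNumber
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: objectClass\nobjectClass: posixAccount\n-\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n-\n' \
        "$1" "$BASEDN" "$2" "$3"
}

# Hand out ascending uidNumbers to the given users, starting at $1.
# Prints one "user uid" pair per line, so every user gets a distinct uid.
allocate_uids() {
    start="$1"; shift
    n="$start"
    for u in "$@"; do
        echo "$u $n"
        n=$((n + 1))
    done
}

# Apply LDIF from stdin to the local sam.ldb (needs the Samba ldb tools).
apply_ldif() {
    ldbmodify -H "$SAMDB"
}

# Read the entry back.  A user that shows uidNumber but no
# "objectClass: posixAccount" is exactly the case Steve warns about.
verify_user() {
    ldbsearch -H "$SAMDB" "(cn=$1)" objectClass uidNumber gidNumber
}

# Only touch the directory when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    posix_group_ldif "Domain Users" 20513 | apply_ldif
    allocate_uids 3000100 test1 | while read -r user uid; do
        posix_user_ldif "$user" "$uid" 20513 | apply_ldif
        verify_user "$user"
    done
    # Once the NSS side is configured, the new uid should appear here:
    getent passwd test1
fi
```

Run it on the DC as `sh posix.sh apply`; without the `apply` argument it only defines the functions, which makes it easy to inspect the LDIF first with `posix_user_ldif test1 3000100 20513`. The split between the two views in the thread comes down to the NSS client's search filter: nslcd (nss-ldapd) looks up passwd entries with `(objectClass=posixAccount)` by default, so a uidNumber added without the class is never returned and `getent passwd` stays empty, while sssd's AD provider searches for `objectClass=user` and reads uidNumber from whatever it finds, which matches Rowland's experience. On the DC itself the `idmap_ldb:use rfc2307 = yes` line that `--use-rfc2307` wrote into smb.conf makes winbind honour the same uidNumber/gidNumber attributes.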
