[Samba] Samba 4 "Services for UNIX"? [SOLVED]

Robert Moggach rob at dashing.tv
Thu Jan 10 00:51:04 MST 2013


OK. So I now no longer 'CORRUPT' my database. Thanks to Andrew for pointing
this out as it didn't seem to have caused problems until I tried to edit
attributes.

The following is my latest attempt. Given that the errors I was getting were all
related to an invalid rdn, I changed to a schema that is a little more
generic and uses OU and CN instead. In hindsight it was the missing
rdnAttId that was probably causing this error, so you can probably try
adding that to the previous schema definition instead. Not sure what's
ideal.

The following schema and corresponding data load without issue using the
documented ldbmodify command...

It's now 3 ldif files... one for the attribute, one for the automountMap
class, one for the automount class. It wouldn't do it for me otherwise as
it needed to see the preceding attribute or class before being added.

Split these into three separate files...

01_autofs_attr.ldif

dn: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.25
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Information used by the autofs automounter
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

02_autofs_map.ldif

dn: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.2312.4.2.2
rdnAttId: ou
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: ou
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
defaultSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: organizationalUnit

03_autofs_mount.ldif

dn: CN=automount,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.1.13
rdnAttId: cn
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
mustContain: cn
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,<DOMAIN>
defaultSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: automountMap


Add them as documented in the wiki....

ldbmodify -H /usr/local/samba/private/sam.ldb /root/01_autofs_attr.ldif
...etc...etc...etc

Modify the actual data accordingly to remove automountKey and
automountMapName attributes and change as needed.
These work for me and I can edit them without issue.



On Wed, Jan 9, 2013 at 7:50 PM, Robert Moggach <rob at dashing.tv> wrote:

>  To get the automount schema to work with the git checkout of samba 4 I
> had to modify the automount schema files and separate the attributes from
> the classes. I also discovered that it's required to have the
> ntSecurityDescriptor , instanceType, and objectCategory attributes. Without
> these it will crash whenever you try to browse... I did a lot of stopping
> samba, tarring of /usr/local/samba and untarring to finally get here...
>
> Here's the ldif for the automount attributes I used:
>
> dn: CN=automountMapName,CN=Schema,CN=Configuration,<DOMAIN>
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.1.1.1.31
> cn: automountMapName
> name: automountMapName
> lDAPDisplayName: automountMapName
> description: automount Map Name
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: TRUE
> systemOnly: FALSE
>
> dn: CN=automountKey,CN=Schema,CN=Configuration,<DOMAIN>
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.1.1.1.32
> cn: automountKey
> name: automountKey
> lDAPDisplayName: automountKey
> description: Automount Key value
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: TRUE
> systemOnly: FALSE
>
> dn: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN>
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.1.1.1.33
> cn: automountInformation
> name: automountInformation
> lDAPDisplayName: automountInformation
> description: Automount information
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: TRUE
> systemOnly: FALSE
>
>  Here's the ldif for the automount classes:
>
> dn: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
> objectClass: top
> objectClass: classSchema
> governsID: 1.3.6.1.1.1.2.16
> cn: automountMap
> name: automountMap
> lDAPDisplayName: automountMap
> subClassOf: top
> objectClassCategory: 1
> mustContain: automountMapName
> mayContain: description
> mustContain: instanceType
> mustContain: ntSecurityDescriptor
> mustContain: objectCategory
> defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
> defaultHidingValue: TRUE
> systemOnly: FALSE
>
> dn: CN=automount,CN=Schema,CN=Configuration,<DOMAIN>
> objectClass: top
> objectClass: classSchema
> governsID: 1.3.6.1.1.1.2.17
> cn: automount
> name: automount
> lDAPDisplayName: automount
> subClassOf: top
> objectClassCategory: 1
> description: Automount information
> mustContain: automountKey
> mustContain: automountInformation
> mayContain: description
> mustContain: instanceType
> mustContain: ntSecurityDescriptor
> mustContain: objectCategory
> defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,<DOMAIN>
> defaultHidingValue: TRUE
> systemOnly: FALSE
>
>  These were added to the directory using the following commands:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/01_attr.ldif --option="dsdb:schema update allowed"=true
> ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/02_class.ldif --option="dsdb:schema update allowed"=true
>
>  Now here's what I did for the actual records. First I created a new OU
> tree called Automounts and then three OU's beneath that for Mac, Linux,
> Homeless. Mac uses auto_master and linux uses auto.master but I prefer to
> have them in separate branches.
>
> Here's a sample record:
>
> dn: automountMapName=auto_master,OU=Mac,OU=Automounts,<DOMAIN>
> objectClass: automountMap
> objectClass: top
> automountMapName: auto_master
> description: Mac OS X Master Autofs map
> ntSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
> ObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
> instanceType: 4
>
>
> These couldn't be added with the above string so instead I used the
> following:
>
>  ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=<DOMAIN>.ldb -U administrator 03_smb_maps.ldif
>
>  To understand the ntSecurityDescriptor attribute I had to learn all about
> SDDL syntax and then by trial and error realize I needed to use hex format.
> The following links were invaluable.
>
> http://www.netid.washington.edu/documentation/domains/sddl.aspx
> http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx
> http://www.windowsitpro.com/article/security/defining-an-ad-object-s-default-security-descriptor
>
>  Further... this little python snippet helped me remember how to add hex
> ....
>
> #!/usr/bin/python
>
> # Generic rights (top nibble of the access mask); each has its own bit
> GA=int('0x10000000',0)  # GENERIC_ALL
> GX=int('0x20000000',0)  # GENERIC_EXECUTE
> GW=int('0x40000000',0)  # GENERIC_WRITE
> GR=int('0x80000000',0)  # GENERIC_READ
> # Standard rights
> RC=int('0x20000',0)     # READ_CONTROL
> SD=int('0x10000',0)     # DELETE
> WD=int('0x40000',0)     # WRITE_DAC
> WO=int('0x80000',0)     # WRITE_OWNER
> # Directory-service object rights
> RP=int('0x00000010',0)  # read property
> WP=int('0x00000020',0)  # write property
> CC=int('0x00000001',0)  # create child
> DC=int('0x00000002',0)  # delete child
> LC=int('0x00000004',0)  # list contents
> SW=int('0x00000008',0)  # self (validated) write
> LO=int('0x00000080',0)  # list object
> DT=int('0x00000040',0)  # delete tree
> CR=int('0x00000100',0)  # control access (extended right)
>
> PERMS = {
>     'All Perms': RC+SD+WD+WO+RP+WP+CC+DC+LC+SW+LO+DT+CR,   # 0xf01ff
>     'Read Only': RP+LC+LO+RC                               # 0x20094
> }
>
> for key, value in PERMS.items():
>     print(key, value, hex(value))
>
>
> I hope this helps others to avoid frustration.
>
> Rob
>
>
>
>
> On Wed, Jan 9, 2013 at 2:23 PM, Robert Moggach <rob at dashing.tv> wrote:
>
>> I have a little more information about the issues I'm having:
>>
>> When I try to create automountMap or automount objects in the directory
>> using Apache Directory Studio it fails because I need to add the following
>> attributes:
>>
>> instanceType
>> ntSecurityDescriptor
>> objectCategory
>>
>> Can someone enlighten me on the correct value for these attributes?
>>
>> thanks,
>>
>> Rob
>>
>>
>>
>> On Tue, Jan 8, 2013 at 6:43 PM, Robert Moggach <rob at dashing.tv> wrote:
>>
>>> I've solved getting the schema into the directory... and I thought I
>>> populated my automount maps...
>>> but the directory is unbrowseable -
>>>
>>> Getting closer... I keep getting the following error:
>>>
>>> *acl_read: cannot get descriptor of automountMap... etc. etc.*
>>>
>>>
>>> Steps I took...
>>> 1) I had changed the Default-First-Site-Name to something more
>>> appropriate and changing that back seemed like a good place to start even
>>> though fsmo was showing me as the SchemaMaster -
>>>
>>> 2) At this point I was able to get the schema loaded... almost...
>>> ldapadd didn't like attributes and class in the same ldif... and then I had
>>> to restart samba to add the class file... ugh... use ldbmodify! I edited
>>> the automount.ldif schema file to be two files - one for the attributes and
>>> a second for the classes
>>>
>>> I added the schema using the following two commands:
>>>
>>> ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_attr.ldif --option="dsdb:schema update allowed"=true
>>>
>>> ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_class.ldif --option="dsdb:schema update allowed"=true
>>>
>>> 3) I then tried to add the automount records with ldbmodify with no luck
>>> ...
>>> ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/03_autofs_maps.ldif
>>> ...
>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
>>> ERR: (Naming violation) "objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for objectclass 'automountMap'!" on DN automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at block before line 41
>>> Modify failed after processing 5 records
>>>
>>> Weird... solved that by doing the following, but now i have all kinds of
>>> acl_read errors
>>>
>>> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb 03_autofs_maps.ldif
>>>
>>> ldapsearch gives me the following:
>>>
>>> result: 1 Operations error
>>> search: 5
>>> result: 1 Operations error
>>> text: acl_read: cannot get descriptor of automountMapName=...
>>>
>>> weird? how do I add acls?
>>>
>>> The following shows the whole directory as expected... but I need ldap
>>> to work for autofs!
>>>
>>> ldbsearch -H /usr/local/samba/private/sam.ldb
>>>
>>> So can someone tell me how to get acls added for my objects?
>>>
>>>
>>>
>>>
>>> Samba version: 4.1.0pre1-GIT-94f11e9
>>> Build environment:
>>>    Build host:  Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>>
>>>
>>>
>>>
>>
>
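As an added example (not from this thread and not Samba's own code), here is a small Python lint for a batch of schema LDIF files taken in load order. It parses the entries and checks for the mistakes that surface in the thread: a classSchema with no rdnAttId (the "Invalid RDN" naming violation), an rdnAttId the class cannot carry, a class whose mustContain/mayContain names an attribute no earlier file has defined (why the attribute file has to load first), and a defaultObjectCategory that does not point back at the class. The LDIF embedded in the block is constructed for the example with DC=example,DC=com standing in for <DOMAIN>; the set of base attributes assumed to exist already, and the lint rules themselves, are this example's assumptions, not the checks Samba performs when loading a schema.

```python
# Attributes assumed to exist in every AD-style schema already (assumption for
# this example); a class may reference them without the batch defining them.
BASE_ATTRS = {"cn", "ou", "description", "instancetype", "ntsecuritydescriptor",
              "objectcategory"}

# Constructed sample LDIF, DC=example,DC=com standing in for <DOMAIN>.
ATTR_LDIF = """\
dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.25
cn: automountInformation
lDAPDisplayName: automountInformation
attributeSyntax: 2.5.5.5
oMSyntax: 22
"""

CLASS_LDIF = """\
dn: CN=automount,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.1.13
rdnAttId: cn
cn: automount
lDAPDisplayName: automount
mustContain: cn
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DC=example,DC=com
"""

# Shaped like the thread's first attempt: no rdnAttId, and an RDN attribute
# (automountMapName) that nothing in this batch defines.
BROKEN_LDIF = """\
dn: CN=automountMap,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
lDAPDisplayName: automountMap
mustContain: automountMapName
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DC=example,DC=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {lowercased attr: [values]}) in file
    order. A line starting with one space continues the previous value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if ":" not in line:
            raise ValueError("not an attribute line: %r" % line)
        name, value = (part.strip() for part in line.split(":", 1))
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def lint_schema(ldif_texts):
    """Check schema LDIF files in the order they would be loaded; returns a
    list of problem strings (empty means the batch passed these checks)."""
    problems, defined = [], set(BASE_ATTRS)
    for text in ldif_texts:
        for dn, a in parse_ldif(text):
            kinds = {v.lower() for v in a.get("objectclass", [])}
            if "attributeschema" in kinds:
                for req in ("attributeid", "attributesyntax", "omsyntax", "ldapdisplayname"):
                    if req not in a:
                        problems.append("%s: missing %s" % (dn, req))
                defined.add(a.get("ldapdisplayname", [""])[0].lower())  # now usable by classes
            elif "classschema" in kinds:
                must = {v.lower() for v in a.get("mustcontain", [])}
                may = {v.lower() for v in a.get("maycontain", [])}
                if "governsid" not in a:
                    problems.append("%s: missing governsID" % dn)
                rdn = a.get("rdnattid", [""])[0].lower()
                if not rdn:
                    problems.append("%s: missing rdnAttId, so adding objects fails with 'Invalid RDN'" % dn)
                elif rdn not in must | may:
                    problems.append("%s: rdnAttId %s is not in mustContain/mayContain" % (dn, rdn))
                for attr in sorted(must | may):
                    if attr not in defined:
                        problems.append("%s: uses %s before it is defined" % (dn, attr))
                if a.get("defaultobjectcategory", [""])[0].lower() != dn.lower():
                    problems.append("%s: defaultObjectCategory should be the class's own DN" % dn)
    return problems
```

Running lint_schema([ATTR_LDIF, CLASS_LDIF]) returns an empty list; feeding the same two files in the opposite order reports automountInformation being used before it is defined, and BROKEN_LDIF alone reports both the missing rdnAttId and the undefined automountMapName, which is the pair of problems behind the naming violation quoted earlier in the thread.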
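As a second added example (again not part of the thread), the SDDL decoder below goes the other way from Rob's snippet: it parses the defaultSecurityDescriptor string used in the schema above, decodes each ACE's access mask back into rights codes, and reports which trustees hold any write-type right, so you can confirm that Authenticated Users get only read (0x20094) while the administrator SID and SYSTEM get full control (0xf01ff). The rights field is accepted either as hex, as used in the thread, or as concatenated two-letter codes, which is what the Windows SDDL grammar allows; whether Samba's parser takes both forms is not something the thread establishes. The SID aliases and the choice of which rights count as "write" are this example's assumptions.

```python
import re

# Access-mask bits behind the two-letter SDDL rights codes (the same codes as
# the thread's python snippet); values are the Win32 / ADS_RIGHT_* constants.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CR": 0x00000100, "LO": 0x00000080, "DT": 0x00000040, "WP": 0x00000020,
    "RP": 0x00000010, "SW": 0x00000008, "LC": 0x00000004, "DC": 0x00000002,
    "CC": 0x00000001,
}
# Rights that let a trustee change the object, its children or its ACL
# (this example's classification).
WRITE_CODES = ("GA", "GW", "WO", "WD", "SD", "CR", "DT", "WP", "SW", "DC", "CC")
WRITE_MASK = sum(RIGHTS[c] for c in WRITE_CODES)
# SDDL SID abbreviations that appear in the descriptor on this page.
SID_ALIASES = {"BA": "Builtin Administrators", "SY": "Local System",
               "AU": "Authenticated Users"}

# The defaultSecurityDescriptor from the thread's automountMap/automount classes.
DESCRIPTOR = ("O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)"
              "(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)")

def parse_mask(text):
    """Rights field of an ACE: hex ('0xf01ff') or concatenated codes ('RPLCLORC')."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("odd-length rights string: %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown rights code %r" % code)
        mask |= RIGHTS[code]
    return mask

def mask_to_codes(mask):
    """Decode an access mask back to the sorted rights codes it contains."""
    return sorted(code for code, bit in RIGHTS.items() if mask & bit)

def parse_sddl(sddl):
    """Split 'O:..G:..D:(ace)(ace)...' into owner, group and a list of ACE dicts.
    Only what this thread uses is handled: no SACL, no conditional ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    owner, group, _dacl_flags, ace_text = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % ace)
        ace_type, _flags, rights, _obj_guid, _inh_guid, sid = fields
        mask = parse_mask(rights)
        aces.append({"type": ace_type, "sid": sid,
                     "trustee": SID_ALIASES.get(sid, sid),
                     "mask": mask, "codes": mask_to_codes(mask)})
    return owner, group, aces

def writers(sddl):
    """Trustees that an Allow ACE grants any write-type right on the object."""
    return [a["trustee"] for a in parse_sddl(sddl)[2]
            if a["type"] == "A" and a["mask"] & WRITE_MASK]

if __name__ == "__main__":
    owner, group, aces = parse_sddl(DESCRIPTOR)
    print("owner=%s group=%s" % (SID_ALIASES.get(owner, owner), SID_ALIASES.get(group, group)))
    for a in aces:
        print("%s %-46s %#010x %s" % (a["type"], a["trustee"], a["mask"], "".join(a["codes"])))
    print("can modify:", writers(DESCRIPTOR))
```

For the descriptor on this page, writers(DESCRIPTOR) lists only the S-1-5-21-...-500 SID and Local System; the Authenticated Users ACE decodes to LC, LO, RC and RP, which is list, list-object, read-control and read-property and nothing that can alter an automount entry.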

