[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)
rowlandpenny at googlemail.com
Fri Nov 15 14:06:16 MST 2013
On 15/11/13 20:46, Werthmuller, Derek wrote:
> I suspect that means that AD must use objectclass groupofNames ?
> Yea I don't know what is needed to provide the desired functionality.
No, AD uses the objectClass group, which has as an auxillary
'posixGroup'. This means that the AD objectClass group inherits all of
the 'posixGroup' attributes, this is why AD never adds the 'posixGroup'
So if you ever add users/groups with ADUC you will never get the posix
objectClasses, so this is why I think that no samba tool should add them
either, just think of the problems that could occur if you had some
users/groups created with ADUC and some created with a tool that added
the posix objectClasses, and then used another Linux tool that relied on
the posix objectClasses. No, it is better not to rely on the posix
objectClasses and then use tools that do not use them.
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Friday, November 15, 2013 3:09 PM
> To: Werthmuller, Derek; samba at lists.samba.org
> Subject: Re: [Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)
> On 15/11/13 19:55, Werthmuller, Derek wrote:
>> I don't believe that the samba-tool allows you to manage group id's
>> (gid) the same as when you create new users. Like samba-tool user add
>> <username> --uid-number=5000 gid-number=5000
>> home-directory=/exports/users/<usersname> login-shell=/bin/bash
>> Would be great if you could do: /usr/bin/samba-tool group add
>> <groupname> gid-number=6000
>> Have seen references on the net about using ldapmodify to add/modify
>> the gid for a group created via samba-tool
>> -bash-4.1$ /usr/bin/samba-tool -V
>> bash-4.1$ /usr/bin/samba-tool group add -h
>> -h, --help show this help message and exit
>> -H URL, --URL=URL LDB URL for database or target server
>> --groupou=GROUPOU Alternative location (without domainDN counterpart) to
>> default CN=Users in which new user object will be
>> Group scope (Domain | Global | Universal)
>> Group type (Security | Distribution)
>> Group's description
>> Group's email address
>> --notes=NOTES Groups's notes
>> Samba Common Options:
>> -s FILE, --configfile=FILE
>> Configuration file
>> -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
>> debug level
>> --option=OPTION set smb.conf option from command line
>> --realm=REALM set the realm name
>> Credentials Options:
>> DN to use for a simple bind
>> -U USERNAME, --username=USERNAME
>> -W WORKGROUP, --workgroup=WORKGROUP
>> -N, --no-pass Don't ask for a password
>> -k KERBEROS, --kerberos=KERBEROS
>> Use Kerberos
>> IP address of server
>> Version Options:
>> -V, --version Display version number
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
>> Sent: Monday, October 28, 2013 2:39 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] samba-tool group add omits RFC2307 attributes
>> (4.0.9 as AD DC)
>> On Mon, 2013-10-28 at 10:55 +1100, Trent W. Buck wrote:
>>> After a classicupgrade, I noticed some users and many groups were
>>> missing from samba4, that had been in samba3's LDAP.
>>> "No problem," I thought. "I'll just 'samba-tool group add' them."
>>> Except that groups created that was don't have things like gidNumber
>>> objectClass: posixGroup, which means that nss_ldapd can't see them.
>>> Can I tell samba-tool to manage RFC2307 attributes as well as AD
>> Not with 4.0.9. You need 4.1 to be able to do that with samba-tool.
>> samba-tool group create --help
>> will get you a list of rfc2307 syntax.
>>> I can't find anything relevant in smb.conf(5) manpage.
>>> I wouldn't even care about this, but nss_winbind sees fewer accounts
>>> than wbinfo which in turn sees fewer accounts than samba-tool! So I
>>> gave up and fell back to nss-ldapd, thinking I was saved -- but now
>>> it seems workaround only works for classicupgraded accounts, not new ones.
>> classicupgrade accounts that had gidNumber will retain it. New groups do not have the gidNumber added. You can easily add it yourself using ldbmodify immediately after the group is created. For the Samba4 schema, you do not need to add the posixGroup class.
>>> I also thought about telling nslcd.conf to turn the SIDs into posix
>>> UIDs and GIDs on its own, but I can't see how to do that. The AD
>>> schema appears to store objectSid as a binary attr. I'm not even
>>> sure how to dump the ad schema as I would have examined cn=config in OpenLDAP.
>> There is a copy of the schema at:
>> If you want everything to just work, I'd suggest sssd v1.10 or newer which has a very good AD backend for stuff like you want.
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> Hi, a guy called Stephane Purnelle has proposed a patch for samba-tool to do this, but I keep objecting to it because it also adds the posixGroup objectClass, windows never adds this, so I think that samba-tool shouldn't either, no one from the devs ever responds.
More information about the samba