[Samba] Samba 4 Consistent uid gid mapping across servers.

steve steve at steve-ss.com
Mon Oct 21 17:02:54 MDT 2013


On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
> Hi, just a thought, did you join the initial Samba 4 server as a second DC
> to the Windows 2003 server? And if so, was it a 2003 or a 2003R2 server?
> If it was just a 2003 server and did not have SFU added to it, then you
> probably do not have the required ObjectClasses & Attributes in your schema.
> 
> Rowland
> 

Hi
That could be it. The OP's ldif for adding the uidNumber is fine, but
the schema wants none of it. The schema that ships with Samba4 works
fine _if that is the first DC in the domain_. As Rowland says, this is
likely caused by the Samba4 DC being joined to an existing domain based
on 2003 or before. The only difference in our (working) ldif is
that we are adding to CN=Users, not an OU.
 
> 
> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
> 
> > On 10/19/2013 10:58 AM, steve wrote:
> >
> >> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
> >>
> >>>  ...
> >>>
> >>> My question is, that since I did not specify rfc2307 when I originally
> >>> provisioned the domain what is going to be the effect if I try to use it
> >>> after the fact.
> >>>
> >>
> >> No problem. You can use the full set of rfc2307 attributes perfectly
> >> well without it.
> >>
> >>> ...
> >>>
> >> Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
> >> gidNumber and ldbmodify. But be warned: do this on a _single_ DC and
> >> add:
> >> idmap_ldb use:rfc2307 = Yes
> >> to smb.conf on all your DCs afterwards.
> >>
> >
> > Can you please from this point give some more detailed steps?
> >
> > I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
> >
> > Now I wish to add uidNumber attribute to user object:
> >
> > 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and restarted samba
> >
> > 2) prepared file  ldbm.ldif with content:
> > ==
> > dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
> > changetype: modify
> > add: uidNumber
> > uidNumber: 300999
> > ==
> >
> > 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
> > .. and got:
> >
> > ERR: (No such attribute) "objectclass_attrs: attribute 'uidNumber' on
> > entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
> > schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block
> > before line 5
> > Modify failed after processing 0 records
> >
> > .. tried to add uidNumber with ldbedit -H /usr/local/samba/private/sam.ldb
> > sAMAccountName=janis.ozols
> >
> > ... and got:
> >
> > failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
> > objectclass_attrs: attribute 'uidNumber' on entry
> > 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
> > schema!
> >
> > Then I tried to add posixAccount class but without success:
> >
> > # cat ldbm.ldif
> > dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
> > changetype: modify
> > add: objectClass
> > objectClass: posixAccount
> >
> > ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
> >
> > ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
> > setup
> > ERR: (Unwilling to perform) "objectclass: object class changes on objects
> > under the standard name contexts not allowed!" on DN
> > CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
> > Modify failed after processing 0 records
> >
> > (don't know if it is related but:
> > # samba-tool domain level raise --domain-level=2003
> > ERROR: Could not retrieve the actual domain, forest level and/or lowest DC
> > function level! )
> >
> >
> > current entries for this user are:
> >
> > ====
> > dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: janis.ozols
> > sn: Janis
> > description: tst
> > givenName: ozols
> > instanceType: 4
> > whenCreated: 20130809130646.0Z
> > whenChanged: 20130809130646.0Z
> > displayName: ozols Janis
> > uSNCreated: 7575
> > name: janis.ozols
> > objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > homeDirectory: \\server\janis.ozols
> > homeDrive: G:
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > scriptPath: all.bat
> > primaryGroupID: 513
> > profilePath: \\server\PROFILE\janis.ozols
> > objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: janis.ozols
> > sAMAccountType: 805306368
> > userPrincipalName: janis.ozols at xyz.abc.lv
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
> > pwdLastSet: 130205272060000000
> > userAccountControl: 512
> > uSNChanged: 7577
> > distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
> > ====
> >
> > Gints.
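A check for the schema gap discussed in this thread, as an added example that is not part of the original messages: it reads a schema dump and lists which RFC 2307 names are missing. The function names, the sample data and the list of names beyond uidNumber are this example's assumptions; the paths and DNs in the comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads schema LDIF on stdin, e.g. from
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#     -b "CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv" \
#     '(lDAPDisplayName=*)' lDAPDisplayName
# and prints the RFC 2307 schema names that are absent.

# uidNumber is the attribute the failed modify needed; the rest of the
# list is this example's choice of companion attributes and classes.
RFC2307_NAMES="uidNumber gidNumber loginShell unixHomeDirectory posixAccount posixGroup"

# missing_rfc2307: print each required name with no lDAPDisplayName entry.
missing_rfc2307() {
    awk -v want="$RFC2307_NAMES" '
        BEGIN { n = split(want, names, " ") }
        {
            sub(/\r$/, "")                     # tolerate CRLF dumps
            if (tolower($0) ~ /^ldapdisplayname: /) {
                v = $0
                sub(/^[^:]*: */, "", v)        # drop the attribute name
                sub(/ +$/, "", v)              # drop trailing blanks
                seen[tolower(v)] = 1           # LDAP names are case-insensitive
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(tolower(names[i]) in seen)) print names[i]
        }'
}

# Constructed sample (not real output): a schema with no RFC 2307 entries.
sample_plain_2003() {
    cat <<'EOF'
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: sAMAccountName

dn: CN=User,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: user
EOF
}

# Names printed here are absent from the schema; a modify using one fails.
sample_plain_2003 | missing_rfc2307
```

Running the check against each DC before the ldbmodify step shows whether the schema, rather than the LDIF, is what rejects the change.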