[Samba] Samba 4 Consistent uid gid mapping across servers.

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 22 02:51:24 MDT 2013


On 22/10/13 07:04, Gints Neimanis wrote:
> On 10/22/2013 02:02 AM, steve wrote:
>> On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
>>> hi, just a thought, did you join the initial Samba 4 server as a 
>>> second DC
>>> to the windows 2003 server? and if so was it a 2003 or a 2003R2 server?
>>> If it was just a 2003 server and did not have SFU added to it, then you
>>> probably do not have the required ObjectClasses & Attributes in your 
>>> schema.
>>>
>>> Rowland
>>>
>> Hi
>> That could be it. The OP's ldif for adding the uidNumber is fine, but
>> the schema wants none of it. The schema that ships with Samba4 works
>> fine _if that is the first DC in the domain_. As Rowland says, this is
>> likely caused by the Samba4 DC being joined to an existing domain based
>> on 2003 or before. The only difference between our (working) ldif is
>> that we are adding to CN=Users, not an OU.
> Yes. Samba4 was second DC on Win2003 AD, then I transferred all roles 
> to Samba4 and removed Win2003 DC's. Windows DC was without SFU.
>
> Are there any directions on how to add the necessary schemas to Samba4?
>
> Gints
>
>>> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
>>>
>>>> On 10/19/2013 10:58 AM, steve wrote:
>>>>
>>>>> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
>>>>>
>>>>>>   ...
>>>>>>
>>>>>> My question is, that since I did not specify rfc2307 when I 
>>>>>> originally
>>>>>> provisioned the domain what is going to be the effect if I try to 
>>>>>> use it
>>>>>> after the fact.
>>>>>>
>>>>> No problem. You can use the full set of rfc2307 attributes perfectly
>>>>> well without it.
>>>>>
>>>>>> ...
>>>>>>
>>>>> Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
>>>>> gidNumber and ldbmodify. But be warned: do this on a _single_ DC and
>>>>> add:
>>>>> idmap_ldb use:rfc2307 = Yes
>>>>> to smb.conf to all your DC's afterwards.
>>>>>
>>>> Can you please from this point give some more detailed steps?
>>>>
>>>> I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
>>>>
>>>> Now I wish to add uidNumber attribute to user object:
>>>>
>>>> 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and 
>>>> restarted samba
>>>>
>>>> 2) prepared file  ldbm.ldif with content:
>>>> ==
>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>> changetype: modify
>>>> add: uidNumber
>>>> uidNumber: 300999
>>>> ==
>>>>
>>>> 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>> .. and got:
>>>>
>>>> ERR: (No such attribute) "objectclass_attrs: attribute 'uidNumber' on
>>>> entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>> schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block
>>>> before line 5
>>>> Modify failed after processing 0 records
>>>>
>>>> .. tried to add uidNumber with ldbedit -H /usr/local/samba/private/sam.ldb
>>>> sAMAccountName=janis.ozols
>>>>
>>>> ... and got:
>>>>
>>>> failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
>>>> objectclass_attrs: attribute 'uidNumber' on entry
>>>> 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>> schema!
>>>>
>>>> Then I tried to add the posixAccount class, but without success:
>>>>
>>>> # cat ldbm.ldif
>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>> changetype: modify
>>>> add: objectClass
>>>> objectClass: posixAccount
>>>>
>>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>
>>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>>>> setup
>>>> ERR: (Unwilling to perform) "objectclass: object class changes on
>>>> objects under the standard name contexts not allowed!" on DN
>>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>>> Modify failed after processing 0 records
>>>>
>>>> (don't know if it is related but:
>>>> # samba-tool domain level raise --domain-level=2003
>>>> ERROR: Could not retrieve the actual domain, forest level and/or 
>>>> lowest DC
>>>> function level! )
>>>>
>>>>
>>>> current entries for this user are:
>>>>
>>>> ====
>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: janis.ozols
>>>> sn: Janis
>>>> description: tst
>>>> givenName: ozols
>>>> instanceType: 4
>>>> whenCreated: 20130809130646.0Z
>>>> whenChanged: 20130809130646.0Z
>>>> displayName: ozols Janis
>>>> uSNCreated: 7575
>>>> name: janis.ozols
>>>> objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> homeDirectory: \\server\janis.ozols
>>>> homeDrive: G:
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> scriptPath: all.bat
>>>> primaryGroupID: 513
>>>> profilePath: \\server\PROFILE\janis.ozols
>>>> objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: janis.ozols
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: janis.ozols at xyz.abc.lv
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
>>>> pwdLastSet: 130205272060000000
>>>> userAccountControl: 512
>>>> uSNChanged: 7577
>>>> distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>> ====
>>>>
>>>> Gints.
>>>>
>>
>
Hi, First we need to make sure that the lack of the required 
objectclasses & attributes is the problem, run this on the server:

ldbsearch --url=/usr/local/samba/private/sam.ldb -b 
"CN=Schema,CN=Configuration,DC=example,DC=com" > /root/schema.ldif

Replacing 'DC=example,DC=com' with your variant of it, this also 
supposes that sam.ldb is actually in '/usr/local/samba/private'

After running the command, open '/root/schema.ldif' in your favourite 
editor and search for 'CN=PosixAccount'. If it cannot be found then 
this is your problem. As a further check, I got 1550 entries on a newly 
provisioned ADDC.

Rowland
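As an added example (not part of the thread, and not Samba's own tooling), a small Python script that automates the check Rowland describes on the /root/schema.ldif dump: it parses the LDIF that ldbsearch writes, counts the schema records, and reports which of the rfc2307 schema objects are absent. The PosixGroup name and the two-record sample dump are my assumptions; the script uses only the standard library and reads sam.ldb through the dump, never directly.

```python
"""Check a Samba AD schema dump (from ldbsearch -b "CN=Schema,CN=Configuration,...")
for the rfc2307 classes/attributes that must exist before uidNumber can be added."""
import base64

# Missing from a schema inherited from a 2003 DC without SFU; the symptom is
# "attribute 'uidNumber' on entry ... was not found in the schema!"
REQUIRED = ("PosixAccount", "PosixGroup", "uidNumber", "gidNumber")


def parse_ldif(text):
    """One {attribute: [values]} dict per record. Unfolds continuation lines
    (leading space) and decodes base64 values ('attr:: ...') as ldbsearch emits."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:                      # blank line terminates a record
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):    # skip '# record N' / '# returned N' lines
            key, _, value = line.partition(":")
            if value.startswith(":"):     # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(key, []).append(value.strip())
    return entries


def missing_rfc2307(entries):
    """REQUIRED names present as neither cn nor lDAPDisplayName in the dump."""
    present = {v.lower() for e in entries
               for v in e.get("cn", []) + e.get("lDAPDisplayName", [])}
    return sorted(n for n in REQUIRED if n.lower() not in present)


# Constructed two-record excerpt, not a real dump (a fresh provision has ~1550).
SAMPLE_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
cn: User

dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
cn:: dWlkTnVtYmVy
lDAPDisplayName: uidNumber
description: An integer uniquely identifying
  a user in an administrative domain
"""

if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(len(recs), "schema entries; missing rfc2307 objects:", missing_rfc2307(recs))
```

To run it against a real dump, replace SAMPLE_LDIF with `open("/root/schema.ldif").read()`; an empty missing list together with a record count in the 1500s matches what a freshly provisioned DC looks like.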

