[Samba] Samba 4 Consistent uid gid mapping across servers.

Gints Neimanis gintsn at gmail.com
Tue Oct 22 06:55:58 MDT 2013


On 10/22/2013 11:51 AM, Rowland Penny wrote:
> On 22/10/13 07:04, Gints Neimanis wrote:
>> On 10/22/2013 02:02 AM, steve wrote:
>>> On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
>>>> hi, just a thought, did you join the initial Samba 4 server as a 
>>>> second DC
>>>> to the windows 2003 server? and if so was it a 2003 or a 2003R2 
>>>> server?
>>>> If it was just a 2003 server and did not have SFU added to it, then 
>>>> you
>>>> probably do not have the required ObjectClasses & Attributes in 
>>>> your schema.
>>>>
>>>> Rowland
>>>>
>>> Hi
>>> That could be it. The OP's ldif for adding the uidNumber is fine, but
>>> the schema wants none of it. The schema that ships with Samba4 works
>>> fine _if that is the first DC in the domain_. As Rowland says, this is
>>> likely caused by the Samba4 DC being joined to an existing domain based
>>> on 2003 or before. The only difference between our (working) ldif is
>>> that we are adding to CN=Users, not an OU.
>> Yes. Samba4 was second DC on Win2003 AD, then I transferred all roles 
>> to Samba4 and removed Win2003 DC's. Windows DC was without SFU.
>>
>> Are there any directions on how to add the necessary schema to Samba4?
>>
>> Gints
>>
>>>> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
>>>>
>>>>> On 10/19/2013 10:58 AM, steve wrote:
>>>>>
>>>>>> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
>>>>>>
>>>>>>>   ...
>>>>>>>
>>>>>>> My question is, that since I did not specify rfc2307 when I 
>>>>>>> originally
>>>>>>> provisioned the domain what is going to be the effect if I try 
>>>>>>> to use it
>>>>>>> after the fact.
>>>>>>>
>>>>>> No problem. You can use the full set of rfc2307 attributes perfectly
>>>>>> well without it.
>>>>>>
>>>>>>> ...
>>>>>>>
>>>>>> Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
>>>>>> gidNumber and ldbmodify. But be warned: do this on a _single_ DC and
>>>>>> add:
>>>>>> idmap_ldb use:rfc2307 = Yes
>>>>>> to smb.conf to all your DC's afterwards.
>>>>>>
>>>>> Can you please from this point give some more detailed steps?
>>>>>
>>>>> I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
>>>>>
>>>>> Now I wish to add uidNumber attribute to user object:
>>>>>
>>>>> 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and 
>>>>> restarted samba
>>>>>
>>>>> 2) prepared file  ldbm.ldif with content:
>>>>> ==
>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>> changetype: modify
>>>>> add: uidNumber
>>>>> uidNumber: 300999
>>>>> ==
>>>>>
>>>>> 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>> .. and got:
>>>>>
>>>>> ERR: (No such attribute) "objectclass_attrs: attribute 'uidNumber' on
>>>>> entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>>> schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block
>>>>> before line 5
>>>>> Modify failed after processing 0 records
>>>>>
>>>>> .. tried to add uidNumber with ldbedit  -H 
>>>>> /usr/local/samba/private/sam.ldb
>>>>> sAMAccountName=janis.ozols
>>>>>
>>>>> ... and got:
>>>>>
>>>>> failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
>>>>> objectclass_attrs: attribute 'uidNumber' on entry
>>>>> 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>>> schema!
>>>>>
>>>>> Then I tried to add the posixAccount class, but without success:
>>>>>
>>>>> # cat ldbm.ldif
>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>> changetype: modify
>>>>> add: objectClass
>>>>> objectClass: posixAccount
>>>>>
>>>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>
>>>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality 
>>>>> not
>>>>> setup
>>>>> ERR: (Unwilling to perform) "objectclass: object class changes on 
>>>>> objects
>>>>> under the standard name contexts not allowed!" on DN
>>>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>>>> Modify failed after processing 0 records
>>>>>
>>>>> (don't know if it is related but:
>>>>> # samba-tool domain level raise --domain-level=2003
>>>>> ERROR: Could not retrieve the actual domain, forest level and/or 
>>>>> lowest DC
>>>>> function level! )
>>>>>
>>>>>
>>>>> current entries for this user are:
>>>>>
>>>>> ====
>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: janis.ozols
>>>>> sn: Janis
>>>>> description: tst
>>>>> givenName: ozols
>>>>> instanceType: 4
>>>>> whenCreated: 20130809130646.0Z
>>>>> whenChanged: 20130809130646.0Z
>>>>> displayName: ozols Janis
>>>>> uSNCreated: 7575
>>>>> name: janis.ozols
>>>>> objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> homeDirectory: \\server\janis.ozols
>>>>> homeDrive: G:
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> scriptPath: all.bat
>>>>> primaryGroupID: 513
>>>>> profilePath: \\server\PROFILE\janis.ozols
>>>>> objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: janis.ozols
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: janis.ozols at xyz.abc.lv
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
>>>>> pwdLastSet: 130205272060000000
>>>>> userAccountControl: 512
>>>>> uSNChanged: 7577
>>>>> distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>> ====
>>>>>
>>>>> Gints.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: 
>>>>> https://lists.samba.org/mailman/options/samba
>>>>>
>>>
>>
> Hi, First we need to make sure that the lack of the required 
> objectclasses & attributes is the problem, run this on the server:
>
> ldbsearch --url=/usr/local/samba/private/sam.ldb -b 
> "CN=Schema,CN=Configuration,DC=example,DC=com" > /root/schema.ldif
>
> Replacing 'DC=example,DC=com' with your variant of it, this also 
> supposes that sam.ldb is actually in '/usr/local/samba/private'
>
> After running the command, open '/root/schema.ldif' in your favourite 
> editor and search for ' CN=PosixAccount' . If it cannot be found then 
> this is your problem, as a further check, I got 1550 entries on a 
> newly provisioned ADDC.
>
> Rowland

Hi,

Thanks for your attention!

I don't have any PosixAccount, only dn: 
CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=...

I already tried to add PosixAccount to the user object, but without success.

# cat ldbm.ldif
dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
changetype: modify
add: objectClass
objectClass: posixAccount

ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif

../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
setup
ERR: (Unwilling to perform) "objectclass: object class changes on objects
under the standard name contexts not allowed!" on DN
CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
Modify failed after processing 0 records

I will be very pleased, if there are some directions how to extend 
schema with necessary data.

Gints
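As an added example (editor's code, not part of the thread or of the Samba project), the two steps discussed above in script form: Rowland's check of the schema dump for the RFC2307 objects, and the modify LDIF for the attributes steve describes. It assumes the CNs used by the Windows 2003 R2 / Samba `--use-rfc2307` schema (PosixAccount, PosixGroup, uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos, memberUid; the list is an assumption and can be extended), that in that schema uidNumber and gidNumber may be set directly on `user` objects without adding a posixAccount objectClass, and it generalises the OP's single-attribute LDIF to uidNumber plus gidNumber, since the subject is consistent uid/gid mapping. The schema dump it checks here is a constructed sample shaped like the OP's description (Trust-Posix-Offset present, nothing else posix), not a real ldbsearch output; the gidNumber 300513 is made up. Continuation lines are unfolded first in case the LDIF writer wrapped a long dn.

```shell
#!/bin/sh
# Added example: check a schema dump for the RFC2307 objects and build the
# modify LDIF for uidNumber/gidNumber. Not code from the thread or from Samba.

# CNs of the RFC2307 classes/attributes as found in the Windows 2003 R2 schema
# and in a Samba DC provisioned with --use-rfc2307 (assumed list; extend as needed).
RFC2307_SCHEMA_OBJECTS="PosixAccount PosixGroup uidNumber gidNumber unixHomeDirectory loginShell gecos memberUid"

# Join LDIF continuation lines (leading space) back onto the line they belong
# to, so a wrapped "dn:" can still be matched with one grep.
unfold_ldif() {
  awk '
    /^ / { sub(/^ /, ""); buf = buf $0; next }
    NR > 1 { print buf }
    { buf = $0 }
    END { print buf }
  ' "$1"
}

# $1 = schema dump produced by
#   ldbsearch --url=/usr/local/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv"
# Prints the missing objects and returns 1 if any of them is absent.
check_rfc2307_schema() {
  unfolded_schema=$(unfold_ldif "$1")
  missing=""
  for obj in $RFC2307_SCHEMA_OBJECTS; do
    # -i: the CN is "PosixAccount" but the ldapDisplayName is "posixAccount".
    if ! printf '%s\n' "$unfolded_schema" | grep -iq "^dn: CN=$obj,CN=Schema,"; then
      missing="$missing $obj"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing RFC2307 schema objects:$missing"
    return 1
  fi
  echo "all RFC2307 schema objects present"
}

# $1 = user DN, $2 = uidNumber, $3 = gidNumber, $4 = output LDIF.
# Two attribute changes in one modify need the "-" separator, which the OP's
# single-attribute LDIF did not need.
make_uidnumber_ldif() {
  case "$2" in ''|*[!0-9]*) echo "uidNumber must be numeric: $2" >&2; return 1 ;; esac
  case "$3" in ''|*[!0-9]*) echo "gidNumber must be numeric: $3" >&2; return 1 ;; esac
  cat > "$4" <<EOF
dn: $1
changetype: modify
add: uidNumber
uidNumber: $2
-
add: gidNumber
gidNumber: $3
EOF
}

# Constructed sample schema dump (not a real one). $1 = output file;
# $2 = "full" also writes the RFC2307 objects, with each dn folded across two
# lines the way an LDIF writer may do it.
make_sample_schema() {
  {
    printf '# record 1\ndn: CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv\nobjectClass: attributeSchema\ncn: Trust-Posix-Offset\n\n'
    printf '# record 2\ndn: CN=User,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv\nobjectClass: classSchema\ncn: User\n\n'
    if [ "$2" = full ]; then
      n=3
      for obj in $RFC2307_SCHEMA_OBJECTS; do
        printf '# record %d\ndn: CN=%s,\n CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv\ncn: %s\n\n' "$n" "$obj" "$obj"
        n=$((n + 1))
      done
    fi
  } > "$1"
}

# Demo on the constructed sample that mirrors the OP's server.
demo_dir=$(mktemp -d)
make_sample_schema "$demo_dir/schema.ldif"
check_rfc2307_schema "$demo_dir/schema.ldif" || true
make_uidnumber_ldif "CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv" 300999 300513 "$demo_dir/janis.ldif"
cat "$demo_dir/janis.ldif"
rm -rf "$demo_dir"
```

On a real DC, run the ldbsearch from the comment into a file and pass that file to `check_rfc2307_schema`; only once it reports nothing missing is the generated LDIF worth applying with `ldbmodify -H /usr/local/samba/private/sam.ldb janis.ldif`, on a single DC, with the rfc2307 idmap setting (written `idmap_ldb:use rfc2307 = yes` in smb.conf) on every DC afterwards, as steve says above. The numeric check on the uid/gid values is there because ldbmodify will reject a non-integer anyway, but catching it before touching sam.ldb is cheaper.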


