[Samba] Samba 4 Consistent uid gid mapping across servers.

Gints Neimanis gintsn at gmail.com
Tue Oct 22 07:43:12 MDT 2013


On 10/22/2013 04:20 PM, Rowland Penny wrote:
> On 22/10/13 13:55, Gints Neimanis wrote:
>> On 10/22/2013 11:51 AM, Rowland Penny wrote:
>>> On 22/10/13 07:04, Gints Neimanis wrote:
>>>> On 10/22/2013 02:02 AM, steve wrote:
>>>>> On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
>>>>>> hi, just a thought, did you join the initial Samba 4 server as a second DC
>>>>>> to the Windows 2003 server? and if so was it a 2003 or a 2003R2 server?
>>>>>> If it was just a 2003 server and did not have SFU added to it, then you
>>>>>> probably do not have the required ObjectClasses & Attributes in your schema.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi
>>>>> That could be it. The OP's ldif for adding the uidNumber is fine, but
>>>>> the schema wants none of it. The schema that ships with Samba4 works
>>>>> fine _if that is the first DC in the domain_. As Rowland says, 
>>>>> this is
>>>>> likely caused by the Samba4 DC being joined to an existing domain 
>>>>> based
>>>>> on 2003 or before. The only difference between our (working) ldif is
>>>>> that we are adding to CN=Users, not an OU.
>>>> Yes. Samba4 was second DC on Win2003 AD, then I transferred all 
>>>> roles to Samba4 and removed Win2003 DC's. Windows DC was without SFU.
>>>>
>>>> Are there any directions how to add the necessary schemas to Samba4?
>>>>
>>>> Gints
>>>>
>>>>>> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
>>>>>>
>>>>>>> On 10/19/2013 10:58 AM, steve wrote:
>>>>>>>
>>>>>>>> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
>>>>>>>>
>>>>>>>>>   ...
>>>>>>>>>
>>>>>>>>> My question is, that since I did not specify rfc2307 when I 
>>>>>>>>> originally
>>>>>>>>> provisioned the domain what is going to be the effect if I try 
>>>>>>>>> to use it
>>>>>>>>> after the fact.
>>>>>>>>>
>>>>>>>> No problem. You can use the full set of rfc2307 attributes 
>>>>>>>> perfectly
>>>>>>>> well without it.
>>>>>>>>
>>>>>>>>> ...
>>>>>>>>>
>>>>>>>> Not a big deal. You can use wbinfo -i to pull the info for uidNumber and
>>>>>>>> gidNumber and ldbmodify. But be warned: do this on a _single_ DC and
>>>>>>>> add:
>>>>>>>> idmap_ldb use:rfc2307 = Yes
>>>>>>>> to smb.conf to all your DC's afterwards.
>>>>>>>>
>>>>>>> Can you please from this point give some more detailed steps?
>>>>>>>
>>>>>>> I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
>>>>>>>
>>>>>>> Now I wish to add uidNumber attribute to user object:
>>>>>>>
>>>>>>> 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and 
>>>>>>> restarted samba
>>>>>>>
>>>>>>> 2) prepared file  ldbm.ldif with content:
>>>>>>> ==
>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>> changetype: modify
>>>>>>> add: uidNumber
>>>>>>> uidNumber: 300999
>>>>>>> ==
>>>>>>>
>>>>>>> 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>>> .. and got:
>>>>>>>
>>>>>>> ERR: (No such attribute) "objectclass_attrs: attribute 'uidNumber' on
>>>>>>> entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>>>>> schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block
>>>>>>> before line 5
>>>>>>> Modify failed after processing 0 records
>>>>>>>
>>>>>>> .. tried to add uidNumber with ldbedit -H /usr/local/samba/private/sam.ldb
>>>>>>> sAMAccountName=janis.ozols
>>>>>>>
>>>>>>> ... and got:
>>>>>>>
>>>>>>> failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
>>>>>>> objectclass_attrs: attribute 'uidNumber' on entry
>>>>>>> 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in the
>>>>>>> schema!
>>>>>>>
>>>>>>> Then I tried to add the posixAccount class, but without success:
>>>>>>>
>>>>>>> # cat ldbm.ldif
>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>> changetype: modify
>>>>>>> add: objectClass
>>>>>>> objectClass: posixAccount
>>>>>>>
>>>>>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>>>
>>>>>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>>>>>>> setup
>>>>>>> ERR: (Unwilling to perform) "objectclass: object class changes on objects
>>>>>>> under the standard name contexts not allowed!" on DN
>>>>>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>>>>>> Modify failed after processing 0 records
>>>>>>>
>>>>>>> (don't know if it is related but:
>>>>>>> # samba-tool domain level raise --domain-level=2003
>>>>>>> ERROR: Could not retrieve the actual domain, forest level and/or 
>>>>>>> lowest DC
>>>>>>> function level! )
>>>>>>>
>>>>>>>
>>>>>>> current entries for this user are:
>>>>>>>
>>>>>>> ====
>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>> objectClass: top
>>>>>>> objectClass: person
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: user
>>>>>>> cn: janis.ozols
>>>>>>> sn: Janis
>>>>>>> description: tst
>>>>>>> givenName: ozols
>>>>>>> instanceType: 4
>>>>>>> whenCreated: 20130809130646.0Z
>>>>>>> whenChanged: 20130809130646.0Z
>>>>>>> displayName: ozols Janis
>>>>>>> uSNCreated: 7575
>>>>>>> name: janis.ozols
>>>>>>> objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
>>>>>>> badPwdCount: 0
>>>>>>> codePage: 0
>>>>>>> countryCode: 0
>>>>>>> homeDirectory: \\server\janis.ozols
>>>>>>> homeDrive: G:
>>>>>>> badPasswordTime: 0
>>>>>>> lastLogoff: 0
>>>>>>> lastLogon: 0
>>>>>>> scriptPath: all.bat
>>>>>>> primaryGroupID: 513
>>>>>>> profilePath: \\server\PROFILE\janis.ozols
>>>>>>> objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
>>>>>>> accountExpires: 9223372036854775807
>>>>>>> logonCount: 0
>>>>>>> sAMAccountName: janis.ozols
>>>>>>> sAMAccountType: 805306368
>>>>>>> userPrincipalName: janis.ozols at xyz.abc.lv
>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
>>>>>>> pwdLastSet: 130205272060000000
>>>>>>> userAccountControl: 512
>>>>>>> uSNChanged: 7577
>>>>>>> distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>> ====
>>>>>>>
>>>>>>> Gints.
>>>>>>>
>>>>>
>>>>
>>> Hi, First we need to make sure that the lack of the required 
>>> objectclasses & attributes is the problem, run this on the server:
>>>
>>> ldbsearch --url=/usr/local/samba/private/sam.ldb -b 
>>> "CN=Schema,CN=Configuration,DC=example,DC=com" > /root/schema.ldif
>>>
>>> Replacing 'DC=example,DC=com' with your variant of it, this also 
>>> supposes that sam.ldb is actually in '/usr/local/samba/private'
>>>
>>> After running the command, open '/root/schema.ldif' in your 
>>> favourite editor and search for ' CN=PosixAccount' . If it cannot be 
>>> found then this is your problem, as a further check, I got 1550 
>>> entries on a newly provisioned ADDC.
>>>
>>> Rowland
>>
>> Hi,
>>
>> Thanks for your attention!
>>
>> I don't have any PosixAccount, only dn: 
>> CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=...
>>
>> I already tried to add PosixAccount to the user object, but without 
>> success.
>>
>> # cat ldbm.ldif
>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>> changetype: modify
>> add: objectClass
>> objectClass: posixAccount
>>
>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>
>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>> setup
>> ERR: (Unwilling to perform) "objectclass: object class changes on objects
>> under the standard name contexts not allowed!" on DN
>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>> Modify failed after processing 0 records
>>
>> I will be very pleased, if there are some directions how to extend 
>> schema with necessary data.
>>
>> Gints
>>
> Hi, did you run the command I posted and do you now have the file 
> 'schema.ldif' in /root ?

Yes
>
> If so, can you find 'CN=PosixAccount,CN=Schema,CN=Configuration' in 
> the file ?

No
>
> You do not ever need to add the 'PosixAccount' & 'PosixGroup' 
> objectclasses to a container, they are auxiliary classes of 'User' and 
> windows never adds them.
>
> If, as it seems, you do not have the required SFU objectClasses & 
> Attributes, you now have a bit of work in front of you, unless 
> somebody else can help, I can only suggest that you compare my 
> schema.ldif with yours, remove what is in yours from mine and then add 
> what is left to your AD DC
>
> You will then need to add /usr/local/samba/share/setup/ypServ30.ldif

Thanks for your help. Then I will provision a clean Samba4 domain in a 
test environment and will compare the schemas between the migrated and 
clean domains. At least it will be a more exciting job than migrating 
back to Windows 2003 (R2), adding SFU and then back to Samba4.

Best regards!
Gints


>
> I do not think that anybody has tried this yet, but if this a bad 
> idea, then I am sure that somebody will say so.
>
> Rowland
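The check Rowland describes (dump the schema partition, then look for the SFU classes and attributes), as an added shell example that is not code from this thread or from Samba. It looks for the lDAPDisplayName values rather than the CN= of the schema objects, because that is the name ldbmodify failed to resolve in the error above. The sam.ldb path and the base DN are assumptions taken from the thread (override them with SAM_LDB and BASE_DN), the ldbsearch line is the one Rowland posted, and the embedded schema dump is constructed for the demonstration, not real ldbsearch output.

```shell
#!/bin/sh
# Added example for this thread, not code from it: check a dump of the Samba AD
# schema partition for the RFC2307 (SFU) classes and attributes that must exist
# before uidNumber/gidNumber can be written to a user or group.
# Assumptions: sam.ldb lives at /usr/local/samba/private (the path used in the
# thread) and BASE_DN is your domain; override both via the environment.

SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# ldbmodify resolves attribute and class names through lDAPDisplayName (the
# "attribute 'uidNumber' ... not found in the schema" error is about that
# name), so check those values rather than the CN= of the schema object.
RFC2307_NAMES="posixAccount posixGroup uidNumber gidNumber unixHomeDirectory loginShell gecos"

# Dump the whole schema partition to a file (Rowland's ldbsearch command).
dump_schema() {
    ldbsearch --url="$SAM_LDB" -b "CN=Schema,CN=Configuration,$BASE_DN" > "$1"
}

# Number of schema objects in the dump; a freshly provisioned Samba 4 DC has
# around 1550 according to the thread, far fewer means an incomplete dump.
count_schema_entries() {
    grep -c '^dn: ' "$1"
}

# Print the names from RFC2307_NAMES that have no lDAPDisplayName in the dump.
# Returns 0 if nothing is missing, 1 otherwise.
missing_rfc2307() {
    dump="$1"
    missing=""
    for name in $RFC2307_NAMES; do
        if ! grep -qi "^lDAPDisplayName: ${name}\$" "$dump"; then
            missing="$missing $name"
        fi
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample dump (not real ldbsearch output): a schema like the one in
# the thread, which has Trust-Posix-Offset but none of the SFU objects, except
# that uidNumber is present so the output shows a partial result.
write_sample_schema() {
    cat > "$1" <<'EOF'
dn: CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: trustPosixOffset

dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: uidNumber

dn: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
lDAPDisplayName: person
EOF
}

# Usage: sh check_rfc2307_schema.sh /root/schema.ldif
# (dump first, on the DC itself, with: dump_schema /root/schema.ldif)
# With no argument nothing runs, so the functions can be sourced.
if [ $# -gt 0 ]; then
    echo "schema entries: $(count_schema_entries "$1")"
    if m=$(missing_rfc2307 "$1"); then
        echo "all RFC2307 names present, uidNumber can be added with ldbmodify"
    else
        echo "missing from schema: $m"
    fi
fi
```

Run it against the /root/schema.ldif produced on the migrated DC and against one from a freshly provisioned test DC; the names it reports missing are the schema objects that have to be added before the original uidNumber ldbmodify can succeed. As Rowland notes, posixAccount and posixGroup are auxiliary classes and are never added to the user object itself; only the attributes are written. Before writing anything to sam.ldb directly, stop samba and take a copy of the private directory, since ldbmodify on the schema partition is not something you can undo with a second LDIF. The smb.conf parameter that makes the DC read those attributes is spelled `idmap_ldb:use rfc2307 = yes`, and it has to be set on every DC once the attributes exist.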


