[Samba] Samba 4 Consistent uid gid mapping across servers.

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 22 07:56:54 MDT 2013


On 22/10/13 14:43, Gints Neimanis wrote:
> On 10/22/2013 04:20 PM, Rowland Penny wrote:
>> On 22/10/13 13:55, Gints Neimanis wrote:
>>> On 10/22/2013 11:51 AM, Rowland Penny wrote:
>>>> On 22/10/13 07:04, Gints Neimanis wrote:
>>>>> On 10/22/2013 02:02 AM, steve wrote:
>>>>>> On Mon, 2013-10-21 at 20:05 +0100, Rowland Penny wrote:
>>>>>>> hi, just a thought, did you join the initial Samba 4 server as a 
>>>>>>> second DC
>>>>>>> to the windows 2003 server? and if so was it a 2003 or a 2003R2 
>>>>>>> server?
>>>>>>> If it was just a 2003 server and did not have SFU added to it, 
>>>>>>> then you
>>>>>>> probably do not have the required ObjectClasses & Attributes in 
>>>>>>> your schema.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Hi
>>>>>> That could be it. The OP's ldif for adding the uidNumber is fine, 
>>>>>> but
>>>>>> the schema wants none of it. The schema that ships with Samba4 works
>>>>>> fine _if that is the first DC in the domain_. As Rowland says, 
>>>>>> this is
>>>>>> likely caused by the Samba4 DC being joined to an existing domain 
>>>>>> based
>>>>>> on 2003 or before. The only difference between our (working) ldif is
>>>>>> that we are adding to CN=Users, not an OU.
>>>>> Yes. Samba4 was second DC on Win2003 AD, then I transferred all 
>>>>> roles to Samba4 and removed Win2003 DC's. Windows DC was without SFU.
>>>>>
>>>>> Is there any directions, how to add necessary schemas to Samba4?
>>>>>
>>>>> Gints
>>>>>
>>>>>>> On 21 October 2013 13:57, Gints Neimanis <gintsn at gmail.com> wrote:
>>>>>>>
>>>>>>>> On 10/19/2013 10:58 AM, steve wrote:
>>>>>>>>
>>>>>>>>> On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
>>>>>>>>>
>>>>>>>>>>   ...
>>>>>>>>>>
>>>>>>>>>> My question is, that since I did not specify rfc2307 when I 
>>>>>>>>>> originally
>>>>>>>>>> provisioned the domain what is going to be the effect if I 
>>>>>>>>>> try to use it
>>>>>>>>>> after the fact.
>>>>>>>>>>
>>>>>>>>> No problem. You can use the full set of rfc2307 attributes 
>>>>>>>>> perfectly
>>>>>>>>> well without it.
>>>>>>>>>
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>> Not a big deal. You can use wbinfo -i to pull the info fr 
>>>>>>>>> uidNumber and
>>>>>>>>> gidNumber and ldbmodify. But be warned: do this on a _single_ 
>>>>>>>>> DC and
>>>>>>>>> add:
>>>>>>>>> idmap_ldb use:rfc2307 = Yes
>>>>>>>>> to smb.conf to all your DC's afterwards.
>>>>>>>>>
>>>>>>>> Can you please from this point give some more detailed steps?
>>>>>>>>
>>>>>>>> I have already migrated W2K3 AD -> Samba 4.0.7 -> Samba 4.1.0
>>>>>>>>
>>>>>>>> Now I wish to add uidNumber attribute to user object:
>>>>>>>>
>>>>>>>> 1) I have added idmap_ldb use:rfc2307 = Yes to smb.conf and 
>>>>>>>> restarted samba
>>>>>>>>
>>>>>>>> 2) prepared file  ldbm.ldif with content:
>>>>>>>> ==
>>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>> changetype: modify
>>>>>>>> add: uidNumber
>>>>>>>> uidNumber: 300999
>>>>>>>> ==
>>>>>>>>
>>>>>>>> 3) ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>>>> .. and got:
>>>>>>>>
>>>>>>>> ERR: (No such attribute) "objectclass_attrs: attribute 
>>>>>>>> 'uidNumber' on
>>>>>>>> entry 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not
>>>>>>>> found in the
>>>>>>>> schema!" on DN CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at
>>>>>>>> block
>>>>>>>> before line 5
>>>>>>>> Modify failed after processing 0 records
>>>>>>>>
>>>>>>>> .. tried to add uidNumber with ldbedit -H
>>>>>>>> /usr/local/samba/private/sam.ldb
>>>>>>>> sAMAccountName=janis.ozols
>>>>>>>>
>>>>>>>> ... and got:
>>>>>>>>
>>>>>>>> failed to modify CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv -
>>>>>>>> objectclass_attrs: attribute 'uidNumber' on entry
>>>>>>>> 'CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv' was not found in
>>>>>>>> the
>>>>>>>> schema!
>>>>>>>>
>>>>>>>> Then I tried to add the posixAccount class, but without success:
>>>>>>>>
>>>>>>>> # cat ldbm.ldif
>>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>> changetype: modify
>>>>>>>> add: objectClass
>>>>>>>> objectClass: posixAccount
>>>>>>>>
>>>>>>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>>>>>>
>>>>>>>> ../source4/dsdb/common/util.c:3130: WARNING:
>>>>>>>> forestFunctionality not
>>>>>>>> setup
>>>>>>>> ERR: (Unwilling to perform) "objectclass: object class changes 
>>>>>>>> on objects
>>>>>>>> under the standard name contexts not allowed!" on DN
>>>>>>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before
>>>>>>>> line 8
>>>>>>>> Modify failed after processing 0 records
>>>>>>>>
>>>>>>>> (don't know if it is related but:
>>>>>>>> # samba-tool domain level raise --domain-level=2003
>>>>>>>> ERROR: Could not retrieve the actual domain, forest level 
>>>>>>>> and/or lowest DC
>>>>>>>> function level! )
>>>>>>>>
>>>>>>>>
>>>>>>>> current entries for this user are:
>>>>>>>>
>>>>>>>> ====
>>>>>>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>> objectClass: top
>>>>>>>> objectClass: person
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: user
>>>>>>>> cn: janis.ozols
>>>>>>>> sn: Janis
>>>>>>>> description: tst
>>>>>>>> givenName: ozols
>>>>>>>> instanceType: 4
>>>>>>>> whenCreated: 20130809130646.0Z
>>>>>>>> whenChanged: 20130809130646.0Z
>>>>>>>> displayName: ozols Janis
>>>>>>>> uSNCreated: 7575
>>>>>>>> name: janis.ozols
>>>>>>>> objectGUID: 05af67f7-c5e0-439c-9cae-cfe667cf19ea
>>>>>>>> badPwdCount: 0
>>>>>>>> codePage: 0
>>>>>>>> countryCode: 0
>>>>>>>> homeDirectory: \\server\janis.ozols
>>>>>>>> homeDrive: G:
>>>>>>>> badPasswordTime: 0
>>>>>>>> lastLogoff: 0
>>>>>>>> lastLogon: 0
>>>>>>>> scriptPath: all.bat
>>>>>>>> primaryGroupID: 513
>>>>>>>> profilePath: \\server\PROFILE\janis.ozols
>>>>>>>> objectSid: S-1-5-21-2016371725-1493893514-1541874228-20143
>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>> logonCount: 0
>>>>>>>> sAMAccountName: janis.ozols
>>>>>>>> sAMAccountType: 805306368
>>>>>>>> userPrincipalName: janis.ozols at xyz.abc.lv
>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
>>>>>>>> pwdLastSet: 130205272060000000
>>>>>>>> userAccountControl: 512
>>>>>>>> uSNChanged: 7577
>>>>>>>> distinguishedName: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>>>>>>> ====
>>>>>>>>
>>>>>>>> Gints.
>>>>>>>>
>>>>>>
>>>>>
>>>> Hi, First we need to make sure that the lack of the required 
>>>> objectclasses & attributes is the problem, run this on the server:
>>>>
>>>> ldbsearch --url=/usr/local/samba/private/sam.ldb -b 
>>>> "CN=Schema,CN=Configuration,DC=example,DC=com" > /root/schema.ldif
>>>>
>>>> Replacing 'DC=example,DC=com' with your variant of it, this also 
>>>> supposes that sam.ldb is actually in '/usr/local/samba/private'
>>>>
>>>> After running the command, open '/root/schema.ldif' in your 
>>>> favourite editor and search for 'CN=PosixAccount'. If it cannot
>>>> be found then this is your problem, as a further check, I got 1550 
>>>> entries on a newly provisioned ADDC.
>>>>
>>>> Rowland
>>>
>>> Hi,
>>>
>>> Thanks for your attention!
>>>
>>> I don't have any PosixAccount, only dn:
>>> CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=...
>>>
>>> I already tried to add PosixAccount to user object, but without
>>> success.
>>>
>>> # cat ldbm.ldif
>>> dn: CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv
>>> changetype: modify
>>> add: objectClass
>>> objectClass: posixAccount
>>>
>>> ldbmodify -H /usr/local/samba/private/sam.ldb ldbm.ldif
>>>
>>> ../source4/dsdb/common/util.c:3130: WARNING: forestFunctionality not
>>> setup
>>> ERR: (Unwilling to perform) "objectclass: object class changes on 
>>> objects
>>> under the standard name contexts not allowed!" on DN
>>> CN=janis.ozols,OU=2009,DC=xyz,DC=abc,DC=lv at block before line 8
>>> Modify failed after processing 0 records
>>>
>>> I will be very pleased, if there are some directions how to extend 
>>> schema with necessary data.
>>>
>>> Gints
>>>
>> Hi, did you run the command I posted and do you now have the file 
>> 'schema.ldif' in /root ?
>
> Yes
>>
>> If so, can you find 'CN=PosixAccount,CN=Schema,CN=Configuration' in 
>> the file ?
>
> No
>>
>> You do not ever need to add the 'PosixAccount' & 'PosixGroup' 
>> objectclasses to a container, they are auxiliary classes of 'User' 
>> and windows never adds them.
>>
>> If, as it seems, you do not have the required SFU objectClasses & 
>> Attributes, you now have a bit of work in front of you, unless 
>> somebody else can help, I can only suggest that you compare my 
>> schema.ldif with yours, remove what is in yours from mine and then 
>> add what is left to your AD DC
>>
>> You will then need to add /usr/local/samba/share/setup/ypServ30.ldif
>
> Thanks for your help. Then I will provision some clean Samba4 domain 
> in test environment and  will compare schemas between migrated and 
> clean domains. At least it will be more exciting job than migrate back 
> to Windows2003(R2) add SFU and then back to samba4.

Windows 2003 didn't come with SFU, it had to be added, but Windows
2003R2 did; there is the difference. I personally do not find the very
easy job of compiling and provisioning Samba 4.1 exciting ;-)

I think if you start from a new provision of Samba 4.1 (using
--use-rfc2307) then all of your problems will disappear.

Rowland

>
> Best regards!
> Gints
>
>
>>
>> I do not think that anybody has tried this yet, but if this a bad 
>> idea, then I am sure that somebody will say so.
>>
>> Rowland
>
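The schema comparison Rowland describes above (dump CN=Schema,CN=Configuration from both a clean provision and the migrated domain, keep what the migrated one lacks) can be done mechanically. The following script is an added example, not code from the thread or from the Samba project. It assumes both dumps were produced with the ldbsearch command posted earlier in the thread; because the two domains have different base DNs, entries are matched on their RDN (the CN=... component directly under the schema container) rather than on the full DN. The list of server-maintained attributes to drop, the rewriting of values that end in the old base DN, and the two embedded LDIF samples are all my own constructions for the example.

```python
"""Diff two ldbsearch schema dumps and report entries the migrated domain lacks.

Added example (not from the samba mailing list thread). Assumed inputs: two
files produced by
  ldbsearch --url=/usr/local/samba/private/sam.ldb \
      -b "CN=Schema,CN=Configuration,DC=example,DC=com" > schema.ldif
one from a freshly provisioned DC (reference), one from the migrated DC.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Attributes the server maintains itself (assumption: these appear in the
# dump but must not be supplied when re-adding an entry elsewhere).
SERVER_MANAGED = {"instancetype", "whencreated", "whenchanged", "usncreated",
                  "usnchanged", "objectguid", "distinguishedname"}


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF/ldbsearch output into a list of {attr: [values]} dicts.

    Handles RFC 2849 folded lines (leading space), '# comment' lines that
    ldbsearch emits ('# record 1', '# returned N records') and 'attr:: base64'.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join continuation line
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def schema_rdn(entry: Entry) -> str:
    """Lower-cased first RDN of the entry's DN, e.g. 'cn=posixaccount'."""
    dn = entry.get("dn", [""])[0]
    return dn.split(",", 1)[0].strip().lower()


def missing_entries(reference: str, migrated: str) -> List[Entry]:
    """Schema entries present in the reference dump but absent from the migrated one."""
    present = {schema_rdn(e) for e in parse_ldif(migrated)}
    return [e for e in parse_ldif(reference) if schema_rdn(e) not in present]


def has_rfc2307(ldif_text: str) -> bool:
    """True when both the posixAccount class and the uidNumber attribute are defined."""
    rdns = {schema_rdn(e) for e in parse_ldif(ldif_text)}
    return {"cn=posixaccount", "cn=uidnumber"} <= rdns


def as_ldif(entries: List[Entry], old_base: str, new_base: str) -> str:
    """Render entries as LDIF for the target domain.

    Drops server-managed attributes and rewrites every value that ends with
    old_base (dn, defaultObjectCategory, ...) so it ends with new_base instead.
    """
    out: List[str] = []
    for entry in entries:
        for attr, values in entry.items():
            if attr.lower() in SERVER_MANAGED:
                continue
            for value in values:
                if value.lower().endswith(old_base.lower()):
                    value = value[:-len(old_base)] + new_base
                out.append(f"{attr}: {value}")
        out.append("")
    return "\n".join(out)


# Constructed sample dumps (heavily trimmed; real dumps have ~1550 entries).
REFERENCE = """\
# record 1
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
cn: User

dn: CN=PosixAccount,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
cn: PosixAccount
lDAPDisplayName: posixAccount
objectGUID: 00000000-0000-0000-0000-000000000000
defaultObjectCategory: CN=PosixAccount,CN=Schema,CN=Configuration,
 DC=example,DC=com

dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
cn: uidNumber
attributeID: 1.3.6.1.1.1.1.0
"""

MIGRATED = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
objectClass: classSchema
cn: User

dn: CN=Trust-Posix-Offset,CN=Schema,CN=Configuration,DC=xyz,DC=abc,DC=lv
objectClass: attributeSchema
cn: Trust-Posix-Offset
"""

if __name__ == "__main__":
    print("migrated domain has rfc2307 schema:", has_rfc2307(MIGRATED))
    missing = missing_entries(REFERENCE, MIGRATED)
    print("missing:", [schema_rdn(e) for e in missing])
    print(as_ldif(missing, "DC=example,DC=com", "DC=xyz,DC=abc,DC=lv"))
```

With real dumps, replace the two embedded strings with the file contents and adjust the two base DNs. The output is only the list of entries the migrated schema lacks, rebased to the target domain; it is the starting point for the "add what is left" step, not a finished import.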
