[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)

Trent W. Buck trentbuck at gmail.com
Sun Oct 27 17:55:20 MDT 2013

After a classicupgrade, I noticed some users and many groups were
missing from samba4, that had been in samba3's LDAP.

"No problem," I thought.  "I'll just 'samba-tool group add' them."

Except that groups created that way don't have things like gidNumber and
objectClass: posixGroup, which means that nss_ldapd can't see them.

Can I tell samba-tool to manage RFC2307 attributes as well as AD
attributes?  I can't find anything relevant in smb.conf(5) manpage.

I wouldn't even care about this, but nss_winbind sees fewer accounts
than wbinfo which in turn sees fewer accounts than samba-tool!  So I
gave up and fell back to nss-ldapd, thinking I was saved -- but now it
seems the workaround only works for classicupgraded accounts, not new ones.

I also thought about telling nslcd.conf to turn the SIDs into posix UIDs
and GIDs on its own, but I can't see how to do that.  The AD schema
appears to store objectSid as a binary attr.  I'm not even sure how to
dump the ad schema as I would have examined cn=config in OpenLDAP.
