[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)

steve steve at steve-ss.com
Mon Oct 28 00:39:24 MDT 2013

On Mon, 2013-10-28 at 10:55 +1100, Trent W. Buck wrote:
> After a classicupgrade, I noticed some users and many groups were
> missing from samba4, that had been in samba3's LDAP.
> "No problem," I thought.  "I'll just 'samba-tool group add' them."
> Except that groups created that way don't have things like gidNumber and
> objectClass: posixGroup, which means that nss_ldapd can't see them.
> Can I tell samba-tool to manage RFC2307 attributes as well as AD
> attributes? 

Not with 4.0.9. You need 4.1 to be able to do that with samba-tool.
Running
samba-tool group create --help
will get you a list of the rfc2307 syntax.

>  I can't find anything relevant in smb.conf(5) manpage.
> I wouldn't even care about this, but nss_winbind sees fewer accounts
> than wbinfo which in turn sees fewer accounts than samba-tool!  So I
> gave up and fell back to nss-ldapd, thinking I was saved -- but now it
> seems the workaround only works for classicupgraded accounts, not new ones.

classicupgrade accounts that had gidNumber will retain it. New groups do
not have the gidNumber added. You can easily add it yourself using
ldbmodify immediately after the group is created. For the Samba4 schema,
you do not need to add the posixGroup class.

> I also thought about telling nslcd.conf to turn the SIDs into posix UIDs
> and GIDs on its own, but I can't see how to do that.  The AD schema
> appears to store objectSid as a binary attr.  I'm not even sure how to
> dump the ad schema as I would have examined cn=config in OpenLDAP.

There is a copy of the schema at:

If you want everything to just work, I'd suggest sssd v1.10 or newer
which has a very good AD backend for stuff like you want.
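The ldbmodify workaround above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the Samba project. It assumes (none of this is stated in the thread) that the DC's database is /var/lib/samba/private/sam.ldb, that new groups land under CN=Users, and that you want gidNumbers allocated above a floor so they never collide with local /etc/group entries; the function names gid_ldif, next_gid, valid_gid and add_gid are my own.

```shell
#!/bin/sh
# Added example (not from the original post): give a group that
# "samba-tool group add" created on Samba 4.0.x the gidNumber it is missing,
# so nss_ldapd/nslcd can resolve it. No posixGroup objectClass is needed
# with the Samba4 schema, as the reply says.
#
# Assumed (not in the thread): sam.ldb path, CN=Users container, a gid floor.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
GID_FLOOR="${GID_FLOOR:-10000}"

# Only accept a plain decimal gidNumber, so a typo never lands in the directory.
valid_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the LDIF that ldbmodify expects: one "modify" change adding gidNumber.
# $1 = group name (its CN), $2 = gidNumber, $3 = base DN of the domain.
gid_ldif() {
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' \
        "$1" "$3" "$2"
}

# Pick the next unused gidNumber. Reads ldbsearch output ("gidNumber: NNN"
# lines) on stdin and prints max+1, but never less than the floor in $1.
next_gid() {
    awk -v floor="$1" '
        /^gidNumber: / { if ($2 + 0 > max) max = $2 + 0 }
        END { if (max + 1 > floor) print max + 1; else print floor }'
}

# Validate, build the LDIF and hand it to ldbmodify against the local sam.ldb.
# $1 = group, $2 = gidNumber, $3 = base DN, $4 = sam.ldb path.
add_gid() {
    valid_gid "$2" || { echo "add_gid: bad gidNumber '$2'" >&2; return 1; }
    gid_ldif "$1" "$2" "$3" | ldbmodify -H "$4"
}

# Typical use on the DC, right after creating the group:
#   samba-tool group add devs
#   gid=$(ldbsearch -H "$SAM_LDB" '(gidNumber=*)' gidNumber | next_gid "$GID_FLOOR")
#   sh thisscript.sh devs "$gid" DC=example,DC=com "$SAM_LDB"
if [ $# -eq 4 ]; then
    add_gid "$@"
fi
```

ldbsearch only returns the gidNumber attribute here, so next_gid sees nothing but "gidNumber: N" lines and the dn lines, and the floor guarantees a sane value on a domain that has no posix gids yet. The example prints the change as LDIF before applying it; if you want a dry run, replace the ldbmodify call with cat.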
