[Samba] Moving LDAP tree

Bram Matthys syzop at vulnscan.org
Wed Feb 19 16:16:40 MST 2014


I posted earlier to the samba-technical list, asking how to change the
source to reflect my Windows 2003 setup, which apparently uses a different
place to store DNS entries. But it's probably better to just move that part
of the LDAP tree to where Samba expects it, so that's what I'm attempting
now (the original thread is at the end of this mail for reference).

I would like to move the contents of:

How do I do this? I'm using Samba 4.1.4, by the way.

This is what I already have tried:

I first tried copying by dumping the contents with ldapsearch, doing a mass
search & replace, then ldapadd, but due to the order of the DNs in the file
this does not work. Child objects exist before parent objects, and this raises:
Cannot add [..], parent does not exist!
Due to the number of entries, manually reordering the entries is not
feasible. I didn't find any ldapsearch option to sort the result so that
parent objects come before child objects either, which is strange.

I then tried 3 LDAP editors to move the item:
* Apache Directory Studio: when selecting 'Move...' no dialog box pops up
* LDAPAdmin (from ldapadmin.org): This triggers 00002035: replmd_add: it's
not allowed to add an object with objectGUID!
* phpLDAPAdmin: Triggers a 'Server is unwilling to perform' error

At this point I'm rather stuck.

Any ideas?



Bram Matthys wrote, on 17-2-2014 22:09:
> Subject: Re: Cannot manage DNS through Windows ADUC or samba-tool
> Hi,
> I recently migrated from Windows 2003 + 2008 R2 to Samba 4 (and ditched the
> Windows servers). Unfortunately managing DNS from Windows doesn't seem to be
> working, and neither does samba-tool dns serverinfo:
> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
> Just to be clear: DNS itself is working fine, I can ping my workstation from
> my server by name, etc.
> I found this post, which seems to find the source of the problem:
> https://lists.samba.org/archive/samba-technical/2012-April/083081.html
> Quoting:
>> On Wed, Apr 25, 2012 at 5:35 AM, Greg Dickie <greg at justaguy.ca> wrote:
>>> Hi Amitay,
>>>  I think I may have figured this out. My AD started out as a 2003 SBS
>>> system so the schemas are a bit different. Looking in the rpcdce code
>>> for DNS I see that dnsserver_init_serverinfo
>>> (rpc_server/dnsserver/dnsutils.c ) is called and starts looking for
>>> CN=MicrosoftDNS,DC=DomainDnsZones,...,
>>> My schema does not have that, the closest I could find is something that
>>> looks like this:
>>> dn: DC=DomainDnsZones,DC=example.local,CN=MicrosoftDNS,CN=System,DC=example,DC=local
> I think I have the same setup.
> In CN=MicrosoftDNS,DC=DomainDnsZones,DC=COMPANY,DC=NET I only have
> DC=RootDNSServers.
> My DNS zones are under CN=MicrosoftDNS,CN=System,DC=COMPANY,DC=NET
> With host entries like:
> DC=D-99,DC=company.net,CN=MicrosoftDNS,CN=System,DC=COMPANY,DC=NET
> In this post Amitay suggests:
>> The older versions of window server (2003 and older) created the DNS
>> containers under CN=System in the domain partition, whereas the newer
>> windows server (2008+) creates separate application partitions for
>> DNS. DNS RPC server uses DNS partitions to store the DNS zone
>> information. But for querying purposes, dlz_bind9 module and internal
>> DNS server both can read records from CN=System in domain partition.
>> DNS RPC server can be easily modified to support CN=System for DNS
>> information. Patches are welcome! ;-)
>> Amitay.
> Did such a patch fail to get in (yet)?
> I use samba 4.1.4 with its internal DNS server.
> I checked dnsserver_init_serverinfo in
> source4/rpc_server/dnsserver/dnsutils.c and if I read the code well then
> this is all good:
> serverinfo->pszDsContainer = talloc_asprintf(mem_ctx,
> "CN=MicrosoftDNS,DC=DomainDnsZones,%s", ldb_dn_get_linearized(domain_dn));
> But later in the code it shows:
> serverinfo->pszDomainDirectoryPartition = talloc_asprintf(mem_ctx,
> "DC=DomainDnsZones,%s", ldb_dn_get_linearized(domain_dn));
> serverinfo->pszForestDirectoryPartition = talloc_asprintf(mem_ctx,
> "DC=ForestDnsZones,%s", ldb_dn_get_linearized(forest_dn));
> Is this the part I should get rid of or change?
> Thanks,
> Bram.

Bram Matthys
Software developer/IT consultant        syzop at vulnscan.org
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6
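As an added illustration of the dump, search-and-replace, ldapadd approach described above (example code, not from the original post), this script re-parents an LDIF dump from the CN=System location to the DC=DomainDnsZones one, orders entries so parents precede their children, skips the target container that already exists, and drops objectGUID, the attribute replmd_add complained about. The sample LDIF and suffix constants are constructed; it assumes DNs in the dump are plain (not base64 `dn::`) and that the old subtree is removed separately afterwards.

```python
import re
# Constructed sample in the shape of the author's ldapsearch dump: a host
# record precedes its zone, which is exactly what makes a plain ldapadd fail.
SAMPLE_LDIF = """\
dn: DC=D-99,DC=company.net,CN=MicrosoftDNS,CN=System,DC=COMPANY,DC=NET
objectClass: dnsNode
objectGUID:: AQIDBAUGBwgJCgsMDQ4PEA==

dn: CN=MicrosoftDNS,CN=System,DC=COMPANY,DC=NET
objectClass: container

dn: DC=company.net,CN=MicrosoftDNS,CN=System,DC=COMPANY,DC=NET
objectClass: dnsZone
"""
OLD_SUFFIX = "CN=MicrosoftDNS,CN=System,DC=COMPANY,DC=NET"          # constructed
NEW_SUFFIX = "CN=MicrosoftDNS,DC=DomainDnsZones,DC=COMPANY,DC=NET"  # constructed

def parse_ldif(text):
    """Split LDIF into (dn, [attribute lines]); folded lines and comments handled."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:            # RFC 2849 line folding
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append((lines[0][len("dn: "):], lines[1:]))
                lines = []
        elif not raw.startswith("#"):                # ldapsearch emits comments
            lines.append(raw)
    return entries

def rdn_count(dn):
    # Split on commas that are not escaped, so "DC=a\,b" stays a single RDN.
    return len(re.split(r"(?<!\\),", dn))

def rewrite_ldif(text, old_suffix, new_suffix, strip_attrs=("objectGUID",)):
    """Return LDIF for ldapadd: subtree re-parented, parents first, attrs stripped."""
    old, drop, out = old_suffix.lower(), {s.lower() for s in strip_attrs}, []
    for dn, attrs in parse_ldif(text):
        # Entries outside the subtree, and the container itself (which already
        # exists at the target), do not end with "," + old and are skipped.
        if not dn.lower().endswith("," + old):
            continue
        new_dn = dn[: len(dn) - len(old_suffix)] + new_suffix
        kept = [a for a in attrs if a.split(":", 1)[0].lower() not in drop]
        out.append((new_dn, kept))
    out.sort(key=lambda e: rdn_count(e[0]))   # stable: fewer RDNs = parent first
    return "\n\n".join("\n".join(["dn: " + dn] + attrs) for dn, attrs in out) + "\n"
```

Feed the result to `ldapadd`; if the server rejects further replication-metadata attributes, add their names to `strip_attrs`.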
