[Samba] RFC2307 attributes not being read by DC2 in 4.2.1

Fred Smith fs582087 at gmail.com
Wed Apr 22 19:48:22 MDT 2015


Hi all

On latest samba 4.2.1 I have provisioned a new domain on DC1 that
successfully reads RFC2307 attributes set on a user account through
ADUC.

wbinfo (correct uid gets resolved from sid)

wbinfo -n fsmith
S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
1000006


ldbsearch

sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub '(&(objectCategory=Person)(CN=Fred Smith))'
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
cn: Fred Smith
sn: Smith
givenName: Fred
instanceType: 4
whenCreated: 20150422234928.0Z
displayName: Fred Smith
uSNCreated: 4558
name: Fred Smith
objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
profilePath: %LOGONSERVER%\profiles\%USERNAME%
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: fsmith
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
uid: fsmith
uidNumber: 1000006
gidNumber: 50023
loginShell: /bin/false
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130742201680000000
userAccountControl: 512
msSFU30NisDomain: samdom
unixHomeDirectory: /dev/null
msSFU30Name: fsmith
unixUserPassword: ABCD!efgh12345$67890
userPrincipalName: fsmith@samdom.example.org
whenChanged: 20150422234929.0Z
uSNChanged: 4565
distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org


provision domain command

sudo samba-tool domain provision --use-rfc2307 --site="DC1" --interactive

Realm: SAMDOM.EXAMPLE.ORG
Domain: SAMDOM
Server Role: dc
DNS backend: BIND9_DLZ


DC1 smb.conf

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.ORG
        netbios name = DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

        # Disable printing
        printcap name = /dev/null
        load printers = no
        printing = bsd

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
        read only = No
        browseable = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        browseable = No


But when I join DC2 to the domain and attempt to retrieve the RFC2307
attributes, they don't get read.


wbinfo (wrong uid gets resolved from sid)

wbinfo -n fsmith
S-1-5-21-1273750850-484487853-1026460749-1120 SID_USER (1)
wbinfo -S S-1-5-21-1273750850-484487853-1026460749-1120
3000017


ldbsearch

sudo ldbsearch -H '/usr/local/samba/private/sam.ldb' -b 'DC=samdom,DC=example,DC=org' -s sub '(&(objectCategory=Person)(CN=Fred Smith))'
# record 1
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fred Smith
sn: Smith
givenName: Fred
instanceType: 4
whenCreated: 20150422234928.0Z
whenChanged: 20150422234929.0Z
displayName: Fred Smith
uSNCreated: 4494
uSNChanged: 4494
name: Fred Smith
objectGUID: 7b49274a-9ac9-48bd-9af7-e51e8ea17c9a
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130742201680000000
primaryGroupID: 513
profilePath: %LOGONSERVER%\profiles\%USERNAME%
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
accountExpires: 9223372036854775807
sAMAccountName: fsmith
sAMAccountType: 805306368
userPrincipalName: fsmith@example.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=org
unixUserPassword: ABCD!efgh12345$67890
uid: fsmith
msSFU30Name: fsmith
msSFU30NisDomain: samdom
uidNumber: 1000006
gidNumber: 50023
unixHomeDirectory: /dev/null
loginShell: /bin/false
distinguishedName: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org


join domain command

sudo samba-tool domain join samdom.example.org DC -UAdministrator --realm=samdom.example.org --site=DC2 --dns-backend=BIND9_DLZ



DC2 smb.conf

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
        workgroup = SAMDOM
        realm = samdom.example.org
        netbios name = DC2
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 # Added manually after join domain

        # Disable printing
        printcap name = /dev/null
        load printers = no
        printing = bsd

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.example.org/scripts
        read only = No
        browseable = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        browseable = No

Reading RFC2307 attributes on DC2 worked well using the same
configuration on samba 4.1.x.

Thanks

Fred.
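An added consistency check, not part of Fred's message or of the Samba project's code, that cross-checks the three artefacts quoted in the thread for one DC: it parses an smb.conf excerpt, reads uidNumber from the ldbsearch output and compares it with the uid that wbinfo -S returned for the user's SID. The sample inputs are constructed from the values shown above (the two [global] sections, the user's uidNumber, and the two wbinfo results). The parser's own rule, an assumption of this script rather than a statement about Samba's loadparm, is that only lines beginning with '#' or ';' are comments, so a parameter line that carries a trailing comment and no '= value' is reported rather than silently accepted.

```python
import re

# Constructed excerpts of the two smb.conf [global] sections from the thread.
DC1_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.ORG
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
"""

DC2_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        realm = samdom.example.org
        netbios name = DC2
        server role = active directory domain controller
        idmap_ldb:use rfc2307 # Added manually after join domain
"""

# Constructed LDIF excerpt holding only the attributes the check needs.
USER_LDIF = """\
dn: CN=Fred Smith,CN=Users,DC=samdom,DC=example,DC=org
sAMAccountName: fsmith
objectSid: S-1-5-21-1273750850-484487853-1026460749-1120
uidNumber: 1000006
gidNumber: 50023
"""

TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_smb_conf(text):
    """Parse smb.conf text into ({section: {param: value}}, malformed_lines).

    Only lines whose first non-blank character is '#' or ';' are treated as
    comments (this script's assumption).  A non-comment line inside a section
    that has no '=' is collected in malformed_lines instead of being dropped.
    """
    conf, malformed, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        key, value = line.split("=", 1)
        conf[section][key.strip().lower()] = value.strip()
    return conf, malformed


def parse_ldif(text):
    """Parse one flat LDIF record into {attr: [values]} (no folding, no base64)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        attrs.setdefault(attr, []).append(value)
    return attrs


def check_rfc2307(smb_conf, user_ldif, wbinfo_uid):
    """Return a list of findings; an empty list means the DC looks consistent."""
    findings = []
    conf, malformed = parse_smb_conf(smb_conf)
    for line in malformed:
        findings.append(f"smb.conf: parameter line without '= value': {line!r}")
    setting = conf.get("global", {}).get("idmap_ldb:use rfc2307")
    if setting is None:
        findings.append("smb.conf: 'idmap_ldb:use rfc2307 = yes' is not set in [global]")
    elif setting.lower() not in TRUE_VALUES:
        findings.append(f"smb.conf: 'idmap_ldb:use rfc2307' is {setting!r}, not yes")
    uid_number = parse_ldif(user_ldif).get("uidNumber", [None])[0]
    if uid_number is None:
        findings.append("directory: user has no uidNumber attribute")
    elif int(uid_number) != wbinfo_uid:
        findings.append(
            f"winbind: wbinfo -S returned uid {wbinfo_uid} but uidNumber is {uid_number}")
    return findings


if __name__ == "__main__":
    # wbinfo -S results quoted in the thread: 1000006 on DC1, 3000017 on DC2.
    for name, conf, uid in (("DC1", DC1_SMB_CONF, 1000006), ("DC2", DC2_SMB_CONF, 3000017)):
        result = check_rfc2307(conf, USER_LDIF, uid)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the values in the thread, DC1 produces no findings, while DC2 reports the parameter line that lacks a value, the consequently missing 'idmap_ldb:use rfc2307' setting, and the uid returned by winbind (3000017) not matching the user's uidNumber (1000006).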
