[Samba] Samba 4 Active Directory Quotas

Rowland Penny rpenny at samba.org
Wed Jan 27 10:14:09 UTC 2016


On 27/01/16 07:49, Daniele Manfredi wrote:
> Good afternoon,
> I've this issue: I have followed the instructions in this thread but,
> when I try to add quota.ldif I receive this error:
>
> Unable to find attribute quota in the schema
>
> ERR: (Invalid attribute syntax) "objectclass_attrs: attribute 
> 'mayContain' on entry 
> 'CN=systemQuotas,CN=Schema,CN=Configuration,DC=my_domain,DC=it' 
> contains at least one invalid value!" on DN 
> CN=systemQuotas,CN=Schema,CN=Configuration,DC=my_domain,DC=it at block 
> before line 27
> Modify failed after processing 1 records
>
> > On 27/12/14 06:26, Greg Zartman wrote:
> > > I've been messing around with disk quotas for users and have seen some who
> > > have extended the Samba 4 AD schema to include a quota attribute. For
> > > example, I found this schema extension here:
> > > http://fossies.org/linux/quota/ldap-scripts/quota.schema
> > >
> > > Is there a common method for doing this?
> >
> > Yes, samba4 comes with a script: oLschema2ldif
> >
> > To use this, you just need to create a file containing the schema on the DC:
> >
> > root@dc01:~# nano quota.schema
> >
> > ##
> > ## schema file for Unix Quotas
> > ## Schema for storing Unix Quotas in LDAP
> > ## OIDs are owned by Cogent Innovators, LLC
> > ##
> > ## 1.3.6.1.4.1.19937.1.1.x - attributetypes
> > ## 1.3.6.1.4.1.19937.1.2.x - objectclasses
> > ##
> >
> > attributetype ( 1.3.6.1.4.1.19937.1.1.1 NAME 'quota'
> >      DESC 'Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)'
> >      EQUALITY caseIgnoreIA5Match
> >      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} )
> >
> > objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas' SUP posixAccount AUXILIARY
> >      DESC 'System Quotas'
> >      MUST ( uid )
> >      MAY  ( quota ))
> >
> > Run this file through oLschema2ldif
> >
> > NOTE: the 'basedn' is your rootdse, -I is where the ldif is and what you
> > called it, -O is where you want the new file to be created and what
> > you want it to be called.
> >
> > root@dc01:~# oLschema2ldif --basedn=DC=example,DC=com -I /root/quota.schema -O /root/quota.ldif
> >
> > OK, first time through, you get an error:
> >
> > Invalid entry objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas'
> > SUP posixAccount AUXILIARY    DESC 'System Quotas' MUST ( uid )    MAY
> > ( quota )), closing braces needs to be preceeded by a space
> > Converted 1 records with 1 failures
> >
> > Open the file again and change last line to this:
> >
> >      MAY  ( quota ) )
> >
> > Try again:
> >
> > root@dc01:~# oLschema2ldif --basedn=DC=example,DC=com -I /root/quota.schema -O /root/quota.ldif
> > Converted 2 records with 0 failures
> >
> > If you now open the new .ldif, you will find this:
> >
> > dn: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=com
> > objectClass: top
> > objectClass: attributeSchema
> > attributeID: 1.3.6.1.4.1.19937.1.1.1
> > schemaIdGuid:: s4wz77EabBjOCl35dQG3Yg==
> > cn: quota
> > name: quota
> > lDAPDisplayName: quota
> > description: Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)
> > attributeSyntax: 2.5.5.5
> > oMSyntax: 22
> > isSingleValued: FALSE
> >
> > dn: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com
> > objectClass: top
> > objectClass: classSchema
> > governsID: 1.3.6.1.4.1.19937.1.2.1
> > schemaIdGuid:: TIwbIzyiBNzZEmBeS1XO4A==
> > cn: systemQuotas
> > name: systemQuotas
> > lDAPDisplayName: systemQuotas
> > subClassOf: posixAccount
> > objectClassCategory: 3
> > description: System Quotas
> > mustContain: uid
> > mayContain: quota
> > defaultObjectCategory: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,D
> >  C=com
> >
> > You would then add this ldif to AD with:
> >
> > ldbmodify -H path_to_sam_ldb /root/quota.ldif --option="dsdb:schema update allowed"=true
> >
> > Note that the objectClass in the above ldif is a subclass of
> > 'posixAccount' and to use it, you will have to add the 'uid' attribute
> > to all users, you do not need to add (and in fact should not) the
> > 'posixAccount' objectClass.
> >
> > Rowland
>

When extending the AD schema, you normally have to add the attributes 
first, then the objectclasses i.e. split the ldif in two, one ldif 
containing the attributes and another containing the objectclasses.

Rowland
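
The split described in this reply, as an added example that is not part of the original message or of Samba itself: a Python helper that sorts the records of an oLschema2ldif output file into an attributes LDIF and an object-classes LDIF. The sample input is abridged from the LDIF quoted above (not loadable as-is), and the function names and output file names are hypothetical.

```python
# Constructed sample, abridged from the oLschema2ldif output quoted in the
# thread (not loadable as-is); the class record is deliberately placed first.
SAMPLE = """\
dn: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
lDAPDisplayName: systemQuotas
mayContain: quota
defaultObjectCategory: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,D
 C=com

dn: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: quota
attributeSyntax: 2.5.5.5
"""


def record_kind(record):
    """Return 'attributeSchema' or 'classSchema' for one LDIF record."""
    # Unfold LDIF continuation lines (leading single space) before matching.
    unfolded = record.replace("\n ", "")
    values = {
        line.split(":", 1)[1].strip().lower()
        for line in unfolded.splitlines()
        if line.lower().startswith("objectclass:")
    }
    for kind in ("attributeSchema", "classSchema"):
        if kind.lower() in values:
            return kind
    raise ValueError("not a schema record: " + unfolded.splitlines()[0])


def split_schema_ldif(text):
    """Return (attributes_ldif, classes_ldif); records are kept verbatim."""
    out = {"attributeSchema": [], "classSchema": []}
    for rec in text.replace("\r\n", "\n").split("\n\n"):
        if rec.strip():
            out[record_kind(rec.strip("\n"))].append(rec.strip("\n"))
    return tuple("\n\n".join(out[k]) + "\n" for k in out)


if __name__ == "__main__":
    attrs, classes = split_schema_ldif(SAMPLE)
    # Hypothetical file names: load the first file before the second.
    for name, body in (("quota-attrs.ldif", attrs), ("quota-classes.ldif", classes)):
        with open(name, "w") as fh:
            fh.write(body)
```

Load the attributes file with the ldbmodify command quoted above first, then the classes file the same way.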


