[Samba] objectclass "posixAccount" missing on new created users

Andrew Bartlett abartlet at samba.org
Thu Aug 17 08:34:00 UTC 2017 

On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> On Thu, 17 Aug 2017 09:39:07 +0200
> gizmo via samba <samba at lists.samba.org> wrote:
> 
> > Hello,
> > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > With samba 4.3.11 all created users contained the objectclass
> > "posixAccount". With samba 4.6.7 they don't.
> > 
> > We have a NetApp-Storage-Server which exports nfs4-mounts (with
> > kerberos). Yesterday I wanted to change the owner of a directory and
> > "chown" threw an error "invalid argument". It was the new created
> > user which the NetApp didnt want to accept and caused that error.
> > 
> > So the NetApp accepts only users which derive from "posixAccount".
> > 
> > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > "ldbsearch .. CN=ypservers,.." returns one record.
> > 
> > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > but is this the right way ?
> 
> No, definitely not, 'posixAccount' is an auxiliary objectclass of
> 'user' and as such never appears in AD. If your NetApp needs
> 'posixAccount when connecting to AD, then your NetApp is what is
> broken.

Yes, sadly for you Rowland was successful in advancing the argument
that samba-tool should be no more helpful than ADUC when adding users
to the directory, so with more recent versions we no longer add
posixAccount as an auxillary class. 

You can of course add it by modifying the objectClass attribute, it is
a perfectly valid part of the AD schema, just not there by default. 

> > 
> > 
> > 
> > 2 more informations about our enviroment:
> > - User-authentication on all linux-clients is based on sssd.
> 
> I am going to stop there, sssd has nothing to do with Samba, go and ask
> on the sssd-users list, or use winbind instead (note: winbind can do
> everything sssd can do).

What the clients use has no direct impact on what the member server
(the NetApp) does, but it is helpful to know as it impacts the chown. 
I'm assuming you have a valid posix (via sssd) user here first, but
that the NetApp requires the user to be on the server, not just
respecting the raw UID?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list