[Samba] objectclass "posixAccount" missing on new created users

Rowland Penny rpenny at samba.org
Thu Aug 17 08:50:07 UTC 2017 

On Thu, 17 Aug 2017 20:34:00 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> > On Thu, 17 Aug 2017 09:39:07 +0200
> > gizmo via samba <samba at lists.samba.org> wrote:
> > 
> > > Hello,
> > > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > > With samba 4.3.11 all created users contained the objectclass
> > > "posixAccount". With samba 4.6.7 they don't.
> > > 
> > > We have a NetApp-Storage-Server which exports nfs4-mounts (with
> > > kerberos). Yesterday I wanted to change the owner of a directory
> > > and "chown" threw an error "invalid argument". It was the new
> > > created user which the NetApp didnt want to accept and caused
> > > that error.
> > > 
> > > So the NetApp accepts only users which derive from "posixAccount".
> > > 
> > > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > > "ldbsearch .. CN=ypservers,.." returns one record.
> > > 
> > > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > > but is this the right way ?
> > 
> > No, definitely not, 'posixAccount' is an auxiliary objectclass of
> > 'user' and as such never appears in AD. If your NetApp needs
> > 'posixAccount when connecting to AD, then your NetApp is what is
> > broken.
> 
> Yes, sadly for you Rowland was successful in advancing the argument
> that samba-tool should be no more helpful than ADUC when adding users
> to the directory, so with more recent versions we no longer add
> posixAccount as an auxillary class. 
> 
> You can of course add it by modifying the objectClass attribute, it is
> a perfectly valid part of the AD schema, just not there by default. 

Yes Andrew, it is there, but NO windows tools add it and as we
actively encourage the use of ADUC, we shouldn't encourage adding it.
  
> 
> > > 
> > > 
> > > 
> > > 2 more informations about our enviroment:
> > > - User-authentication on all linux-clients is based on sssd.
> > 
> > I am going to stop there, sssd has nothing to do with Samba, go and
> > ask on the sssd-users list, or use winbind instead (note: winbind
> > can do everything sssd can do).
> 
> What the clients use has no direct impact on what the member server
> (the NetApp) does, but it is helpful to know as it impacts the chown. 
> I'm assuming you have a valid posix (via sssd) user here first, but
> that the NetApp requires the user to be on the server, not just
> respecting the raw UID?

If you are referring to a user being in /etc/passwd on the NetApp and
in AD, you know this is not allowed, a user can be in /etc/passwd or
in AD, the user cannot be in both.

Rowland

More information about the samba mailing list