[Samba] Schema extension

Stefan Kania stefan at kania-online.de
Wed Nov 21 14:31:58 UTC 2018


On 21.11.2018 10:22, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 10:06:06 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
> 
>> Hello,
>> 
>> we have a single DC after a classicupgrade and we need to extend the
>> schema. So we created an attrib.ldif with all our attributes and an
>> object.ldif to add the attributes to the "CN=User" Object. We tested
>> the two ldif-files on a DC with only a few users and groups and it
>> works fine. Then we did the classicupgrade (same NC as the
>> test-system); we have more than 30.000 users after the classicupgrade.
>> Then we did the schema extension with the same ldif-files. During the
>> process the DB was reindexed. Then we looked at a user in the
>> "attribute editor" in ADUC of one of the users. We can't see the
>> additional attributes. We reindexed the DB and got the following
>> messages: ---------------
>> root at addc01:~# samba-tool dbcheck --reindex
>> Re-indexing...
>> Reindexing: re-keyed 10000 records so far
>> Reindexing: re-keyed 20000 records so far
>> Reindexing: re-keyed 30000 records so far
>> Reindexing: re-indexed 10000 records so far
>> Reindexing: re-indexed 20000 records so far
>> Reindexing: re-indexed 30000 records so far
>> Reindexing: re_index successful on
>> /var/lib/samba/private/sam.ldb.d/DC=EXAMPLE,DC=DE.ldb, final index
>> write-out will be in transaction commit
>> completed re-index OK----
>> -------------
>> It looks like the reindexing was working, but we still can't use the
>> attributes. Can it be that it takes a long time because of the 30.000
>> users?
>> 
> 
> Have you tried an ldap search on a user to rule out an ADUC problem ?
> What are the attributes for ?
> 
> Rowland

  Hi Rowland,

the problem WAS the ADUC! The first try to put the attributes into the
new AD failed, so we reset the VM (the win10 client with ADUC was
still in the domain). We fixed the problem in the ldif and reran the
schema extension. We did not see the attributes in ADUC, so we changed
the new attributes via an ldif-file for one of our users; this worked fine.
We then removed the profile of the domain admin from the Windows 10
machine, logged in with a new profile and everything was fine. So the
problem is that the ADUC saves the schema settings inside the profile
of the user who accesses the AD. As far as we figured out, it is not
possible to get the new information into the ADUC except by deleting
the profile of the user. THAT SU...

Your hint with the ADUC sent us on the right track.

Thank you

Stefan

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps to reduce spam. Sign your e-mail.
More information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net


