[Samba] Migrate mail aliases to AD ypServ30

Rowland penny rpenny at samba.org
Mon Jul 20 17:24:15 UTC 2020


On 20/07/2020 17:52, RhineDevil wrote:
> Mon, 20 Jul 2020 11:56:57 +0100 Rowland penny via samba <samba at lists.samba.org>:
>> On 20/07/2020 11:11, RhineDevil via samba wrote:
>>> How could I migrate these fields to CN=aliases,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=local?
>>>
>>> dn: cn=abuse,ou=Aliases,DC=mydomail,DC=local
>>> cn: abuse
>>> objectClass: nisMailAlias
>>> objectClass: top
>>> rfc822MailMember: root
>>>
>>> dn: cn=noc,ou=Aliases,DC=mydomail,DC=local
>>> cn: noc
>>> objectClass: nisMailAlias
>>> objectClass: top
>>> rfc822MailMember: root
>>>
>>> dn: cn=security,ou=Aliases,DC=mydomail,DC=local
>>> cn: security
>>> objectClass: nisMailAlias
>>> objectClass: top
>>> rfc822MailMember: root
>> First you will need the rfc822-MailMember.schema and then run that
>> through oLschema2ldif to produce an ldif to add to AD.
>>
>> Doing the above, should produce something like this:
>>
>> dn: CN=rfc822MailMember,CN=Schema,CN=Configuration,dc=local
>> objectClass: top
>> objectClass: attributeSchema
>> attributeID: 1.3.6.1.4.1.42.2.27.2.1.15
>> schemaIdGuid:: aB7do9Dx3LkCSVgvixllpg==
>> cn: rfc822MailMember
>> name: rfc822MailMember
>> lDAPDisplayName: rfc822MailMember
>> description: rfc822 mail address of group member(s)
>> attributeSyntax: 2.5.5.5
>> oMSyntax: 22
>> isSingleValued: FALSE
>>
>> dn: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
>> objectClass: top
>> objectClass: classSchema
>> governsID: 1.3.6.1.4.1.42.2.27.1.2.5
>> schemaIdGuid:: gMnYtZqCPTLAMXe3RZus8A==
>> cn: nisMailAlias
>> name: nisMailAlias
>> lDAPDisplayName: nisMailAlias
>> subClassOf: top
>> objectClassCategory: 1
>> description: NIS mail alias
>> mustContain: cn
>> mayContain: rfc822MailMember
>> defaultObjectCategory: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
>>
>> You will need to split that into two ldifs, one containing the
>> objectclass, the other the attribute.
>>
>> You can then add the two ldifs like this:
>>
>> ldbadd -H path_to_sam_ldb attr.ldif --option="dsdb:schema update allowed"=true
>> ldbadd -H path_to_sam_ldb class.ldif --option="dsdb:schema update allowed"=true
>>
>> You could then add your ldif (modified to suit AD):
>>
>> dn: cn=abuse,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
>> cn: abuse
>> objectClass: nisMailAlias
>> objectClass: top
>> rfc822MailMember: root
>>
>> dn: cn=noc,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
>> cn: noc
>> objectClass: nisMailAlias
>> objectClass: top
>> rfc822MailMember: root
>>
>> dn: cn=security,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
>> cn: security
>> objectClass: nisMailAlias
>> objectClass: top
>> rfc822MailMember: root
>>
>> Whilst the above should work, I have never tried it. You should be aware
>> that extending the AD schema is a one way action, you can never remove it.
>>
>> If you do extend your schema, you do this at your own risk, do not blame
>> me if it goes wrong.
>>
>> Rowland
>>
> Wait, but
> wouldn't it make sense to take care of this through samba-tool? Like there's --rfc-2037, --rfc822 could be added

No, it wouldn't. Basically, all that adding '--rfc-2307' to the provision
command does is add the ypServ30 ldif to AD. This ldif is what
Microsoft added if you installed IDMU. Adding the ldif makes Samba
compatible with ADUC.

What you are adding is a corner case, so it would be a large amount of
work to update samba-tool for a very few users, or perhaps only you.
However, if you feel this should be in samba-tool, patches are always
welcome ;-)

Rowland
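
The two preparation steps described in the quoted reply (splitting the schema LDIF into an attribute file and a class file, and moving the alias entries under the ypServ30 container) can be scripted. The following is an added example, not code from the thread or from Samba; the function names are hypothetical, the sample input is constructed from the entries quoted above, and it assumes plain-text LDIF with simple cn values.

```python
# Added example, not from the thread: prepares the LDIF files it describes.
# Assumes plain-text LDIF (no base64 "dn::" values) and simple cn values.
TARGET = "cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local"
# Constructed sample input, modelled on the entries quoted in the thread.
SAMPLE_ALIASES = """\
dn: cn=abuse,ou=Aliases,
 DC=mydomail,DC=local
cn: abuse
objectClass: nisMailAlias
objectClass: top
rfc822MailMember: root

dn: cn=noc,ou=Aliases,DC=mydomail,DC=local
cn: noc
objectClass: nisMailAlias
objectClass: top
rfc822MailMember: root
"""

def parse_ldif(text):
    """Split LDIF into entries (lists of lines), unfolding continuation lines."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # folded line: append to previous
        elif not raw.strip():
            if current:
                entries.append(current)
            current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return entries + ([current] if current else [])

def split_schema(entries):
    """Return (attributes, classes); attributes must be loaded first."""
    attrs = [e for e in entries if "objectClass: attributeSchema" in e]
    classes = [e for e in entries if "objectClass: classSchema" in e]
    return attrs, classes

def rebase_alias(entry, target=TARGET):
    """Move a nisMailAlias entry under the target container, keeping its cn."""
    cn = next(l.split(":", 1)[1].strip() for l in entry if l.lower().startswith("cn:"))
    return [f"dn: cn={cn},{target}"] + [l for l in entry if not l.lower().startswith("dn:")]

def to_ldif(entries):
    return "\n\n".join("\n".join(e) for e in entries) + "\n"

if __name__ == "__main__":
    print(to_ldif([rebase_alias(e) for e in parse_ldif(SAMPLE_ALIASES)]))
```

Review the generated files by hand before passing them to ldbadd, since the schema change cannot be undone.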
