[Samba] Verify if Samba AD was provisioned with RFC2307
Marco Shmerykowsky
marco at sce-engineers.com
Sun Jan 3 15:35:38 UTC 2021
On 2021-01-03 10:19 am, Rowland penny via samba wrote:
> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>>
>> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>>> Is there a way to confirm whether a samba AD was
>>>> provisioned using RFC2307?
>>>
>>> All that provisioning with '--use-rfc2307' does is to put
>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' doesn't
>>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DCs use
>>> uidNumber & gidNumber attributes from AD instead of the xidNumber
>>> attributes from idmap.ldb. The second makes the Unix attributes tabs
>>> work in ADUC, only problem is, they no longer exist 🙁
>>>
>>> All of the RFC2307 attributes are in the AD schema by default, even if
>>> you provision without '--use-rfc2307'.
>>>
>>> Rowland
>>
>> I see. The reason I ask is that I'm trying to use an extended query
>> in a pfsense/openvpn setup and the query seems to fail. I'm fairly
>> certain I have the query correct (although I could be wrong).
>>
>> In googling I came across some discussion that RFC2307 can create issues
>> with the extended query (https://redmine.pfsense.org/issues/9527)
>>
> That link seems to refer to IPA and AD is different. For instance you
> cannot rely on the 'posix' objectclasses being in AD (in fact anything
> that does is, in my opinion, broken), the 'posix' objectclasses are
> auxiliary objectclasses of Windows objectclasses and as such are not
> required.
>
> What is your search query and what do you expect the results to be ?
My query is ->
memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com

Users who will be allowed access to the VPN are assigned to a security
group named "VPN-Users". I then used Softerra's ldapbrowser
(www.ldapadministrator.com) to look at one of the users in the group and
pulled the syntax for the "memberof" attribute that listed the VPN-Users
group.

I would expect the extended query to validate a user who is a member of
the VPN-Users group.
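The two checks raised in this thread (is 'idmap_ldb:use rfc2307' actually set in the DC's smb.conf, and does the memberOf filter for the VPN-Users group have the right shape) can be scripted. The following is an added example, not code from the thread, Samba or pfSense. The sample smb.conf, the host name dc1.internal.external.com and the bind DN are constructed placeholders; the group DN is the one quoted above. Parameter-name matching ignores case and whitespace as Samba does, and the filter value is escaped per RFC 4515 so a group name containing '(', ')', '*' or '\' cannot break the query.

```python
"""Added example (not from the thread): verify RFC2307 id mapping in smb.conf
and build / try the memberOf filter for the VPN group.
The smb.conf text, host and bind DN are constructed placeholders."""
import re
from typing import List, Sequence

# Constructed sample of what 'samba-tool domain provision --use-rfc2307' writes.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        dns forwarder = 192.0.2.1
        netbios name = DC1
        realm = INTERNAL.EXTERNAL.COM
        server role = active directory domain controller
        workgroup = INTERNAL
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

GROUP_DN = "CN=VPN-Users,CN=Users,DC=internal,DC=external,DC=com"  # from the thread
BASE_DN = "DC=internal,DC=external,DC=com"                          # from the thread


def _normalize_param(name: str) -> str:
    # Samba compares parameter names ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()


def rfc2307_enabled(smb_conf_text: str) -> bool:
    """True when [global] sets 'idmap_ldb:use rfc2307' to a Samba 'yes' value."""
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if _normalize_param(key) == "idmap_ldb:userfc2307":
            return value.strip().lower() in ("yes", "true", "1", "on")
    return False                                # absent: DCs use xidNumber from idmap.ldb


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: backslash plus two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def memberof_filter(group_dn: str) -> str:
    """Filter matching accounts whose memberOf attribute holds the group DN."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def ldapsearch_argv(host: str, base_dn: str, bind_dn: str, search_filter: str,
                    attrs: Sequence[str] = ("sAMAccountName", "memberOf")) -> List[str]:
    """argv for OpenLDAP's ldapsearch to try the filter against a DC (-W prompts for the password)."""
    return ["ldapsearch", "-LLL", "-H", "ldap://" + host, "-D", bind_dn, "-W",
            "-b", base_dn, search_filter, *attrs]


if __name__ == "__main__":
    print("rfc2307 id mapping enabled:", rfc2307_enabled(SAMPLE_SMB_CONF))
    flt = memberof_filter(GROUP_DN)
    print("filter:", flt)
    # Placeholder host and bind DN; run the printed command against a real DC to test the filter.
    print(" ".join(ldapsearch_argv("dc1.internal.external.com", BASE_DN,
                                   "CN=svc-vpn,CN=Users," + BASE_DN, flt)))
```

Running the printed ldapsearch command with a read-only bind account shows directly whether the DC returns the expected user for the filter, which separates a wrong filter from a pfSense-side problem. Note that memberOf only lists direct group membership, so users who reach VPN-Users through a nested group will not match this filter.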