[Samba] Elements missing in LDAP for some users

Rowland Penny rpenny at samba.org
Mon Nov 29 16:32:41 UTC 2021


On Mon, 2021-11-29 at 15:40 +0100, Victor Rodriguez via samba wrote:
> Hello,
> 
> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
> repo). Everything seems to be working properly.
> 
> After migration I have detected that many users have elements missing in
> LDAP, like "uidNumber", "gidNumber", "lastLogon" or "userAccountControl":

Did they have them before the 'migration'?
How did you 'migrate' the domain?
I can understand the first two being missing, but not the last two.

> 
> ---
> 
> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
> 
> [...]
> 
> # record 1
> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: User1
> sn: Surname
> givenName: User1
> displayName: User1 Surname
> name: User1 Surname
> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
> codePage: 0
> countryCode: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-***-***-***-1392
> sAMAccountName: user1
> sAMAccountType: 805306368
> userPrincipalName: user1 at domain.company.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
> msDS-SupportedEncryptionTypes: 0
> distinguishedName: CN=User1 Surname,OU=VAlameda,DC=domain,DC=company,DC=local
> 
> [...]
> 
> ---
> 
> All users in this domain existed before migrating from Windows 2003. I
> have created a new user and it does not have those elements in LDAP.

You have to add the rfc2307 attributes yourself (how are you creating
new users?), but you should get the other two.

> Some other users do have those elements in LDAP. All of them can log in
> to a Windows domain joined computer.
> 
> 
> - In this scenario, should they exist for every user? (as they do in
> other domains I have migrated/created)

Possibly, but as I said you have to choose to add the rfc2307
attributes.

> 
> - Should I create them?

If you need RFC2307 attributes, then yes.

>  How?

samba-tool for the RFC2307 attributes, the other two should be created
for you.

Rowland
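
Added example, not part of the original message or of Samba's own tooling: a shell function that reads ldbsearch LDIF output and lists the user accounts still lacking uidNumber or gidNumber, so the accounts that need RFC2307 attributes can be found in one pass. The function names and the sample records are constructed for illustration.

```shell
# Added example (not from the thread): list user records in LDIF on stdin lacking uidNumber/gidNumber.
missing_rfc2307() {
    awk '
    function emit(   miss) {
        if (sam != "" && is_user && !is_computer) {
            if (!has_uid) miss = "uidNumber"
            if (!has_gid) miss = (miss == "" ? "" : miss ",") "gidNumber"
            if (miss != "") printf "%s\t%s\n", sam, miss
        }
        sam = ""; is_user = is_computer = has_uid = has_gid = 0
    }
    /^$/ { emit(); next }            # blank line ends a record
    /^#/ || /^ / { next }            # comments, folded continuation lines
    {
        i = index($0, ":"); if (i == 0) next
        name = tolower(substr($0, 1, i - 1))   # attribute names are case-insensitive
        val = substr($0, i + 1); sub(/^:? */, "", val)
        if (name == "samaccountname") sam = val
        else if (name == "uidnumber") has_uid = 1
        else if (name == "gidnumber") has_gid = 1
        else if (name == "objectclass" && tolower(val) == "user") is_user = 1
        else if (name == "objectclass" && tolower(val) == "computer") is_computer = 1
    }
    END { emit() }                   # last record may lack a trailing blank line
    '
}
sample_ldif() {   # constructed sample records, not real directory data
cat <<'EOF'
dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: user
sAMAccountName: user1

dn: CN=user2,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: user
sAMAccountName: user2
uidNumber: 10001
gidNumber: 10000

dn: CN=user3,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: user
sAMAccountName: user3
uidNumber: 10003

dn: CN=PC1,CN=Computers,DC=domain,DC=company,DC=local
objectClass: user
objectClass: computer
sAMAccountName: PC1$
EOF
}
```

Against a live DC, pipe the ldbsearch command from the message into `missing_rfc2307`, using the filter `'(objectClass=user)'` in place of the objectSid filter. Computer accounts are skipped because they also carry `objectClass: user`.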
