[Samba] Elements missing in LDAP for some users

Victor Rodriguez vrodriguez at soltecsis.com
Mon Nov 29 16:43:28 UTC 2021


> Hi -
>
> In order for this to work, you need to provision your domain with
> RFC2307 extensions:
>
>   # samba-tool domain provision --use-rfc2307 --interactive
>
> If you didn't have "--use-rfc2307" we need look no further.


Wouldn't that mean that no user should have those records?  Some do have
them, others do not, as if there were two versions of the schema (if
that's even possible, I mean).

I'm 99% sure that "--use-rfc2307" was used during provision. It's the
same OS and Samba version I have used for a few other domains and all
worked correctly, so there might be something related to this very
domain coming from such an old OS (Win2003 SBS).

Reading https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD , I
have checked that:

- smb.conf has idmap_ldb:use rfc2307 = yes

- NIS extensions do not seem to be installed in this domain:

---

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=company,DC=local cn

search error - No such Base DN:
CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=company,DC=local

---

AFAIK, these are only needed to manage Unix UID/GID from Windows ADUC,
which I don't need at the moment.


> On 11/29/21 08:40, Victor Rodriguez via samba wrote:
>> Hello,
>>
>> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
>> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
>> repo). Everything seems to be working properly.
>>
>> After migration I have detected that many users have elements missing in
>> LDAP, like "uidNumber", "gidNumber", "lastLogon" or
>> "userAccountControl":
>>
>> ---
>>
>> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s
>> sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
>>
>> [...]
>>
>> # record 1
>> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: User1
>> sn: Surname
>> givenName: User1
>> displayName: User1 Surname
>> name: User1 Surname
>> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
>> codePage: 0
>> countryCode: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-***-***-***-1392
>> sAMAccountName: user1
>> sAMAccountType: 805306368
>> userPrincipalName: user1 at domain.company.local
>> objectCategory:
>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
>> msDS-SupportedEncryptionTypes: 0
>> distinguishedName: CN=User1
>> Surname,OU=VAlameda,DC=domain,DC=company,DC=local
>>
>> [...]
>>
>> ---
>>
>> All users in this domain existed before migrating from Windows 2003. I
>> have created a new user and it does not have those elements in LDAP.
>> Some other users do have those elements in LDAP. All of them can log in
>> to a Windows domain joined computer.
>>
>>
>> - In this scenario, should they exist for every user? (as they do in
>> other domains I have migrated/created)
>>
>> - Should I create them? How?
>>
>> - Are they created automatically by Samba? When?
>>
>>
>> Thanks a lot in advance.
>>
>> Victor.
>>
>
-- 
========================================
SOLTECSIS SOLUCIONES TECNOLOGICAS, S.L.
Víctor Rodríguez Cortés
Departamento de I+D+I
Tel./Fax: 966 446 046
vrodriguez at soltecsis.com
www.soltecsis.com
========================================
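An added example, not from this thread or from Samba, that audits ldbsearch output offline for the problem discussed above: it parses LDIF records, lists every DN missing uidNumber/gidNumber, and flags any uidNumber claimed by more than one account (two AD users mapped to one Unix identity). The sample LDIF is constructed; in practice pass the text of `ldbsearch ... '(objectClass=user)' uidNumber gidNumber` to parse_ldif.

```python
from collections import defaultdict

# Constructed sample in the shape ldbsearch prints (not real directory data):
# user1 lacks the RFC2307 attributes, user2 and user3 share one uidNumber.
SAMPLE_LDIF = """\
# record 1
dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=lo
 cal

# record 2
dn: CN=user2,OU=usersOU,DC=domain,DC=company,DC=local
uidNumber: 10001
gidNumber: 10000

# record 3
dn: CN=user3,OU=usersOU,DC=domain,DC=company,DC=local
uidNumber: 10001
gidNumber: 10000
"""
REQUIRED = ("uidNumber", "gidNumber")  # the attributes idmap_ldb:use rfc2307 maps

def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts; joins folded lines (leading space),
    skips '# record N' comments, leaves base64 ('::') values undecoded."""
    records, cur, last = [], None, None
    for line in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if not line:  # blank line ends a record
            if cur is not None:
                records.append(dict(cur))
            cur, last = None, None
        elif line.startswith(" ") and last:  # folded continuation line
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            cur = cur if cur is not None else defaultdict(list)
            cur[attr].append(value.strip())
            last = attr
    return records

def audit_rfc2307(records):
    """Return (missing, duplicates): DNs lacking a REQUIRED attribute, and
    uidNumbers claimed by more than one DN (two accounts, one Unix identity)."""
    missing, owners = {}, defaultdict(list)
    for rec in records:
        dn = rec.get("dn", ["<no dn>"])[0]
        absent = [a for a in REQUIRED if a not in rec]
        if absent:
            missing[dn] = absent
        for uid in rec.get("uidNumber", []):
            owners[uid].append(dn)
    return missing, {u: d for u, d in owners.items() if len(d) > 1}
```

Attribute names are matched as ldbsearch prints them; a non-empty duplicates dict is worth investigating before enabling the mapping on file servers.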