[Samba] Elements missing in LDAP for some users
Patrick Goetz
pgoetz at math.utexas.edu
Mon Nov 29 16:50:27 UTC 2021
On 11/29/21 10:43, Victor Rodriguez via samba wrote:
>
>> Hi -
>>
>> In order for this to work, you need to provision your domain with
>> RFC2307 extensions:
>>
>> # samba-tool domain provision --use-rfc2307 --interactive
>>
>> If you didn't have "--use-rfc2307" we need look no further.
>
>
> Wouldn't that mean that no user should have those records? Some do have
> them, others do not, as if there were two versions of the schema (if
> that's even possible, I mean).
>
Yes, you're right. It's what Roland said: if you use the RFC2307
attributes you have to add the values for these attributes to the
directory yourself. This is ultimately why I opted to just use the RID
back end and then make UID/GID adjustments on the Linux side -- less
hands-on maintenance over time.
> I'm 99% sure that "--use-rfc2307" was used during provision. It's the
> same OS and Samba version I have used for a few other domains and all
> worked correctly, so there might be something related to this very
> domain coming from such an old OS (Win2003 SBS).
>
> Reading https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD , I
> have checked that:
>
> - smb.conf has idmap_ldb:use rfc2307 = yes
>
> - NIS extensions do not seem to be installed in this domain:
>
> ---
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
> CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=company,DC=local cn
>
> search error - No such Base DN:
> CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=company,DC=local
>
> ---
>
> AFAIK, these are only needed to manage Unix UID/GID from Windows' ADUC,
> which I don't need at the moment.
>
>
>> On 11/29/21 08:40, Victor Rodriguez via samba wrote:
>>> Hello,
>>>
>>> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
>>> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
>>> repo). Everything seems to be working properly.
>>>
>>> After migration I have detected that many users have elements missing in
>>> LDAP, like "uidNumber", "gidNumber", "lastLogon" or
>>> "userAccountControl":
>>>
>>> ---
>>>
>>> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s
>>> sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
>>>
>>> [...]
>>>
>>> # record 1
>>> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: User1
>>> sn: Surname
>>> givenName: User1
>>> displayName: User1 Surname
>>> name: User1 Surname
>>> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
>>> codePage: 0
>>> countryCode: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-***-***-***-1392
>>> sAMAccountName: user1
>>> sAMAccountType: 805306368
>>> userPrincipalName: user1@domain.company.local
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
>>> msDS-SupportedEncryptionTypes: 0
>>> distinguishedName: CN=User1 Surname,OU=VAlameda,DC=domain,DC=company,DC=local
>>>
>>> [...]
>>>
>>> ---
>>>
>>> All users in this domain existed before migrating from Windows 2003. I
>>> have created a new user and it does not have those elements in LDAP.
>>> Some other users do have those elements in LDAP. All of them can log in
>>> to a Windows domain joined computer.
>>>
>>>
>>> - In this scenario, should they exist for every user? (as they do in
>>> other domains I have migrated/created)
>>>
>>> - Should I create them? How?
>>>
>>> - Are they created automatically by Samba? When?
>>>
>>>
>>> Thanks a lot in advance.
>>>
>>> Victor.
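The thread turns on the fact that Samba never fills in uidNumber/gidNumber by itself: with `idmap_ldb:use rfc2307 = yes`, a user that has them gets that Unix ID, while a user that lacks them is given an ID allocated from the local idmap.ldb, which is not replicated between DCs. The practical consequence is that file ownership on a Samba file server can differ from DC to DC, and two accounts that were given the same uidNumber by hand share one Unix identity. The audit below is an added example written for this post; it is not from the thread and not Samba's own tooling. It parses the LDIF that `ldbsearch` prints (the same invocation Victor used, assumed to be reachable and to have a usable ticket when run for real) and reports users with missing RFC2307 attributes and uidNumber values shared by more than one account. The LDIF in `SAMPLE_LDIF` is constructed for the example.

```python
"""Audit RFC2307 attributes of AD user objects from ldbsearch LDIF output.

Added example (not from the thread, not Samba code): lists users that have
no uidNumber/gidNumber and uidNumber values shared by several accounts.
"""
import base64
import subprocess
from collections import defaultdict

REQUIRED_USER_ATTRS = ("uidNumber", "gidNumber")

# Constructed sample in the format ldbsearch prints; not real directory data.
SAMPLE_LDIF = """\
# record 1
dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: top
objectClass: user
sAMAccountName: user1
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=user2,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: top
objectClass: user
sAMAccountName: user2

# record 3
dn: CN=user3,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: top
objectClass: user
sAMAccountName: user3
distinguishedName: CN=user3,OU=usersOU,DC=domain,DC=company,
 DC=local
uidNumber: 10001
gidNumber: 10000

# record 4
dn: CN=Domain Users,CN=Users,DC=domain,DC=company,DC=local
objectClass: top
objectClass: group
gidNumber: 10000

# returned 4 records
"""


def _unfold(text):
    """Join RFC 2849 folded lines (a continuation line starts with one space).
    Lines wrapped by a mail client, as in the quoted post, are not valid
    folding and must be re-joined by hand before parsing."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Parse ldbsearch output into a list of {attribute: [values]} dicts.
    '# ...' comment lines are skipped, a blank line ends a record and
    'attr:: ...' values are base64-decoded."""
    records, current = [], None
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(dict(current))
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                       # not an attribute line
        if value.startswith(":"):          # base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current:
        records.append(dict(current))
    return records


def audit_rfc2307(records):
    """Return (missing, duplicates) for objects carrying objectClass user.
    missing:    {dn: [absent attribute names]}
    duplicates: {uidNumber: [dn, ...]} for values used by more than one account
    Computer objects also carry objectClass user; narrow the LDAP filter
    if they should be excluded."""
    missing, owners = {}, defaultdict(list)
    for rec in records:
        if "user" not in rec.get("objectClass", []):
            continue
        dn = rec.get("dn", ["<no dn>"])[0]
        absent = [a for a in REQUIRED_USER_ATTRS if a not in rec]
        if absent:
            missing[dn] = absent
        for uid in rec.get("uidNumber", []):
            owners[uid].append(dn)
    duplicates = {uid: dns for uid, dns in owners.items() if len(dns) > 1}
    return missing, duplicates


def fetch_ldif(url, base_dn):
    """Run the ldbsearch invocation from the thread (assumed to be on PATH and
    able to authenticate with -P as in the post) and return its stdout."""
    cmd = ["ldbsearch", f"--url={url}", "-P", "-b", base_dn, "-s", "sub",
           "(objectClass=user)", "sAMAccountName", "uidNumber", "gidNumber",
           "objectClass"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    # Usage: audit_rfc2307.py ldap://va-dc-001 DC=domain,DC=company,DC=local
    # Without arguments the constructed sample is audited instead.
    text = fetch_ldif(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_LDIF
    missing, dups = audit_rfc2307(parse_ldif(text))
    for dn, attrs in sorted(missing.items()):
        print(f"MISSING {', '.join(attrs)}: {dn}")
    for uid, dns in sorted(dups.items()):
        print(f"DUPLICATE uidNumber {uid}: {' | '.join(dns)}")
```

Run against a real DC it lists exactly the accounts that will be mapped from the unreplicated idmap.ldb rather than from the directory, which is the set to fix (or to move to the RID back end, as Patrick did) before relying on Unix permissions on shares.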