[Samba] Elements missing in LDAP for some users

Patrick Goetz pgoetz at math.utexas.edu
Mon Nov 29 16:50:27 UTC 2021



On 11/29/21 10:43, Victor Rodriguez via samba wrote:
> 
>> Hi -
>>
>> In order for this to work, you need to provision your domain with
>> RFC2307 extensions:
>>
>>    # samba-tool domain provision --use-rfc2307 --interactive
>>
>> If you didn't have "--use-rfc2307" we need look no further.
> 
> 
> Wouldn't that mean that no user should have those records?  Some do have
> them, others do not, as if there were two versions of the schema (if
> that's even possible, I mean).
> 

Yes, you're right. It's what Roland said: if you use the RFC2307 
attributes you have to add the values for these attributes to the 
directory yourself.  This is ultimately why I opted to just use the RID 
back end and then make UID/GID adjustments on the Linux side -- less 
hands-on maintenance over time.


> I'm 99% sure that "--use-rfc2307" was used during provision. It's the
> same OS and Samba version I have used for a few other domains and all
> worked correctly, so there might be something related to this very
> domain coming from such an old OS (Win2003 SBS).
> 
> Reading https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD , I
> have checked that:
> 
> - smb.conf has idmap_ldb:use rfc2307 = yes
> 
> - NIS extensions do not seem to be installed in this domain:
> 
> ---
> 
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
> CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=company,DC=local cn
> 
> search error - No such Base DN:
> CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=company,DC=local
> 
> ---
> 
> AFAIK, these are only needed to manage Unix UID/GID from Windows ADUC,
> which I don't need at the moment.
> 
> 
>> On 11/29/21 08:40, Victor Rodriguez via samba wrote:
>>> Hello,
>>>
>>> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
>>> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
>>> repo). Everything seems to be working properly.
>>>
>>> After migration I have detected that many users have elements missing in
>>> LDAP, like "uidNumber", "gidNumber", "lastLogon" or
>>> "userAccountControl":
>>>
>>> ---
>>>
>>> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s
>>> sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
>>>
>>> [...]
>>>
>>> # record 1
>>> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: User1
>>> sn: Surname
>>> givenName: User1
>>> displayName: User1 Surname
>>> name: User1 Surname
>>> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
>>> codePage: 0
>>> countryCode: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-***-***-***-1392
>>> sAMAccountName: user1
>>> sAMAccountType: 805306368
>>> userPrincipalName: user1@domain.company.local
>>> objectCategory:
>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
>>> msDS-SupportedEncryptionTypes: 0
>>> distinguishedName: CN=User1
>>> Surname,OU=VAlameda,DC=domain,DC=company,DC=local
>>>
>>> [...]
>>>
>>> ---
>>>
>>> All users in this domain existed before migrating from Windows 2003. I
>>> have created a new user and it does not have those elements in LDAP.
>>> Some other users do have those elements in LDAP. All of them can log in
>>> to a Windows domain joined computer.
>>>
>>>
>>> - In this scenario, should they exist for every user? (as they do in
>>> other domains I have migrated/created)
>>>
>>> - Should I create them? How?
>>>
>>> - Are they created automatically by Samba? When?
>>>
>>>
>>> Thanks a lot in advance.
>>>
>>> Victor.
>>>
>>
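One way to audit which user objects lack uidNumber/gidNumber after a migration like the one above, as an added example that is not part of the thread: it parses an LDIF dump (for instance ldbsearch output saved to a file) and lists the users missing either attribute. The sample LDIF and the DC=example,DC=com names are constructed for illustration.

```python
import re
RFC2307_ATTRS = ("uidNumber", "gidNumber")

def parse_ldif(text):
    """Parse LDIF into {attr_lowercase: [values]} records; unfolds continuation
    lines (leading space) and skips '#' comments such as '# record 1'."""
    records, current = [], {}
    unfolded = re.sub(r"\r?\n ", "", text)          # rejoin folded lines
    for line in unfolded.splitlines():
        if not line.strip():                         # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
    if current:
        records.append(current)
    return records

def users_missing_rfc2307(records):
    """Map DN -> missing RFC2307 attributes for each user object that is not a computer."""
    missing = {}
    for rec in records:
        classes = rec.get("objectclass", [])
        if "user" not in classes or "computer" in classes:
            continue
        lacking = [a for a in RFC2307_ATTRS if a.lower() not in rec]
        if lacking:
            missing[rec["dn"][0]] = lacking
    return missing

SAMPLE_LDIF = """\
# constructed sample, shaped like the ldbsearch output quoted in the thread
dn: CN=user1,OU=usersOU,DC=example,DC=com
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=example,DC=com

dn: CN=user2,OU=usersOU,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=PC01,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
"""
```

Run it against `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' > users.ldif` output by passing the file contents to `parse_ldif`; only user1 is reported, since user2 has both attributes and PC01 is a computer account.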
