[Samba] Elements missing in LDAP for some users

Rowland Penny rpenny at samba.org
Mon Nov 29 18:23:31 UTC 2021

On Mon, 2021-11-29 at 19:01 +0100, Victor Rodriguez via samba wrote:
> Initially, there was only a Windows 2003 Small Business Server DC. I
> don't have the full story, but as far as they remember the domain was
> created using this server at the time.
> I joined Samba as an additional DC to the domain using Zentyal's web
> UI.
> I have checked the logs created when I joined the Samba DC and
> unfortunately Zentyal does not dump either each command or its output
> unless there is any error and the only relative output in the log is
> "Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking
> RFC2307 compliant schema..." and passes the check (please note: that
> log is unrelated to Samba itself but to Zentyal). Then, I joined another
> Zentyal server as an additional DC, moved all FSMO roles to dc-001 and
> depromoted the Windows 2003 SBS.

Do you still have the 2003 SBS ?

> Every other Samba domain that I have uses Zentyal too and has RFC2037
> extensions installed. Maybe in this case, that check didn't work as
> expected and the schema was not that compliant, but given that some
> users do have RFC2037 attributes I don't really know what to think.

I would be more worried about the DNS, was it 2003R2 compliant ?

> The schema was upgraded to Windows 2003 level both domain and forest
> before migrating. After the migration, I upgraded to 2008R2 level
> (objectVersion: 47).

Samba now uses version 69 (2012R2)

> The users created before the migration were created from Windows 2003

But did it have IDMU installed ?

>  The test users created after the migration are created using
> Windows 10's RSAT ADUC console.

That knows nothing about Unix

>  I don't know if the users had such
> attributes before the migration.

If they weren't there before the upgrade, they wouldn't be there after.

> I understand that I might be able to add attributes like uidNumber or
> gidNumber using something as described at:
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools

Probably easier to add them with samba-tool, see:

samba-tool user addunixattrs --help

for more details

> But how may I add other attributes like "userAccountControl"? New
> users do not have such an attribute (among others).

This is extremely strange, your new users should have these by default.
Can I suggest you try adding a user with samba-tool and see what the
result is. If you are using the zentyal GUI, there could be a bug in
that method, but this is unlikely.
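
An added example, not part of the original post or of Samba's own code: one way to check which user entries lack the attributes discussed above, run over LDIF text in the form ldbsearch prints. The sample entries, their DNs and the attribute list in WANTED are constructed assumptions for illustration.

```python
import base64
# Attributes named in the thread; expecting all three on every user is this example's assumption.
WANTED = ("userAccountControl", "uidNumber", "gidNumber")
# Constructed sample in the LDIF form ldbsearch prints (not data from the thread).
SAMPLE = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=lan
objectClass: user
userAccountControl: 512
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=test user,CN=Users,
 DC=example,DC=lan
objectClass: user
description:: bmV3IHVzZXI=
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(name.lower(), []).append(value.strip())
    return entries

def missing_attrs(entries, wanted=WANTED):
    """Return {dn: [missing attrs]} for user (non-computer) entries."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        gaps = [a for a in wanted if a.lower() not in e]
        if "user" in classes and "computer" not in classes and gaps:
            report[e["dn"][0]] = gaps
    return report
print(missing_attrs(parse_ldif(SAMPLE)))
```

Running the same report before and after creating a test user with samba-tool shows whether the gap depends on how the account was created.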

