[Samba] Elements missing in LDAP for some users

Victor Rodriguez vrodriguez at soltecsis.com
Wed Jan 19 11:32:21 UTC 2022


Hello,

At last I've been able to retake this issue. I have restored the 2003
SBS server in an independent network and done some investigation:

- adsiedit.msc shows all attributes for all users, including
userAccountControl and pwdLastSet as expected. Also many have set also
uidNumber and gidNumber, which is ok.


- Still, ldbsearch does not show all attributes for some users when used
via LDAP like this:

ldbsearch -H ldap://dc1.domain.com -b "DC=domain,DC=com" -P -s sub
"(sAMAccountName=USERNAME)"


- BUT, ldbsearch does show all attributes for all users (as adsiedit.msc
does) when not using LDAP but the SAM file like this:

ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=domain,DC=com" -P -s
sub "(sAMAccountName=USERNAME)"


So the attributes are there and Samba did replicate them from the old
Windows2003 SBS when I migrated the domain, but somehow ldapsearch is
not able to show or find them when using LDAP.

What could cause this behavior of ldbsearch?

Thank you.



On 11/29/21 7:23 PM, Rowland Penny via samba wrote:
> On Mon, 2021-11-29 at 19:01 +0100, Victor Rodriguez via samba wrote:
>> Initially, there was only a Windows 2003 Small Business Server DC. I
>> don't have the full story, but as far as they remember the domain was
>> created using this server at the time
>>
>> I joined Samba as an additional DC to the domain using Zentyal's web
>> UI.
>> I have checked the logs created when I joined the Samba DC and
>> unfortuntely Zentyal does not dump neither each command or its output
>> unless there is any error and the only relative output in the log is
>> "Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking
>> RFC2307 compliant schema..." and passes the check (please note: that
>> log
>> is unrelated to Samba itself but to Zentyal). Then, I joined another
>> Zetyal server as an additional DC, moved all FSMO roles to dc-001 and
>> depromoted the Windows 2003 SBS.
> Do you still have the 2003 SBS ?
>
>> Every other Samba domain that I have use Zentyal too and have RFC2037
>> extensions installed. Maybe in this case, that check didn't work as
>> expected and the schema was not that compliant, but given that some
>> users do have RFC2037 attibutes I don't really know what to think.
> I would be more worried about the DNS, was it 2003R2 compliant ?
>
>> The schema was upgraded to Windows 2003 level both domain and forest
>> before migrating. After the migration, I upgraded to 2008R2 level
>> (objectVersion: 47).
> Samba now use version 69 (2012R2)
>
>> The users created before the migration were created from Windows 2003
>> ADUC.
> But did it have IDMU installed ?
>
>>  The test users created after the migration are created using
>> Windows 10's RSAT ADUC console.
> That knows nothing about Unix
>
>>  I don't know if the users had such
>> attributes before the migration.
> If they weren't there before the upgrade, they wouldn't be there after.
>
>> I understand that I might be able to add attributes like uidNumber or
>> gidNumber using something something as described at:
>>
>> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools
> Probably easier to add them with samba-tool, see:
>
> samba-tool user addunixattrs --help
>
> for more details
>
>> But how may I add other attributes like "userAccountControl"? New
>> users
>> do not have such attribute (among others).
> This is extremely strange, your new users should have these by default.
> Can I suggest you try adding a user with samba-tool and see what the
> result is. If you are using the zentyal GUI, there could be a bug in
> that method, but this is unlikely.
>
> Rowland
>
>
>
-- 
========================================
SOLTECSIS SOLUCIONES TECNOLOGICAS, S.L.
Víctor Rodríguez Cortés
Departamento de I+D+I
Tel./Fax: 966 446 046
vrodriguez at soltecsis.com
www.soltecsis.com
========================================
---
La información contenida en este e-mail es confidencial,
siendo para uso exclusivo del destinatario arriba mencionado.
Le informamos que está totalmente prohibida cualquier
utilización, divulgación, distribución y/o reproducción de
esta comunicación sin autorización expresa en virtud de la
legislación vigente. Si ha recibido este mensaje por error,
le rogamos nos lo notifique inmediatamente por la misma vía
y proceda a su eliminación.
---





More information about the samba mailing list