[Samba] core & cosine schema items in Samba AD DC user object?

Franta Hanzlík franta at hanzlici.cz
Tue Mar 26 16:13:34 UTC 2024


On Tue, 26 Mar 2024 14:49:02 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 26 Mar 2024 14:50:41 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
> 
> > On Tue, 26 Mar 2024 08:01:27 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >   
> > > On Tue, 26 Mar 2024 02:57:51 +0100
> > > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> > >   
>  [...]  
> > > 
> > > It is very possible, because they are standard components of the AD
> > > schema:
> > > 
> > > dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: c
> > > 
> > > dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: l
> > > 
> > > dn: CN=Text-Country,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: co
> > > 
> > > dn: CN=Street-Address,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: street
> > > 
> > > dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=X
> > > lDAPDisplayName: displayName  
> > 
> > Yeah, it is super!
> > My mistake was - before I was only looking in the 
> > /etc/openldap/schema/samba.schema file, where these attributes are
> > not present. But now I can see them in the 
> > /usr/share/samba/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf 
> > file (which is perhaps what Samba uses as its schema).
> >   
>  [...]  
> > > 
> > > That would be up to you writing your own script to add them, unless
> > > you would care to update samba-tool to do this ;-)  
> > 
> > Maybe these attributes can be supplemented with some Windows tool
> > (RSAT/ADUC); I haven't tried it yet.
> > 
> > What I just tried - add these attributes to AD with ldbmodify and a
> > pre-prepared LDIF file (as:
> > 
> > dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
> > changetype: modify
> > add: l
> > l: Plzeň
> > 
> > ) - and it works well, thus the problem is solved.
> > 
> > And another finding - adding a non-existent attribute such as
> > Locality-Name (
> > 
> > dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
> > changetype: modify
> > add: Locality-Name
> > Locality-Name: Plzeň
> > 
> > ) to the schema (I mistakenly thought that e.g. the 'l' attribute is an 
> > external/LDAP alias for the internal "Locality-Name" attribute used 
> > by Samba) will not fail, and the USER object will have both "l" and 
> > "Locality-Name" attributes. Is it ok that I can add any nonsense 
> > (attribute not in schema) to the object?  
> 
> 
> I do not think you are quite understanding this.
> 
> The 'DN': CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
> 
> is what it is called in the AD schema.
> 
> The actual attribute that you use is the 'lDAPDisplayName', in this
> case 'l'.
> 
> So you would use an ldif like this:
> 
> dn: CN=Pepík,OU=dobří,OU=kamarádi,DC=ad,DC=hanzlici,DC=cz
> changetype: modify
> add: l
> l: Plzeň
> 
> Rowland
> 
> -- 

Yes, that's how I understood it later.
But what surprised me is that an object ("user" class in this case) 
can be assigned any imaginary attribute - I thought that the Samba 
AD schema strictly limits what objects and with what attributes can 
be in the AD. But maybe it only limits the types of objects, not 
their attributes...
(I'm keeping quiet now, I know very little about Samba and AD.
Many thanks, Rowland, thanks to you this mailing list is so great)
-- 
Franta Hanzlik

Luční 502           Linux/Unix/LAN/Internet       Tel: +420-372-222302
33209 Štěnovice    e-mail:franta at hanzlici.cz      Fax: +420-372-222302
Czech Republic        http://hanzlici.cz/         GSM: +420-604-117319
This mail contains no viruses; it was sent from the Linux operating system
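A pre-flight check for LDIF changes like the ones in this thread, added here as an example and not code from the thread or from Samba: it reads an attributeSchema export in the shape quoted above (the constructed SCHEMA_LDIF excerpt stands in for the AD_DS_Attributes .ldf file) and flags any attribute in a modify LDIF that is a schema CN such as Locality-Name rather than its lDAPDisplayName, or that is not in the schema at all, before anything is written to the directory.

```python
import re

# Constructed excerpt in the shape of the schema export quoted in the thread:
# the CN in the DN is the schema name, lDAPDisplayName is the name you use.
SCHEMA_LDIF = """\
dn: CN=Country-Name,CN=Schema,CN=Configuration,DC=X
lDAPDisplayName: c

dn: CN=Locality-Name,CN=Schema,CN=Configuration,DC=X
lDAPDisplayName: l
"""

def parse_records(text):
    # Split LDIF into records, each a list of (attribute, value) pairs:
    # unfold continuation lines, then split on blank lines (trailing "" flushes the last record)
    records, current = [], []
    for line in re.sub(r"\r?\n ", "", text).split("\n") + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))  # '::' base64 values are not decoded
    return records

def schema_names(schema_ldif):
    # Map lower-cased lDAPDisplayName -> schema CN from an attributeSchema export
    names = {}
    for rec in parse_records(schema_ldif):
        attrs = {a.lower(): v for a, v in rec}
        if "dn" in attrs and "ldapdisplayname" in attrs:
            cn = re.match(r"CN=([^,]+)", attrs["dn"], re.I).group(1)
            names[attrs["ldapdisplayname"].lower()] = cn
    return names

MOD_OPS = {"add", "replace", "delete"}
SKIP = MOD_OPS | {"dn", "changetype", "-"}

def check_modify(ldif, names):
    # List attribute names in a 'changetype: modify' LDIF that are not lDAPDisplayNames
    by_cn = {cn.lower(): disp for disp, cn in names.items()}
    problems = []
    for rec in parse_records(ldif):
        used = {v for a, v in rec if a.lower() in MOD_OPS}    # 'add: l' names attribute l
        used |= {a for a, _ in rec if a.lower() not in SKIP}  # 'l: Plzeň' names attribute l
        for name in sorted(used):
            if name.lower() in by_cn:
                problems.append((name, "schema CN; use lDAPDisplayName '%s'" % by_cn[name.lower()]))
            elif name.lower() not in names:
                problems.append((name, "not in schema"))
    return problems
```

Run it against the two LDIFs from the thread: the one using `add: l` passes, while the one using `add: Locality-Name` is reported with the lDAPDisplayName to use instead.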