On 13/04/13 23:32, Rowland Penny wrote:
On 13/04/13 20:22, steve wrote:
On 13/04/13 20:38, Rowland Penny wrote:
On 13/04/13 19:24, steve wrote:
On 13/04/13 18:49, François Lafont wrote:
Hi,
On 11/04/2013 22:39, Gémes Géza wrote:
The easiest way to test out rfc2307 would be to provision a new
domain
with samba-tool domain provision --use-rfc2307
--the-other-options-of-your-choice, and test a rfc2307 client
against
it. The difference is, that in this case the provisioning script
loads a
schema file (ypServ30.ldif) which makes it easier to administer the
rfc2307 attributes using ADUC. [...]
OK. I tried this on a wheezy server:
---------------------------------------------------
samba-tool domain provision --realm=CHEZMOI.PRIV \
--domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
--adminpass='+toto123' --use-rfc2307
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba
samba-tool user add test1 "+test123"
---------------------------------------------------
Here is my smb.conf file after these commands:
---------------------------------------------------
# Global parameters
[global]
workgroup = CHEZMOI
realm = CHEZMOI.PRIV
netbios name = WHEEZY-1
server role = active directory domain controller
dns forwarder = 212.27.40.241
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
---------------------------------------------------
But when I run:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
---------------------------------------------------
# editing 1 records
# record 1
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
instanceType: 4
whenCreated: 20130413162647.0Z
whenChanged: 20130413162647.0Z
uSNCreated: 3769
name: test1
objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test1
sAMAccountType: 805306368
userPrincipalName: te...@chezmoi.priv
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
pwdLastSet: 130103440070000000
userAccountControl: 512
uSNChanged: 3771
distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
---------------------------------------------------
I have no "objectClass: posixAccount" entry and therefore no
"uidNumber" or "gidNumber" attribute. Is that normal?
I thought the "use-rfc2307" option allowed creating
"posixAccount" users. Isn't that the case?
Hi
You still have to add the objects. Yourself! I think provisioning
with the rfc2307 option allows you to use the windows tools instead
of using ldbedit or LDIFs. If you just want uid:gid you can use
ldbedit like you have above and
add e.g.
objectClass: posixGroup
gidNumber: 20513
to Domain Users
then, e.g.
objectClass: posixAccount
uidNumber: 3000100
gidNumber: 20513
to each of your users. With a different uid for each user of
course. You then decide how to get the uid:gid out of AD. There's
another thread here at the moment about how or how not to do that.
hth
Steve
Hi, you do not need the posix objectclasses, you can add the
uidNumbers etc. without them.
Rowland
Hi
Yes, but please be careful. The Samba4 LDAP allows you to add
uidNumber without the class from the schema which provides it. In
this case posixAccount. However, the uidNumber in that case will just
be ignored. e.g. it will not show in getent passwd.
I'm not certain but I think in openldap with the rfc2307 schema, it
would be an error: you wouldn't be able to do it.
@Rowland. Maybe your method with sssd doesn't need uidNumber to be
present in AD?
Cheers,
Steve
Hi Steve, I thought like you until someone posted either on here or on
the technical list that windows does not use the posix objectclasses,
and as Samba 4 AD is supposed to be exactly like windows AD, then
obviously you do not need them. If they were required, you would not
be able to add the uidNumbers etc, it would just error out.
If you are having problems pulling the uidNumber with nss-ldapd
without the posix objectclasses, then this might be because nss-ldapd
was written for ldap but AD != LDAP. All I can say is sssd works
without the posix objectclasses.
Rowland
Thanks Rowland. I'd no idea that windows didn't need the classes but as
I came from a Linux openldap background I understood that, as you quite
rightly say, openldap wouldn't allow you to add uidNumber without
posixAccount. For the record, nss-ldapd _does_ require the class to be
present. If it isn't then as far as ldapd is concerned, the user doesn't
exist.
Well, that's the end of another 48 hour day. Why do we do this!
Cheers,
Steve
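The procedure Steve describes (add posixGroup/gidNumber to Domain Users, then posixAccount/uidNumber/gidNumber to each user, with a distinct uidNumber per user) and his caveat that nss-ldapd ignores a uidNumber that has no posixAccount class, as an added example that is not part of the thread or of Samba itself. The script parses records in the form ldbedit prints them, flags users that are not usable by an nss-ldapd client, allocates uidNumbers that do not collide with ones already in the directory, and emits a changetype: modify LDIF. The sample records, the uidNumber base of 3000100 and the gidNumber 20513 are taken from Steve's message; the DN of Domain Users and the second user are constructed. Applying the output with ldbmodify against sam.ldb is left to the reader and is not exercised here.

```python
"""Added example: build an ldbmodify LDIF that gives Samba AD users the
RFC2307 attributes discussed in the thread (not Samba's own code)."""
import re

# Constructed sample in ldbedit's output format: test1 lacks everything,
# test2 already carries posixAccount and a uidNumber.
SAMPLE_LDIF = """\
# editing 2 records
# record 1
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
sAMAccountName: test1

# record 2
dn: CN=test2,CN=Users,DC=chezmoi,DC=priv
objectClass: top
objectClass: user
objectClass: posixAccount
cn: test2
sAMAccountName: test2
uidNumber: 3000100
gidNumber: 20513
"""


def parse_ldif(text):
    """Parse ldbedit/ldbsearch output into a list of {attr: [values]} dicts.
    Comment lines are skipped and LDIF continuation lines (leading space)
    are folded back; base64 ('::') values are not handled in this example."""
    records, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            if current:
                records.append(current)
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def _values(record, attr):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return [v for k, vs in record.items() if k.lower() == attr.lower() for v in vs]


def is_posix_ready(record):
    """True only when both the posixAccount class and a uidNumber are present:
    that is what nss-ldapd needs (the thread notes sssd copes without the class)."""
    classes = {c.lower() for c in _values(record, "objectClass")}
    return "posixaccount" in classes and bool(_values(record, "uidNumber"))


def allocate_uids(records, base=3000100):
    """Assign a distinct uidNumber to every record lacking one, starting at
    `base` and skipping uidNumbers already in use. Returns {dn: uidNumber}."""
    used = {int(v) for r in records for v in _values(r, "uidNumber")}
    plan, next_uid = {}, base
    for r in records:
        if _values(r, "uidNumber"):
            continue
        while next_uid in used:
            next_uid += 1
        plan[r["dn"][0]] = next_uid
        used.add(next_uid)
        next_uid += 1
    return plan


def _modify(dn, mods):
    """Render one 'changetype: modify' record; mods is a list of (attr, value)."""
    body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in mods)
    return f"dn: {dn}\nchangetype: modify\n{body}\n"


def group_modify_ldif(group_dn, gid=20513):
    """The Domain Users step: add posixGroup and its gidNumber."""
    return _modify(group_dn, [("objectClass", "posixGroup"), ("gidNumber", gid)])


def build_modify_ldif(records, base=3000100, gid=20513):
    """Emit modify records for every user that is not yet posix-ready,
    adding only the pieces each one is missing."""
    plan, chunks = allocate_uids(records, base), []
    for r in records:
        if is_posix_ready(r):
            continue
        dn, mods = r["dn"][0], []
        if "posixaccount" not in {c.lower() for c in _values(r, "objectClass")}:
            mods.append(("objectClass", "posixAccount"))
        if not _values(r, "uidNumber"):
            mods.append(("uidNumber", plan[dn]))
        if not _values(r, "gidNumber"):
            mods.append(("gidNumber", gid))
        chunks.append(_modify(dn, mods))
    return "\n".join(chunks)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(group_modify_ldif("CN=Domain Users,CN=Users,DC=chezmoi,DC=priv"))
    print(build_modify_ldif(recs))
```

Feeding the script real data means running ldbsearch (or ldbedit, as in the thread) against /usr/local/samba/private/sam.ldb and saving the output; the checks in is_posix_ready are the ones to run after the change, since a user that only gained a uidNumber will still be invisible to getent passwd on an nss-ldapd client.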