Re: [Samba] Extending AD schema
On 12/29/2012 06:24 PM, Norberto Bensa wrote:
> Hello,
>
> from: https://wiki.samba.org/index.php/Samba4/FAQ
> """
> Will it also be possible in the future to extend the server by loading user defined schema's?
> Yes, user-defined schema may be loaded into the Samba 4.0 AD DC. It is experimental, so you must set dsdb:schema update allowed = yes in the smb.conf to permit it.
> """
>
> My question is: what does it mean "it is experimental"?
>
> I'm asking because I'm in the process of migrating an existing s3+ldap domain, which has some custom classes and attributes. While I can emulate some of our functionality using AD attributes and classes, some others cannot (or I just haven't found the way yet).

Well, I guess experimental is a bit too bold now, but we can insure you 100% as we have some corner cases not covered.

If you want to be sure, make a test env, load your schema extensions, restart samba; if samba restarts and you are able to search then you are safe. For the record, we managed to add the Exchange schema to a samba DC, so it should cover a pretty large spectrum of changes.

Matthieu.

--
Matthieu Patou
Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Extending AD schema
Hello,

from: https://wiki.samba.org/index.php/Samba4/FAQ
"""
Will it also be possible in the future to extend the server by loading user defined schema's?
Yes, user-defined schema may be loaded into the Samba 4.0 AD DC. It is experimental, so you must set dsdb:schema update allowed = yes in the smb.conf to permit it.
"""

My question is: what does it mean "it is experimental"?

I'm asking because I'm in the process of migrating an existing s3+ldap domain, which has some custom classes and attributes. While I can emulate some of our functionality using AD attributes and classes, some others cannot (or I just haven't found the way yet).

I have already added our custom schemas to s4, and everything seems to be fine, but I'd like to know beforehand what (maybe) won't work.

Many thanks in advance,
Norberto
Re: [Samba] Samba 4 technical documentation
On Sat, 2012-12-29 at 18:21 +0100, Markus Schaufler wrote:
> Hi Newsgroup,
>
> I want to write a technical thesis about Samba 4 and need more detailed
> info about samba's own implementations of ldap, kerberos, bind, etc. and
> the differences from the common implementations.
>
> Obviously I'm too stupid to find it for myself so I would be very grateful
> for any help, links, etc.

There is some stuff in the wiki, but there isn't a great trove of this already written. You could certainly spend some time reading the mail archives and commit logs, but this is not a structured source of information.

I've written about our LDAP backend experiment in the FAQ: https://wiki.samba.org/index.php/Samba4/FAQ

I've written elsewhere about our decision to use Heimdal (much criticised at the time, and so I think I wrote some long mails about it). There may also be stuff in the SambaXP presentation archives.

http://www.samba.org/samba/news/articles/abartlet_thesis.pdf is old, but probably has the most extensive background in a single spot that you are likely to find.

Metze also wrote up a thesis, much more detailed than mine, and we got the original German translated into English: http://www.samba.org/~metze/presentations/2007/thesis/StefanMetzmacher_Bachelorthesis_ENG_Draft-9811557.pdf

I hope these links help,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
On Sat, 2012-12-29 at 13:38 +0100, Achim Gottinger wrote:
> Hello,
>
> I'm running a few tests here with two locations.
>
> site1: server-site1.gsg.local subnet 192.168.200.0/24
> site2: server-site2.gsg.local subnet 192.168.190.0/24
>
> both are connected via VPN.
>
> I migrated a samba3 domain at server-site1; it gets
> Default-First-Site-Name assigned. Then I joined the new samba4 domain
> with server-site2. Both servers work and I can join and access them
> with clients at both locations. I created reverse zones for both subnets
> and added the required static entries.
> Then I created a new site (name site2) and two subnets with MS AD Site
> Management. I assigned subnet 192.168.200.0/24 to the site
> "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site
> "site2", and moved server-site2 from Default-First-Site-Name to site2.
> Machines at site1 randomly picked server-site2 for logins. On site2 they
> always picked server-site2.
>
> So I deleted a few DNS records.
>
> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local
>
> And after a samba restart also
>
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
>
> Afterwards machines at site1 also chose server-site1 most of the time.
> Hope I can optimize the behaviour of logon server choosing a bit more, but
> it happened really seldom and it all ran virtualized with 1GB bandwidth
> for the VPN connection, which will be 1-2MBit once in production.
>
> As a last step I renamed the site "Default-First-Site-Name" to
> "site1". Restarted the samba services at both sites and checked replication.
> But there are still a few DNS entries left, which I deleted manually.
>
> _ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
>
> So there are no more (visible) entries left in
>
> Default-First-Site-Name._sites.gsg.local
> Default-First-Site-Name._sites.gc._msdcs.gsg.local
> Default-First-Site-Name._sites.dc._msdcs.gsg.local
>
> But the structure remains and cannot be deleted (things like
> _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to
> work at both sites but I'm curious if these leftovers can be completely
> removed.

As you have noticed, we are very good at adding DNS records, but never remove the old ones.

What you have done seems reasonable; if you have renamed the site, removing the remaining DNS references seems entirely reasonable.

Please file a bug about the left-behind DNS stuff, we really should clean that up.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
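The records Achim removed by hand can be found mechanically: a site-scoped SRV record whose target DC now belongs to a different site is a leftover. The following is an added example, not code from the thread or from Samba; the record list and the DC-to-site map are constructed, and in a real check you would feed it the SRV records exported from the zone.

```python
"""Flag site-scoped AD SRV records whose target DC is no longer in that site.

Added example, not from the list thread or from Samba: an offline check over a
constructed record list modelled on the thread's gsg.local domain, to find the
leftovers Samba does not remove when a DC is moved between sites.
"""
import re

# Owner-name layouts of site-scoped SRV records in an AD DNS zone:
#   _<svc>._tcp.<site>._sites.<domain>
#   _<svc>._tcp.<site>._sites.dc._msdcs.<domain>   (likewise gc._msdcs)
SITE_SRV = re.compile(
    r"^_(?P<svc>ldap|kerberos|gc)\._tcp\.(?P<site>[^.]+)\._sites\."
    r"(?:(?:dc|gc)\._msdcs\.)?(?P<domain>.+)$",
    re.IGNORECASE,
)


def parse_site_srv(owner):
    """Return (service, site, domain) for a site-scoped SRV owner name, else None."""
    m = SITE_SRV.match(owner.rstrip("."))
    if m is None:
        return None
    return m.group("svc").lower(), m.group("site"), m.group("domain").lower()


def stale_site_records(records, dc_site):
    """records: iterable of (owner, target); dc_site: DC hostname -> its site.
    Returns the pairs whose site label disagrees with the target DC's current
    site. Domain-wide records (no _sites label) are skipped."""
    stale = []
    for owner, target in records:
        parsed = parse_site_srv(owner)
        if parsed is None:
            continue
        _, site, _ = parsed
        actual = dc_site.get(target.rstrip(".").lower())
        if actual is not None and actual.lower() != site.lower():
            stale.append((owner, target))
    return stale


# Constructed sample: server-site2 was moved to site "site2", but its
# Default-First-Site-Name entries were never cleaned up.
SAMPLE_RECORDS = [
    ("_ldap._tcp.Default-First-Site-Name._sites.gsg.local", "server-site1.gsg.local"),
    ("_ldap._tcp.Default-First-Site-Name._sites.gsg.local", "server-site2.gsg.local"),
    ("_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local", "server-site2.gsg.local"),
    ("_ldap._tcp.site2._sites.gsg.local", "server-site2.gsg.local"),
    ("_ldap._tcp.gsg.local", "server-site2.gsg.local"),  # domain-wide record, not site-scoped
]
DC_SITE = {"server-site1.gsg.local": "Default-First-Site-Name",
           "server-site2.gsg.local": "site2"}
```

Running `stale_site_records(SAMPLE_RECORDS, DC_SITE)` returns exactly the two Default-First-Site-Name entries that point at server-site2.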
[Samba] Samba 4 technical documentation
Hi Newsgroup,

I want to write a technical thesis about Samba 4 and need more detailed info about samba's own implementations of ldap, kerberos, bind, etc. and the differences from the common implementations.

Obviously I'm too stupid to find it for myself so I would be very grateful for any help, links, etc.

Thanks in advance,
Markus
[Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS
Hello,

I'm running a few tests here with two locations.

site1: server-site1.gsg.local subnet 192.168.200.0/24
site2: server-site2.gsg.local subnet 192.168.190.0/24

both are connected via VPN.

I migrated a samba3 domain at server-site1; it gets Default-First-Site-Name assigned. Then I joined the new samba4 domain with server-site2. Both servers work and I can join and access them with clients at both locations. I created reverse zones for both subnets and added the required static entries.
Then I created a new site (name site2) and two subnets with MS AD Site Management. I assigned subnet 192.168.200.0/24 to the site "Default-First-Site-Name" and subnet 192.168.190.0/24 to the site "site2", and moved server-site2 from Default-First-Site-Name to site2. Machines at site1 randomly picked server-site2 for logins. On site2 they always picked server-site2.

So I deleted a few DNS records.

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site2.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site2.gsg.local

And after a samba restart also

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site2.gsg.local

Afterwards machines at site1 also chose server-site1 most of the time. Hope I can optimize the behaviour of logon server choosing a bit more, but it happened really seldom and it all ran virtualized with 1GB bandwidth for the VPN connection, which will be 1-2MBit once in production.

As a last step I renamed the site "Default-First-Site-Name" to "site1". Restarted the samba services at both sites and checked replication. But there are still a few DNS entries left, which I deleted manually.

_ldap._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_gc._tcp.Default-First-Site-Name._sites.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.gsg.local SRV site1.gsg.local
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.gsg.local SRV site1.gsg.local

So there are no more (visible) entries left in

Default-First-Site-Name._sites.gsg.local
Default-First-Site-Name._sites.gc._msdcs.gsg.local
Default-First-Site-Name._sites.dc._msdcs.gsg.local

But the structure remains and cannot be deleted (things like _tcp.Default-First-Site-Name._sites.gsg.local). Things still seem to work at both sites but I'm curious if these leftovers can be completely removed.

Thanks in advance
Achim Gottinger
[Samba] Samba 4 AD DC builtin DNS / samba-tool dns add reverse zone entries / DNS Remote Management on an Win2kR2 Server
Hi,

By accident I did something like this via a script to populate a reverse zone.

~# samba-tool dns add server 200.168.192.in-addr.arpa 1.1 PTR test.gsg.local

And indeed that record was added successfully and even showed up in the DNS Remote Management on a Win2kR2 Server like this:

192.168.200.1.1 PTR test.gsg.local

Good thing the record can be deleted, but I guess it should not be possible to create such a record.

Beside that, the DNS Remote Management shows a lot of grey folders labelled with machine names under Forward Lookup Zones. Folders like _sites, ForestZones, DnsZones are also affected. Is this normal behaviour or should I be concerned about this?

Thanks in advance
Achim Gottinger
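Since samba-tool stores whatever name it is given, a script that populates a reverse zone should validate the owner name itself before calling `samba-tool dns add`. The following is an added example, not code from the thread or from samba-tool: it computes the IPv4 address a `<name>.<zone>` PTR owner would stand for and rejects a name like `1.1` in `200.168.192.in-addr.arpa`, which would produce the five-octet `192.168.200.1.1` seen above. It assumes classic in-addr.arpa zones cut on octet boundaries (no RFC 2317 classless labels); the sample entries are constructed.

```python
"""Pre-check PTR owner names before
    samba-tool dns add <server> <zone> <name> PTR <target>

Added example, not part of the list thread or of samba-tool. Assumes classic
in-addr.arpa zones on octet boundaries (RFC 2317 labels are rejected too).
"""
import ipaddress

IN_ADDR = ".in-addr.arpa"


def ptr_owner_address(zone, name):
    """Return the dotted IPv4 address that <name>.<zone> denotes, or None
    when the combined owner name is not exactly four octets in 0..255."""
    zone = zone.rstrip(".").lower()
    if not zone.endswith(IN_ADDR):
        return None
    # Owner name = <name>.<zone>; the zone carries the reversed leading octets.
    labels = (name.rstrip(".") + "." + zone[: -len(IN_ADDR)]).split(".")
    if len(labels) != 4:
        return None            # e.g. "1.1" + "200.168.192" is five octets
    try:
        octets = [int(label) for label in labels]
    except ValueError:
        return None
    if any(o < 0 or o > 255 for o in octets):
        return None
    # Reverse back into network order and let ipaddress normalise it.
    return str(ipaddress.IPv4Address(".".join(str(o) for o in reversed(octets))))


def check_ptr_entries(zone, entries):
    """entries: iterable of (name, target). Returns (accepted, rejected):
    accepted items are (name, target, address), rejected are (name, target)."""
    accepted, rejected = [], []
    for name, target in entries:
        addr = ptr_owner_address(zone, name)
        if addr is None:
            rejected.append((name, target))
        else:
            accepted.append((name, target, addr))
    return accepted, rejected


# Constructed sample modelled on the zone in the thread.
ZONE = "200.168.192.in-addr.arpa"
SAMPLE = [("1", "test.gsg.local"), ("1.1", "test.gsg.local"),
          ("256", "bad.gsg.local"), ("10", "srv.gsg.local")]

if __name__ == "__main__":
    ok, bad = check_ptr_entries(ZONE, SAMPLE)
    for name, target, addr in ok:
        print(f"OK   {name}.{ZONE} -> {addr} PTR {target}")
    for name, target in bad:
        print(f"SKIP {name}.{ZONE}: not a valid reverse name, PTR {target}")
```

Only the accepted entries should be passed on to `samba-tool dns add`; the rejected ones are the records that would otherwise show up as malformed in the Windows DNS console.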
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-29 at 19:31 +1300, Pieter De Wit wrote:
> On 28/12/2012 10:45, Andrew Bartlett wrote:
> > On Fri, 2012-12-28 at 10:30 +1300, Pieter De Wit wrote:
> >> On 22/12/2012 14:56, Andrew Bartlett wrote:
> >>> On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote:
> >>>> I stand corrected re the MS comment then. How do I get the
> >>>> userAccountControl?
> >>> userAccountControl is an ldap attribute, on the DC object. ldapsearch,
> >>> or a GUI LDAP browser (ldp.exe on windows is one) will be able to show
> >>> it.
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hi Andrew,
> >>
> >> Finally got time to pull this:
> >>
> >> userAccountControl: 69632
> > This is 0x11000
> >
> > #define UF_WORKSTATION_TRUST_ACCOUNT 0x1000
> > #define UF_DONT_EXPIRE_PASSWD 0x0001
> >
> > If this remains an issue with current management tools, then I guess we
> > can raise a bug to see if we really, really need to set
> > UF_DONT_EXPIRE_PASSWD in that bitmask.
> >
> > Andrew Bartlett
> >
> Andrew,
>
> Is it worth setting the value to 0x1000 and see what the tools show
> before logging the bug ? It would be a useful data point.
> What is the "correct" value for a Member Server ?

It just needs UF_WORKSTATION_TRUST_ACCOUNT

I've seen contradictory stuff about if workstation accounts can expire.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org