[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-25 Thread Thierry Lacoste

Sorry if I missed your point but I have no problems with UIDs and GIDs.
The smbldap-tools keep the next available ones in the attributes
uidNumber and gidNumber of the sambaDomainName LDAP entry.

The problem is that samba's RID calculation changed somewhere between
3.0.22 and 3.0.34.

What should I do to upgrade as easily as possible from 3.0.22
(where RID=1000+2*UID) to 3.0.34 (where the next available RID
is kept in the sambaNextRid attribute of the sambaDomainName LDAP entry)?
If I don't deal with this change I will have SID clashes.

Or did you mean that you assign SIDs by hand with ldif files?

Regards,
Thierry

Quoting Adam Williams awill...@mdah.state.ms.us:


samba creates the RID when smbpasswd -a is used (or machine is joined
to the domain).  smbldap-tools creates an entry in ldap to keep up with
the next available UID.  i don't remember what it is.  personally, I
just use a text file that contains my next available UID and GID in it
and increment when i add a user.  i do everything by hand with .ldif
files though.

Thierry Lacoste wrote:

Hello,

I did the steps described below and I have a problem with machine RIDs.

When I first join a machine, samba adds to my sambaDomainName ldap entry
a sambaNextRid attribute with a value of 1000.
Now samba uses this value (incremented each time) to give its RID
to the machine.

This is going to be a real problem as my current samba computes RIDs
as 1000+2*UID.

FWIW I'm using smbldap-tools to create user accounts and I have
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
in my smb.conf though I don't think it is relevant because
AFAIK this script is only called to create the posix machine account.

What are my options?
If at all possible, I'd rather stick to the 1000+2*UID algorithm.

I googled about it and I know that others were caught too
but I wasn't able to find a solution.

Regards,
Thierry.

Quoting Adam Williams awill...@mdah.state.ms.us:


your steps are fine.  you don't need the samba LDAP entries you listed,
when you do smbpasswd -a user, it will add the minimum required LDAP
entries for samba.

laco...@miage.univ-paris12.fr wrote:

Hello,

I plan to update my samba-3.0.22/openldap-2.3.24
to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
This is on FreeBSD.

My idea is:
1) slapcat the openldap server and save the various tdb files.
2) deinstall samba and openldap and wipe out the bdb files
3) install the newer versions
4) slapadd to the new openldap server

This seems to work in my test lab.
During my tests I also built a new domain afresh and realized that the
sambaDomainName ldap entry has some attributes that are not in my
production server: sambaMinPwdLength, sambaLogonToChgPwd, sambaLockoutDuration,
sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.

Do I have to add these attributes to my ldif file before slapadd?
More generally, do I have to add some attributes to my ldap entries?

Regards,
Thierry
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
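A pre-upgrade check for the clash Thierry describes, added here as an illustration and not code from the thread or from Samba: it reads a slapcat dump, finds the highest RID already assigned under the domain SID (old-style 1000+2*UID users and 2*GID+1001 groups), and emits an LDIF modify that moves sambaNextRid past it before the new samba starts counting. The sample LDIF, the domain SID and the assumption that samba hands out the stored sambaNextRid value and then increments it are constructed for this example.

```python
import re

# Constructed sample slapcat output (not from the thread): a domain entry whose
# sambaNextRid the newer samba initialised to 1000, one user with a RID from
# the old 1000+2*UID rule and one group mapped with 2*GID+1001.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaSID: S-1-5-21-111-222-333
sambaNextRid: 1000

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uidNumber: 1001
sambaSID: S-1-5-21-111-222-333-3002

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-111-222-333-3003
"""

def parse_ldif(text):
    """Split an LDIF dump into one {attribute: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key, []).append(value.strip())
        entries.append(entry)
    return entries

def rid_audit(text):
    """Return (domain dn, current sambaNextRid, highest used RID, safe value)."""
    entries = parse_ldif(text)
    domain = next(e for e in entries if "sambaDomain" in e["objectClass"])
    prefix = domain["sambaSID"][0] + "-"
    used = [int(e["sambaSID"][0][len(prefix):]) for e in entries
            if e is not domain and e.get("sambaSID", [""])[0].startswith(prefix)]
    current = int(domain.get("sambaNextRid", ["0"])[0])
    # Assumption: the counter is handed out as-is and then incremented, so any
    # value at or below the highest RID in use will eventually collide.
    return domain["dn"][0], current, max(used), max(used) + 1

def fix_ldif(text):
    """LDIF modify fragment that moves sambaNextRid past every RID in use."""
    dn, current, highest, safe = rid_audit(text)
    if current > highest:
        return ""  # counter already clear of the old RIDs: nothing to change
    return f"dn: {dn}\nchangetype: modify\nreplace: sambaNextRid\nsambaNextRid: {safe}\n"
```

Run the resulting fragment through ldapmodify after slapadd and before the first domain join on the new server; machine accounts then receive RIDs above the ones the 1000+2*UID rule already handed out.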


[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-25 Thread Adam Williams
Oh, i calculate the RID by hand and add it with net groupmap add 
rid= ntgroup=what ever unixgroup=whatever type=d


and i think your math is wrong, it is group # * 2 + 1001.

to get a UID's RID, it is uid * 2 + 1000.

Thierry Lacoste wrote:

Sorry if I missed your point but I have no problems with UIDs and GIDs.
The smbldap-tools keep the next available ones in the attributes
uidNumber and gidNumber of the sambaDomainName LDAP entry.

The problem is that samba's RID calculation changed somewhere between
3.0.22 and 3.0.34.

What should I do to upgrade as easily as possible from 3.0.22
(where RID=1000+2*UID) to 3.0.34 (where the next available RID
is kept in the sambaNextRid attribute of the sambaDomainName LDAP entry)?
If I don't deal with this change I will have SID clashes.

Or did you mean that you assign SIDs by hand with ldif files?

Regards,
Thierry



[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-25 Thread Thierry Lacoste

I was talking about SID calculation for machine accounts upon domain joining.
What is the relation that you have between SID and UID for a given machine?
Can you handcraft this relation?

Quoting Adam Williams awill...@mdah.state.ms.us:


Oh, i calculate the RID by hand and add it with net groupmap add
rid= ntgroup=what ever unixgroup=whatever type=d

and i think your math is wrong, it is group # * 2 + 1001.

to get a UID's RID, it is uid * 2 + 1000.

Thierry Lacoste wrote:

Sorry if I missed your point but I have no problems with UIDs and GIDs.
The smbldap-tools keep the next available ones in the attributes
uidNumber and gidNumber of the sambaDomainName LDAP entry.

The problem is that samba's RID calculation changed somewhere between
3.0.22 and 3.0.34.

What should I do to upgrade as easily as possible from 3.0.22
(where RID=1000+2*UID) to 3.0.34 (where the next available RID
is kept in the sambaNextRid attribute of the sambaDomainName LDAP entry)?
If I don't deal with this change I will have SID clashes.

Or did you mean that you assign SIDs by hand with ldif files?

Regards,
Thierry



[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-25 Thread Adam Williams
here usually the person's username is also their computer name.  for 
instance, ou=People contains their username and their UID.  then in 
ou=Computers for the computer they are on, the computer will have the 
same username, and the UID is the UID from people + 1.


Thierry Lacoste wrote:
I was talking about SID calculation for machine accounts upon domain 
joining.
What is the relation that you have between SID and UID for a given 
machine?

Can you handcraft this relation?



[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-24 Thread Adam Williams
samba creates the RID when smbpasswd -a is used (or machine is joined to 
the domain).  smbldap-tools creates an entry in ldap to keep up with the 
next available UID.  i don't remember what it is.  personally, I just 
use a text file that contains my next available UID and GID in it and 
increment when i add a user.  i do everything by hand with .ldif files 
though.


Thierry Lacoste wrote:

Hello,

I did the steps described below and I have a problem with machine RIDs.

When I first join a machine, samba adds to my sambaDomainName ldap entry
a sambaNextRid attribute with a value of 1000.
Now samba uses this value (incremented each time) to give its RID
to the machine.

This is going to be a real problem as my current samba computes RIDs
as 1000+2*UID.

FWIW I'm using smbldap-tools to create user accounts and I have
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
in my smb.conf though I don't think it is relevant because
AFAIK this script is only called to create the posix machine account.

What are my options?
If at all possible, I'd rather stick to the 1000+2*UID algorithm.

I googled about it and I know that others were caught too
but I wasn't able to find a solution.

Regards,
Thierry.

Quoting Adam Williams awill...@mdah.state.ms.us:


your steps are fine.  you don't need the samba LDAP entries you listed,
when you do smbpasswd -a user, it will add the minimum required LDAP
entries for samba.

laco...@miage.univ-paris12.fr wrote:

Hello,

I plan to update my samba-3.0.22/openldap-2.3.24
to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
This is on FreeBSD.

My idea is:
1) slapcat the openldap server and save the various tdb files.
2) deinstall samba and openldap and wipe out the bdb files
3) install the newer versions
4) slapadd to the new openldap server

This seems to work in my test lab.
During my tests I also built a new domain afresh and realized that the
sambaDomainName ldap entry has some attributes that are not in my
production server: sambaMinPwdLength, sambaLogonToChgPwd, sambaLockoutDuration,
sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.

Do I have to add these attributes to my ldif file before slapadd?
More generally, do I have to add some attributes to my ldap entries?

Regards,
Thierry
