Re: [Samba] Samba 4 Services for UNIX?
I have a little more information about the issues I'm having: When I try to create automountMap or automount objects in the directory using Apache Directory Studio it fails because I need to add the following attributes:

    instanceType
    ntSecurityDescriptor
    objectCategory

Can someone enlighten me on the correct value for these attributes?

thanks,
Rob

On Tue, Jan 8, 2013 at 6:43 PM, Robert Moggach r...@dashing.tv wrote:
> I've solved getting the schema into the directory... and I thought I populated my automount maps... but the directory is unbrowseable - Getting closer...
>
> I keep getting the following error:
>
>     *acl_read: cannot get descriptor of automountMap... etc. etc.*
>
> Steps I took...
>
> 1) I had changed the Default-First-Site-Name to something more appropriate and changing that back seemed like a good place to start even though fsmo was showing me as the SchemaMaster -
>
> 2) At this point I was able to get the schema loaded... almost... ldapadd didn't like attributes and class in the same ldif... and then I had to restart samba to add the class file... ugh... use ldbmodify!
>
> I edited the automount.ldif schema file to be two files - one for the attributes and a second for the classes. I added the schema using the following two commands:
>
>     ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_attr.ldif --option="dsdb:schema update allowed=true"
>     ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_class.ldif --option="dsdb:schema update allowed=true"
>
> 4) I then tried to add the automount records with ldbmodify with no luck ...
>
>     ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/03_autofs_maps.ldif
>     ...
>     Sorting rpmd with attid exception 3 rDN=CN DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
>     ERR: (Naming violation) objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for objectclass 'automountMap'! on DN automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at block before line 41
>     Modify failed after processing 5 records
>
> Weird... solved that by doing the following, but now I have all kinds of acl_read errors:
>
>     ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb 03_autofs_maps.ldif
>
> ldapsearch gives me the following:
>
>     result: 1 Operations error
>     search: 5
>     result: 1 Operations error
>     text: acl_read: cannot get descriptor of automountMapName=...
>
> weird? how do I add acls?
>
> The following shows the whole directory as expected... but I need ldap to work for autofs!
>
>     ldbsearch -H /usr/local/samba/private/sam.ldb
>
> So can someone tell me how to get acls added for my objects?
>
> Samba version: 4.1.0pre1-GIT-94f11e9
> Build environment:
>     Build host: Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 Services for UNIX? [SOLVED]
To get the automount schema to work with the git checkout of samba 4 I had to modify the automount schema files and separate the attributes from the classes. I also discovered that it's required to have the ntSecurityDescriptor, instanceType, and objectCategory attributes. Without these it will crash whenever you try to browse... I did a lot of stopping samba, tarring of /usr/local/samba and untarring to finally get here...

Here's the ldif for the automount attributes I used:

    dn: CN=automountMapName,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: attributeSchema
    attributeID: 1.3.6.1.1.1.1.31
    cn: automountMapName
    name: automountMapName
    lDAPDisplayName: automountMapName
    description: automount Map Name
    attributeSyntax: 2.5.5.5
    oMSyntax: 22
    isSingleValued: TRUE
    systemOnly: FALSE

    dn: CN=automountKey,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: attributeSchema
    attributeID: 1.3.6.1.1.1.1.32
    cn: automountKey
    name: automountKey
    lDAPDisplayName: automountKey
    description: Automount Key value
    attributeSyntax: 2.5.5.5
    oMSyntax: 22
    isSingleValued: TRUE
    systemOnly: FALSE

    dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: attributeSchema
    attributeID: 1.3.6.1.1.1.1.33
    cn: automountInformation
    name: automountInformation
    lDAPDisplayName: automountInformation
    description: Automount information
    attributeSyntax: 2.5.5.5
    oMSyntax: 22
    isSingleValued: TRUE
    systemOnly: FALSE

Here's the ldif for the automount classes:

    dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: classSchema
    governsID: 1.3.6.1.1.1.2.16
    cn: automountMap
    name: automountMap
    lDAPDisplayName: automountMap
    subClassOf: top
    objectClassCategory: 1
    mustContain: automountMapName
    mayContain: description
    mustContain: instanceType
    mustContain: ntSecurityDescriptor
    mustContain: objectCategory
    defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
    defaultHidingValue: TRUE
    systemOnly: FALSE

    dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: classSchema
    governsID: 1.3.6.1.1.1.2.17
    cn: automount
    name: automount
    lDAPDisplayName: automount
    subClassOf: top
    objectClassCategory: 1
    description: Automount information
    mustContain: automountKey
    mustContain: automountInformation
    mayContain: description
    mustContain: instanceType
    mustContain: ntSecurityDescriptor
    mustContain: objectCategory
    defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DOMAIN
    defaultHidingValue: TRUE
    systemOnly: FALSE

These were added to the directory using the following commands:

    ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/01_attr.ldif --option="dsdb:schema update allowed=true"
    ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/02_class.ldif --option="dsdb:schema update allowed=true"

Now here's what I did for the actual records. First I created a new OU tree called Automounts and then three OU's beneath that for Mac, Linux, Homeless. Mac uses auto_master and linux uses auto.master but I prefer to have them in separate branches.

Here's a sample record:

    dn: automountMapName=auto_master,OU=Mac,OU=Automounts,DOMAIN
    objectClass: automountMap
    objectClass: top
    automountMapName: auto_master
    description: Mac OS X Master Autofs map
    ntSecurityDescriptor: O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
    ObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
    instanceType: 4

These couldn't be added with the above string so instead I used the following:

    ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAIN.ldb -U administrator 03_smb_maps.ldif

To understand the ntSecurityDescriptor attribute I had to learn all about SDDL syntax and then by trial and error realize I needed to use hex format. The following links were invaluable.

    http://www.netid.washington.edu/documentation/domains/sddl.aspx
    http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx
    http://www.windowsitpro.com/article/security/defining-an-ad-object-s-default-security-descriptor

Further... this little python snippet helped me remember how to add hex (the constants are the access-mask bit values SDDL uses for an AD object; the two sums give the 0xf01ff and 0x20094 masks used in the descriptor above):

    #!/usr/bin/python
    # Generic rights (top nibble of the mask)
    GA = 0x10000000   # GENERIC_ALL
    GX = 0x20000000   # GENERIC_EXECUTE
    GW = 0x40000000   # GENERIC_WRITE
    GR = 0x80000000   # GENERIC_READ
    # Standard rights (0x10000 - 0x80000)
    SD = 0x00010000   # DELETE
    RC = 0x00020000   # READ_CONTROL
    WD = 0x00040000   # WRITE_DAC
    WO = 0x00080000   # WRITE_OWNER
    # Directory-object specific rights (low 16 bits)
    CC = 0x00000001   # create child
    DC = 0x00000002   # delete child
    LC = 0x00000004   # list children
    SW = 0x00000008   # self write
    RP = 0x00000010   # read property
    WP = 0x00000020   # write property
    DT = 0x00000040   # delete tree
    LO = 0x00000080   # list object
    CR = 0x00000100   # control access (extended rights)
    PERMS = {
        'All Perms ': RC | SD | WD | WO | RP | WP | CC | DC | LC | SW | LO | DT | CR,  # 0xf01ff
        'Read Only ': RP | LC | LO | RC,                                               # 0x20094
    }
    for key, value in PERMS.items():
        print(key, value, hex(value))

I hope this helps others to avoid frustration.

Rob

On Wed, Jan 9, 2013 at 2:23 PM, Robert Moggach r...@dashing.tv wrote:
> I have a little more information about the issues I'm having: When I try to create automountMap or automount objects in the
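To read back what a descriptor like the one in the sample record actually grants, and to whom, here is a small decoder for the O:/G:/D: SDDL form used above. This is an added example, not code from the thread; SAMPLE_SDDL is a copy of the descriptor in the post, and the RIGHTS table is the standard AD access-mask layout.

```python
import re

# Access-mask bits as written in an SDDL ACE on an Active Directory object:
# object-specific rights in the low 16 bits, standard rights at 0x10000-0x80000,
# generic rights in the top nibble.
RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

# Copy of the descriptor from the automountMap record in the post above.
SAMPLE_SDDL = ("O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)"
               "(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)")


def parse_mask(text):
    """Accept the hex form (0xf01ff) or the letter-pair form (RPLCLORC)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]      # unknown pair -> KeyError, fail loudly
    return mask


def decode_mask(mask):
    """Sorted list of right abbreviations set in an access mask."""
    return sorted(name for name, bit in RIGHTS.items() if mask & bit)


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = re.match(r"^O:([^:]+?)G:([^:]+?)D:(.*)$", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, dacl = m.groups()
    dacl = dacl.split("S:")[0]             # drop a trailing SACL if present
    first = dacl.find("(")
    flags = dacl[:first] if first >= 0 else dacl
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, ace_flags, mask, obj_guid, inh_guid, sid = body.split(";")[:6]
        value = parse_mask(mask)
        aces.append({"type": ace_type, "flags": ace_flags, "mask": value,
                     "rights": decode_mask(value), "object": obj_guid,
                     "inherit": inh_guid, "sid": sid})
    return {"owner": owner, "group": group, "dacl_flags": flags, "aces": aces}


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner=%s group=%s" % (sd["owner"], sd["group"]))
    for ace in sd["aces"]:
        print("%s %-50s 0x%05x %s" % (ace["type"], ace["sid"], ace["mask"],
                                      " ".join(ace["rights"])))
```

Run against the sample, it shows the RID-500 account and SYSTEM holding every standard and object right (including WD and WO, so they can rewrite the ACL itself) while Authenticated Users get only LC, LO, RC and RP.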
Re: [Samba] Samba 4 Services for UNIX? [SOLVED]
On Wed, 2013-01-09 at 19:50 -0500, Robert Moggach wrote:
> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAIN.ldb -U administrator 03_smb_maps.ldif

NEVER, EVER DO THIS.

You now have a corrupt database. Please wipe the database, and start again, hopefully from a backup.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Samba 4 Services for UNIX? [SOLVED]
OK. So I now no longer 'CORRUPT' my database. Thanks to Andrew for pointing this out as it didn't seem to have caused problems until I tried to edit attributes.

The following is my latest attempt. Given the errors I was getting were all related to an invalid rdn I moved to change to a schema that was a little more generic and uses OU and CN instead. In hindsight it was the missing rdnAttId that was probably causing this error so you can probably try adding that to the previous schema definition instead. Not sure what's ideal.

The following schema and corresponding data load without issue using the documented ldbmodify command... It's now 3 ldif files... one for the attribute, one for the automountMap class, one for the automount class. It wouldn't do it for me otherwise as it needed to see the preceding attribute or class before being added. Split these into three separate files...

01_autofs_attr.ldif

    dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: attributeSchema
    attributeID: 1.3.6.1.1.1.1.25
    cn: automountInformation
    name: automountInformation
    lDAPDisplayName: automountInformation
    description: Information used by the autofs automounter
    attributeSyntax: 2.5.5.5
    oMSyntax: 22
    isSingleValued: TRUE
    systemOnly: FALSE

02_autofs_map.ldif

    dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: classSchema
    governsID: 1.3.6.1.4.1.2312.4.2.2
    rdnAttId: ou
    cn: automountMap
    name: automountMap
    lDAPDisplayName: automountMap
    subClassOf: top
    objectClassCategory: 1
    mustContain: ou
    defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
    defaultSecurityDescriptor: O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
    defaultHidingValue: TRUE
    systemOnly: FALSE
    systemPossSuperiors: organizationalUnit

03_autofs_mount.ldif

    dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
    objectClass: top
    objectClass: classSchema
    governsID: 1.3.6.1.1.1.1.13
    rdnAttId: cn
    cn: automount
    name: automount
    lDAPDisplayName: automount
    subClassOf: top
    objectClassCategory: 1
    mustContain: cn
    mustContain: automountInformation
    mayContain: description
    defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DOMAIN
    defaultSecurityDescriptor: O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
    defaultHidingValue: TRUE
    systemOnly: FALSE
    systemPossSuperiors: automountMap

Add them as documented in the wiki:

    ldbmodify -H /usr/local/samba/private/sam.ldb /root/01_autofs_attr.ldif
    ...etc...etc...etc

Modify the actual data accordingly to remove automountKey and automountMapName attributes and change as needed. These work for me and I can edit them without issue.

On Wed, Jan 9, 2013 at 7:50 PM, Robert Moggach r...@dashing.tv wrote:
> To get the automount schema to work with the git checkout of samba 4 I had to modify the automount schema files and separate the attributes from the classes. I also discovered that it's required to have the ntSecurityDescriptor, instanceType, and objectCategory attributes. Without these it will crash whenever you try to browse... I did a lot of stopping samba, tarring of /usr/local/samba and untarring to finally get here...
>
> Here's the ldif for the automount attributes I used:
>
>     dn: CN=automountMapName,CN=Schema,CN=Configuration,DOMAIN
>     objectClass: top
>     objectClass: attributeSchema
>     attributeID: 1.3.6.1.1.1.1.31
>     cn: automountMapName
>     name: automountMapName
>     lDAPDisplayName: automountMapName
>     description: automount Map Name
>     attributeSyntax: 2.5.5.5
>     oMSyntax: 22
>     isSingleValued: TRUE
>     systemOnly: FALSE
>
>     dn: CN=automountKey,CN=Schema,CN=Configuration,DOMAIN
>     objectClass: top
>     objectClass: attributeSchema
>     attributeID: 1.3.6.1.1.1.1.32
>     cn: automountKey
>     name: automountKey
>     lDAPDisplayName: automountKey
>     description: Automount Key value
>     attributeSyntax: 2.5.5.5
>     oMSyntax: 22
>     isSingleValued: TRUE
>     systemOnly: FALSE
>
>     dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
>     objectClass: top
>     objectClass: attributeSchema
>     attributeID: 1.3.6.1.1.1.1.33
>     cn: automountInformation
>     name: automountInformation
>     lDAPDisplayName: automountInformation
>     description: Automount information
>     attributeSyntax: 2.5.5.5
>     oMSyntax: 22
>     isSingleValued: TRUE
>     systemOnly: FALSE
>
> Here's the ldif for the automount classes:
>
>     dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
>     objectClass: top
>     objectClass: classSchema
>     governsID: 1.3.6.1.1.1.2.16
>     cn: automountMap
>     name: automountMap
>     lDAPDisplayName: automountMap
>     subClassOf: top
>     objectClassCategory: 1
>     mustContain: automountMapName
>     mayContain: description
>     mustContain: instanceType
>     mustContain: ntSecurityDescriptor
>     mustContain: objectCategory
>     defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
>     defaultHidingValue: TRUE
>     systemOnly: FALSE
>
>     dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
>     objectClass: top
>     objectClass: classSchema
>     governsID:
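The two things that bit this thread, loading a class file before the attribute it references and a class with no rdnAttId (the "Invalid RDN" naming violation), can be caught before touching sam.ldb. The following pre-flight check is an added example, not code from the thread or from Samba: BASE_ATTRS and BASE_CLASSES are my assumption about what a stock AD schema already defines, and the LDIF strings are constructed copies trimmed from the three files above.

```python
# Assumption: these already exist in a stock Samba AD schema and need no definition.
BASE_ATTRS = {"ou", "cn", "description", "instancetype",
              "ntsecuritydescriptor", "objectcategory"}
BASE_CLASSES = {"top", "organizationalunit"}

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lowercase: [values]} records."""
    records, rec, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:            # folded continuation line
            rec[last][-1] += raw[1:]
        elif not raw.strip():                       # blank line ends a record
            if rec:
                records.append(rec)
            rec, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            rec.setdefault(last, []).append(value.strip())
    return records

def check_schema_ldifs(ldif_files):
    """Walk (name, text) pairs in load order and report what ldbmodify would
    reject: a class without rdnAttId, an rdnAttId that is not a required
    attribute, and references to attributes or classes not defined yet."""
    problems, attrs, classes = [], set(BASE_ATTRS), set(BASE_CLASSES)
    for name, text in ldif_files:
        for rec in parse_ldif(text):
            display = rec.get("ldapdisplayname", ["?"])[0]
            kinds = [c.lower() for c in rec.get("objectclass", [])]
            if "attributeschema" in kinds:
                attrs.add(display.lower())
                continue
            if "classschema" not in kinds:
                continue
            must = rec.get("mustcontain", [])
            rdn = rec.get("rdnattid", [])
            if not rdn:
                problems.append("%s: class %s has no rdnAttId" % (name, display))
            elif rdn[0].lower() not in {a.lower() for a in must}:
                problems.append("%s: %s: rdnAttId %s not in mustContain" % (name, display, rdn[0]))
            for attr in must + rec.get("maycontain", []):
                if attr.lower() not in attrs:
                    problems.append("%s: %s: undefined attribute %s" % (name, display, attr))
            for sup in rec.get("subclassof", []) + rec.get("systemposssuperiors", []):
                if sup.lower() not in classes:
                    problems.append("%s: %s: undefined class %s" % (name, display, sup))
            classes.add(display.lower())
    return problems

# Constructed copies of the post's three files, trimmed to the lines the checker reads.
ATTR_LDIF = ("dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN\n"
             "objectClass: attributeSchema\nlDAPDisplayName: automountInformation\n")
MAP_LDIF = ("dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN\n"
            "objectClass: classSchema\nlDAPDisplayName: automountMap\nrdnAttId: ou\n"
            "subClassOf: top\nmustContain: ou\nsystemPossSuperiors: organizationalUnit\n")
MOUNT_LDIF = ("dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN\n"
              "objectClass: classSchema\nlDAPDisplayName: automount\nrdnAttId: cn\n"
              "subClassOf: top\nmustContain: cn\nmustContain: automountInformation\n"
              "mayContain: description\nsystemPossSuperiors: automountMap\n")
# The earlier attempt from the thread: no rdnAttId and named by automountMapName.
OLD_MAP_LDIF = MAP_LDIF.replace("rdnAttId: ou\n", "").replace(
    "mustContain: ou", "mustContain: automountMapName")
```

check_schema_ldifs([("01", ATTR_LDIF), ("02", MAP_LDIF), ("03", MOUNT_LDIF)]) returns an empty list; feeding it OLD_MAP_LDIF, or the files in the wrong order, returns the problems ldbmodify would otherwise surface one at a time.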
Re: [Samba] Samba 4 Services for UNIX?
I've been back and forth with Andrew on this offlist and a few notes to share. I still don't have full success:

*1) How to install the necessary schema etc for UNIX connectivity*

The part I was missing here, which isn't part of the howto, is that to get Windows to see the UNIX attributes (Services for UNIX etc.) you need to have an NIS domain. When provisioning you need to add the following option:

    --use-rfc2307

This will add records to create an NIS domain that the Windows side will recognize, allowing you to change UIDs, GIDs etc. in the GUI. It's all possible with ldbmodify but I wanted to get the GUI working.

*2) How to install/manage UNIX friendly users, groups, etc.*

I found this site which was indispensable in getting back to a familiar place.

    http://linuxcostablanca.blogspot.ca/p/samba-4.html

There are a few places in his howto that I got caught on but in the end I have multiple OSs authenticating against Samba AD DC. It's for OpenSUSE but I had little issue translating for CentOS 6.x.

*3) How to successfully add the automount schema (the wiki doesn't seem to work for me)*

This ISN'T working yet. :( Regardless of how I've tried using ldapadd or ldbadd or ldbmodify I can't get past the following error:

    schema_data_add: we are not master: reject request

This is with "dsdb:schema update allowed = yes" used as an option on the command line and also in the smb.conf, separately and together.

*4) How to add automount maps*

This seems to be an easy task once the schema is added.

    http://phaedrus77.blogspot.com.es/2010/04/samba4-ad-domain-controller-to-serve.html

So if anyone has some insight on the "we are not master" error I'd love it. I'm only running one server so I'm not sure why it's not able to add the records.

Rob
Re: [Samba] Samba 4 Services for UNIX?
yes as far as I can tell I have the SchemaMasterRole

    [root@crawford ~]# samba-tool fsmo show
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
    SchemaMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain

When I try to seize I get the following:

    [root@crawford ~]# samba-tool fsmo seize --role=all
    Attempting transfer...
    FSMO transfer of 'rid' role successful
    ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!

    [root@crawford ~]# samba-tool fsmo seize --role=schema
    Attempting transfer...
    FSMO transfer of 'schema' role successful
    ERROR: Failed to initiate role seize of 'schema' role: objectclass: modify message must have elements/attributes!

On Tue, Jan 8, 2013 at 3:07 PM, Gémes Géza g...@kzsdabas.hu wrote:
> please check with samba-tool fsmo show, that the SchemaMasterRole is held by the DC you are pointing your ldbmodify command at (schema master role is one of the five roles which can be had on only one dc in a domain)
Re: [Samba] Samba 4 Services for UNIX?
I've solved getting the schema into the directory... and I thought I populated my automount maps... but the directory is unbrowseable - Getting closer...

I keep getting the following error:

    *acl_read: cannot get descriptor of automountMap... etc. etc.*

Steps I took...

1) I had changed the Default-First-Site-Name to something more appropriate and changing that back seemed like a good place to start even though fsmo was showing me as the SchemaMaster -

2) At this point I was able to get the schema loaded... almost... ldapadd didn't like attributes and class in the same ldif... and then I had to restart samba to add the class file... ugh... use ldbmodify!

I edited the automount.ldif schema file to be two files - one for the attributes and a second for the classes. I added the schema using the following two commands:

    ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_attr.ldif --option="dsdb:schema update allowed=true"
    ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/autofs_class.ldif --option="dsdb:schema update allowed=true"

4) I then tried to add the automount records with ldbmodify with no luck ...

    ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/03_autofs_maps.ldif
    ...
    Sorting rpmd with attid exception 3 rDN=CN DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
    ERR: (Naming violation) objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for objectclass 'automountMap'! on DN automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at block before line 41
    Modify failed after processing 5 records

Weird... solved that by doing the following, but now I have all kinds of acl_read errors:

    ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb 03_autofs_maps.ldif

ldapsearch gives me the following:

    result: 1 Operations error
    search: 5
    result: 1 Operations error
    text: acl_read: cannot get descriptor of automountMapName=...

weird? how do I add acls?

The following shows the whole directory as expected... but I need ldap to work for autofs!

    ldbsearch -H /usr/local/samba/private/sam.ldb

So can someone tell me how to get acls added for my objects?

Samba version: 4.1.0pre1-GIT-94f11e9
Build environment:
    Build host: Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[Samba] Samba 4 Services for UNIX?
I have a working Samba 4.0.0 AD DC running and am able to manage users etc using the Windows tools. Great.

Now I want to as much as possible eliminate the need for an additional directory service (OpenLDAP and/or Open Directory) if not entirely. I need automount working and Posix users. I believe it's possible to set this up but haven't been able to find any solid documentation - Can someone point me in the right direction?

Specifically I'm looking for:

1) How to install the necessary schema etc for UNIX connectivity
2) How to install/manage UNIX friendly users, groups, etc.
3) How to successfully add the automount schema (the wiki doesn't seem to work for me)
4) How to add automount maps

Thanks!
Rob
Re: [Samba] Samba 4 Services for UNIX?
On Mon, 2013-01-07 at 16:21 -0500, Robert Moggach wrote:
> I have a working Samba 4.0.0 AD DC running and am able to manage users etc using the Windows tools. Great.
>
> Now I want to as much as possible eliminate the need for an additional directory service (OpenLDAP and/or Open Directory) if not entirely. I need automount working and Posix users. I believe it's possible to set this up but haven't been able to find any solid documentation - Can someone point me in the right direction?
>
> Specifically I'm looking for:
>
> 1) How to install the necessary schema etc for UNIX connectivity
> 2) How to install/manage UNIX friendly users, groups, etc.
> 3) How to successfully add the automount schema (the wiki doesn't seem to work for me)
> 4) How to add automount maps

We already include the SFU schema, and users have reported adding the automount schema. You should be able to make this work, but I'll leave it to other users to describe the process in more detail.

See also: https://wiki.samba.org/index.php/Samba4/Schema_extenstions

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org