Re: [Samba] Samba 4 Services for UNIX? [SOLVED]

2013-01-09 Thread Robert Moggach
To get the automount schema to work with the git checkout of Samba 4 I had
to modify the automount schema files and separate the attributes from the
classes. I also discovered that it's required to have the
ntSecurityDescriptor, instanceType, and objectCategory attributes. Without
these it will crash whenever you try to browse... I did a lot of stopping
samba, tarring of /usr/local/samba and untarring to finally get here...

Here's the ldif for the automount attributes I used:

dn: CN=automountMapName,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountKey,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

Here's the ldif for the automount classes:

dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: automountMapName
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
defaultHidingValue: TRUE
systemOnly: FALSE

dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DOMAIN
defaultHidingValue: TRUE
systemOnly: FALSE

These were added to the directory using the following commands:

ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/01_attr.ldif --option="dsdb:schema update allowed=true"
ldbmodify -H /usr/local/samba/private/sam.ldb /root/SAMBA4/automount/02_class.ldif --option="dsdb:schema update allowed=true"

Now here's what I did for the actual records. First I created a new OU
tree called Automounts and then three OUs beneath that for Mac, Linux,
Homeless. Mac uses auto_master and Linux uses auto.master, but I prefer to
have them in separate branches.

Here's a sample record:

dn: automountMapName=auto_master,OU=Mac,OU=Automounts,DOMAIN
objectClass: automountMap
objectClass: top
automountMapName: auto_master
description: Mac OS X Master Autofs map
ntSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
ObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
instanceType: 4


These couldn't be added with the above string so instead I used the
following:

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAIN.ldb -U administrator 03_smb_maps.ldif

To understand the ntSecurityDescriptor attribute I had to learn all about
SDDL syntax and then by trial and error realize I needed to use hex format.
The following links were invaluable.

http://www.netid.washington.edu/documentation/domains/sddl.aspx
http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx
http://www.windowsitpro.com/article/security/defining-an-ad-object-s-default-security-descriptor

Further... this little Python snippet helped me remember how to add hex


#!/usr/bin/python

# Access-mask bits as used in the rights field of an SDDL ACE.
# Generic rights (high nibble)
GA = 0x10000000  # GENERIC_ALL
GR = 0x80000000  # GENERIC_READ
GW = 0x40000000  # GENERIC_WRITE
GX = 0x20000000  # GENERIC_EXECUTE
# Standard rights (bits 16-19)
RC = 0x00020000  # READ_CONTROL
SD = 0x00010000  # DELETE
WD = 0x00040000  # WRITE_DAC
WO = 0x00080000  # WRITE_OWNER
# Directory-service object rights (low bits)
RP = 0x0010  # read property
WP = 0x0020  # write property
CC = 0x0001  # create child
DC = 0x0002  # delete child
LC = 0x0004  # list children
SW = 0x0008  # self write
LO = 0x0080  # list object
DT = 0x0040  # delete tree
CR = 0x0100  # control access

PERMS = {
    'All Perms ': RC+SD+WD+WO+RP+WP+CC+DC+LC+SW+LO+DT+CR,  # 0xf01ff, as in the ACEs above
    'Read Only ': RP+LC+LO+RC,                             # 0x20094, as in the AU ACE above
}

for key, value in PERMS.items():
    print(key, value, hex(value))


I hope this helps others to avoid frustration.

Rob




On Wed, Jan 9, 2013 at 2:23 PM, Robert Moggach r...@dashing.tv wrote:

 I have a little more information about the issues I'm having:

 When I try to create automountMap or automount objects in the 
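As an added example (not code from Robert's post or from Samba), the following Python 3 script does the reverse of the snippet in the post above: it parses the DACL of an SDDL string such as the one in the sample automountMap record, decodes each ACE's hex access mask back into the two-letter AD right names, and reports any bits it does not recognise, so an administrator can check what a descriptor actually grants before writing it into sam.ldb. The bit values are the standard Windows/AD access-mask constants; the SID alias table covers only the aliases used in this thread; the function names and the rights-field parser are my own.

```python
#!/usr/bin/env python3
"""Decode and compose AD access masks found in SDDL ACEs.

Added example, not code from the samba mailing-list thread or from Samba.
Bit values are the standard Windows/AD access-mask constants; the sample
descriptor below is the one from Robert's automountMap record.
"""
import re

# Directory-service object rights (low 16 bits of the mask).
DS_RIGHTS = {
    "CC": 0x0001,  # create child
    "DC": 0x0002,  # delete child
    "LC": 0x0004,  # list children
    "SW": 0x0008,  # self write
    "RP": 0x0010,  # read property
    "WP": 0x0020,  # write property
    "DT": 0x0040,  # delete tree
    "LO": 0x0080,  # list object
    "CR": 0x0100,  # control access (extended right)
}
# Standard rights (bits 16-19).
STANDARD_RIGHTS = {
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
}
# Generic rights (top nibble); AD maps them onto specific rights when stored.
GENERIC_RIGHTS = {
    "GA": 0x10000000,
    "GX": 0x20000000,
    "GW": 0x40000000,
    "GR": 0x80000000,
}
ALL_RIGHTS = {**DS_RIGHTS, **STANDARD_RIGHTS, **GENERIC_RIGHTS}

# Only the well-known SID aliases that appear in this thread.
SID_ALIASES = {"BA": "Builtin Administrators", "SY": "Local System",
               "AU": "Authenticated Users"}

# Descriptor taken from the sample record in the thread (a page value, not constructed).
SAMPLE_SDDL = ("O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)"
               "(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)")

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);"
    r"(?P<objguid>[^;]*);(?P<inhguid>[^;]*);(?P<sid>[^)]+)\)")


def compose_mask(names):
    """OR together the bits for a list of two-letter right names."""
    mask = 0
    for name in names:
        if name not in ALL_RIGHTS:
            raise ValueError("unknown AD right: %s" % name)
        mask |= ALL_RIGHTS[name]
    return mask


def decode_mask(mask):
    """Return (right names present in mask, bits not covered by any known right)."""
    names = [name for name, bit in ALL_RIGHTS.items() if mask & bit]
    return names, mask & ~compose_mask(names)


def parse_rights_field(field):
    """SDDL rights are either a hex mask ('0xf01ff') or packed names ('RPLCLORC')."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return compose_mask([field[i:i + 2] for i in range(0, len(field), 2)])


def parse_dacl(sddl):
    """Return one dict per ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop a trailing SACL, if any
    aces = []
    for m in ACE_RE.finditer(dacl):
        mask = parse_rights_field(m.group("rights"))
        names, leftover = decode_mask(mask)
        aces.append({
            "type": m.group("type"),  # A = allow, D = deny, OA/OD = object-specific
            "trustee": SID_ALIASES.get(m.group("sid"), m.group("sid")),
            "mask": mask,
            "rights": names,
            "unknown_bits": leftover,
        })
    return aces


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        extra = " (unknown bits %#x)" % ace["unknown_bits"] if ace["unknown_bits"] else ""
        print("%-2s %-22s %#08x %s%s" % (ace["type"], ace["trustee"], ace["mask"],
                                        "".join(ace["rights"]), extra))
```

Run against the sample descriptor, the two 0xf01ff ACEs decode to all thirteen specific and standard rights (everything the "All Perms" line in the snippet above adds up) and the 0x20094 ACE for Authenticated Users decodes to RP, LC, LO and RC with no leftover bits; any non-zero `unknown_bits` value means the mask contains bits outside the known AD rights and deserves a second look before the record is loaded.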

Re: [Samba] Samba 4 Services for UNIX? [SOLVED]

2013-01-09 Thread Andrew Bartlett
On Wed, 2013-01-09 at 19:50 -0500, Robert Moggach wrote:
 
 
 ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAIN.ldb -U administrator 03_smb_maps.ldif

NEVER, EVER DO THIS.

You now have a corrupt database.  Please wipe the database, and start
again, hopefully from a backup.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4 Services for UNIX? [SOLVED]

2013-01-09 Thread Robert Moggach
OK. So I now no longer 'CORRUPT' my database. Thanks to Andrew for pointing
this out, as it didn't seem to have caused problems until I tried to edit
attributes.

The following is my latest attempt. Since the errors I was getting were all
related to an invalid RDN, I changed to a schema that is a little more
generic and uses OU and CN instead. In hindsight it was the missing
rdnAttId that was probably causing this error, so you can probably try
adding that to the previous schema definition instead. Not sure what's
ideal.

The following schema and corresponding data load without issue using the
documented ldbmodify command...

It's now 3 ldif files... one for the attribute, one for the automountMap
class, one for the automount class. It wouldn't do it for me otherwise as
it needed to see the preceding attribute or class before being added.

Split these into three separate files...

01_autofs_attr.ldif

dn: CN=automountInformation,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.25
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Information used by the autofs automounter
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

02_autofs_map.ldif

dn: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.2312.4.2.2
rdnAttId: ou
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: ou
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DOMAIN
defaultSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: organizationalUnit

03_autofs_mount.ldif

dn: CN=automount,CN=Schema,CN=Configuration,DOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.1.13
rdnAttId: cn
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
mustContain: cn
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DOMAIN
defaultSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: automountMap


Add them as documented in the wiki

ldbmodify -H /usr/local/samba/private/sam.ldb /root/01_autofs_attr.ldif
...etc...etc...etc

Modify the actual data accordingly to remove automountKey and
automountMapName attributes and change as needed.
These work for me and I can edit them without issue.



On Wed, Jan 9, 2013 at 7:50 PM, Robert Moggach r...@dashing.tv wrote:
