I have a working Samba 4.0.0 AD DC running and am able to manage users etc. using the Windows tools. Great.

Now I want to as much as possible eliminate the need for an additional directory service (OpenLDAP and/or Open Directory) if not entirely. I need automount working and POSIX users. I believe it's possible to set this up but haven't been able to find any solid documentation.

Can someone point me in the right direction? Specifically I'm looking for:

1) How to install the necessary schema etc. for UNIX connectivity
2) How to install/manage UNIX-friendly users, groups, etc.
3) How to successfully add the automount schema (the wiki doesn't seem to work for me)
4) How to add automount maps

Thanks!
Rob
On Mon, 2013-01-07 at 16:21 -0500, Robert Moggach wrote:
> I have a working Samba 4.0.0 AD DC running and am able to manage users etc
> using the Windows tools. Great.
> Now I want to as much as possible eliminate the need for an additional
> directory service (OpenLDAP and/or Open Directory) if not entirely. I need
> automount working and Posix users. I believe it's possible to set this up
> but haven't been able to find any solid documentation -
> Can someone point me in the right direction?
>
> Specifically I'm looking for:
> 1) How to install the necessary schema etc for UNIX connectivity
> 2) How to install/manage UNIX friendly users, groups, etc.
> 3) How to successfully add the automount schema (the wiki doesn't seem to
> work for me)
> 4) How to add automount maps

We already include the SFU schema, and users have reported adding the automount schema. You should be able to make this work, but I'll leave it to other users to describe the process in more detail.

See also: https://wiki.samba.org/index.php/Samba4/Schema_extenstions

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
I've been back and forth with Andrew on this offlist and have a few notes to share. I still don't have full success:

> 1) How to install the necessary schema etc for UNIX connectivity

The part I was missing here, which isn't part of the howto, is that to get Windows to see the UNIX attributes (Services for UNIX etc.) you need to have an NIS domain. When provisioning you need to add the following option:

  --use-rfc2307

This will add records to create an NIS domain that the Windows side will recognize, allowing you to change UIDs, GIDs etc. in the GUI. It's all possible with ldbmodify but I wanted to get the GUI working.

> 2) How to install/manage UNIX friendly users, groups, etc.

I found this site, which was indispensable in getting back to a familiar place:
http://linuxcostablanca.blogspot.ca/p/samba-4.html
There are a few places in his howto that I got caught on, but in the end I have multiple OSs authenticating against the Samba AD DC. It's for OpenSUSE but I had little issue translating for CentOS 6.x.

> 3) How to successfully add the automount schema (the wiki doesn't seem to work for me)

This ISN'T working yet. :( Regardless of how I've tried using ldapadd or ldbadd or ldbmodify I can't get past the following error:

  "schema_data_add: we are not master: reject request"

This is with "dsdb:schema update allowed = yes" used as an option on the command line and also in the smb.conf, separately and together.

> 4) How to add automount maps

This seems to be an easy task once the schema is added:
http://phaedrus77.blogspot.com.es/2010/04/samba4-ad-domain-controller-to-serve.html

So if anyone has some insight on the "we are not master" error I'd love it. I'm only running one server so I'm not sure why it's not able to add the records.

Rob
Yes, as far as I can tell I have the SchemaMasterRole:

[root at crawford ~]# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
RidAllocationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
DomainNamingMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
SchemaMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain

When I try to seize I get the following:

[root at crawford ~]# samba-tool fsmo seize --role=all
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!

[root at crawford ~]# samba-tool fsmo seize --role=schema
Attempting transfer...
FSMO transfer of 'schema' role successful
ERROR: Failed to initiate role seize of 'schema' role: objectclass: modify message must have elements/attributes!

On Tue, Jan 8, 2013 at 3:07 PM, Gémes Géza <geza at kzsdabas.hu> wrote:
> please check with samba-tool fsmo show, that the SchemaMasterRole is held
> by the DC you are pointing your ldbmodify command at (schema master role is
> one of the five roles which can be had on only one dc in a domain)
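A preflight check for the schema-add step discussed in this thread, added here as an example that is not from the thread or from the Samba project: it parses "samba-tool fsmo show" output (the constructed sample below copies the format shown above), confirms the local DC is the SchemaMasterRole owner, and only then runs ldbmodify with the "dsdb:schema update allowed" option. The sam.ldb path and the use of "hostname -s" for the local DC name are assumptions.

```shell
#!/bin/sh
# Refuse to apply a schema LDIF unless this DC holds SchemaMasterRole,
# which is what "schema_data_add: we are not master" checks server-side.

# Constructed sample of "samba-tool fsmo show" output (format as in the thread).
SAMPLE_FSMO='InfrastructureMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
RidAllocationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
SchemaMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain'

# Print the DN that owns SchemaMasterRole, reading fsmo output from stdin.
schema_master_owner() {
    sed -n 's/^SchemaMasterRole owner: //p'
}

# Extract the DC short name, i.e. the CN following "CN=NTDS Settings," in an owner DN.
owner_server_name() {
    printf '%s\n' "$1" | sed -n 's/^CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# Return 0 when DC $2 holds the schema master role according to fsmo output $1.
# AD names are case-insensitive, so both sides are upper-cased before comparing.
is_schema_master() {
    owner=$(printf '%s\n' "$1" | schema_master_owner)
    server=$(owner_server_name "$owner")
    [ "$(printf '%s' "$server" | tr '[:lower:]' '[:upper:]')" = \
      "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# Apply LDIF file $1 to the local sam.ldb only after the role check passes.
# Assumed paths/commands: sam.ldb location and "hostname -s" for the DC name.
apply_schema_ldif() {
    ldif=$1
    me=$(hostname -s)
    fsmo=$(samba-tool fsmo show) || return 1
    if ! is_schema_master "$fsmo" "$me"; then
        echo "refusing: $me is not the SchemaMasterRole owner" >&2
        return 2
    fi
    ldbmodify -H /var/lib/samba/private/sam.ldb \
        --option="dsdb:schema update allowed=yes" "$ldif"
}
```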