Rowland penny
2021-Jan-03 15:19 UTC
[Samba] Verify if Samba AD was provisioned with RFC2037
On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>
> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>> Is there a way to confirm whether a samba AD was
>>> provisioned using RFC2307?
>>
>> All that provisioning with '--use-rfc2307' does is to put
>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' doesn't
>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DC's use
>> uidNumber & gidNumber attributes from AD instead of the xidNumber
>> attributes from idmap.ldb. The second makes the Unix attributes tabs
>> work in ADUC, only problem is, they no longer exist?
>>
>> All of the RFC2307 attributes are in the AD schema by default, even if
>> you provision without '--use-rfc2307'.
>>
>> Rowland
>
> I see. The reason I ask is that I'm trying to use an extended query
> in a pfsense/openvpn setup and the query seems to fail. I'm fairly
> certain I have the query correct (although I could be wrong).
>
> In googling I came across some discussion that RFC2307 can create issues
> with the extended query (https://redmine.pfsense.org/issues/9527)
>

That link seems to refer to IPA, and AD is different. For instance, you cannot rely on the 'posix' objectclasses being in AD (in fact anything that does is, in my opinion, broken); the 'posix' objectclasses are auxiliary objectclasses of Windows objectclasses and as such are not required.

What is your search query and what do you expect the results to be?

Rowland
Marco Shmerykowsky
2021-Jan-03 15:35 UTC
[Samba] Verify if Samba AD was provisioned with RFC2037
On 2021-01-03 10:19 am, Rowland penny via samba wrote:
> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>>
>> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>>> Is there a way to confirm whether a samba AD was
>>>> provisioned using RFC2307?
>>>
>>> All that provisioning with '--use-rfc2307' does is to put
>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join'
>>> doesn't do this) and adds the 'ypServ30.ldif' to AD. The first makes DC's use
>>> uidNumber & gidNumber attributes from AD instead of the xidNumber
>>> attributes from idmap.ldb. The second makes the Unix attributes tabs
>>> work in ADUC, only problem is, they no longer exist?
>>>
>>> All of the RFC2307 attributes are in the AD schema by default, even
>>> if you provision without '--use-rfc2307'.
>>>
>>> Rowland
>>
>> I see. The reason I ask is that I'm trying to use an extended query
>> in a pfsense/openvpn setup and the query seems to fail. I'm fairly
>> certain I have the query correct (although I could be wrong).
>>
>> In googling I came across some discussion that RFC2307 can create
>> issues with the extended query (https://redmine.pfsense.org/issues/9527)
>>
> That link seems to refer to IPA and AD is different, For instance you
> cannot rely on the 'posix' objectclasses being in AD (in fact anything
> that does, is, in my opinion, broken), the 'posix objectclasses are
> auxiliary objectclasses of Windows objectclasses and as such are not
> required.
>
> What is your search query and what do you expect the results to be?

My query is -> memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com

Users who will be allowed access to the VPN are assigned to a security group named "VPN-Users". I then used Softerra's ldapbrowser (www.ldapadministrator.com) to look at one of the users in the group and pulled the syntax for the "memberof" attribute that listed the VPN-Users group.

I would expect the extended query to validate a user who is a member of the VPN-Users group.
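A way to check the two markers Rowland describes (the smb.conf setting and the entries added by ypServ30.ldif) and to run Marco's memberOf query directly on the DC, as an added example that is not from the thread or from Samba itself; the sam.ldb path, the ypServ30 container DN and the DOMAIN_DN value are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two provisioning markers
# Rowland names and runs the OP's memberOf query. Assumes a Samba AD DC with
# testparm and ldbsearch on PATH and the default sam.ldb path; DOMAIN_DN is a
# placeholder to replace with your own base DN.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
DOMAIN_DN="${DOMAIN_DN:-DC=example,DC=com}"        # placeholder
VPN_GROUP_DN="CN=VPN-Users,CN=Users,$DOMAIN_DN"

# Marker 1: 'idmap_ldb:use rfc2307 = yes' in the effective config. Reads
# 'testparm -s' output from stdin; case and spacing are normalised because
# smb.conf booleans may be written as yes, true or 1.
smbconf_uses_rfc2307() {
    tr '[:upper:]' '[:lower:]' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]]*$//' \
      | grep -Eq '^idmap_ldb:use rfc2307=(yes|true|1)$'
}

# Marker 2: the container that ypServ30.ldif creates. The DN is taken from
# Samba's provision LDIF; treat it as an assumption if your tree differs.
ypserv30_present() {
    ldbsearch -H "$SAM_LDB" -s base \
        -b "CN=ypServ30,CN=RpcServices,CN=System,$DOMAIN_DN" dn 2>/dev/null \
      | grep -qi '^dn: CN=ypServ30,'
}

# Pull sAMAccountName values out of LDIF-style search output on stdin.
samaccountnames() {
    sed -n 's/^sAMAccountName: //p' | sort
}

# The OP's extended query. memberOf holds direct membership only, so users
# who reach VPN-Users through a nested group will not be returned.
vpn_users() {
    ldbsearch -H "$SAM_LDB" "(memberOf=$VPN_GROUP_DN)" sAMAccountName \
      | samaccountnames
}

if command -v testparm >/dev/null 2>&1 && command -v ldbsearch >/dev/null 2>&1; then
    if testparm -s 2>/dev/null | smbconf_uses_rfc2307; then
        echo "smb.conf: idmap_ldb:use rfc2307 set (provisioned with --use-rfc2307)"
    else
        echo "smb.conf: idmap_ldb:use rfc2307 not set (joined, or provisioned without it)"
    fi
    ypserv30_present && echo "AD: ypServ30 container present" || echo "AD: ypServ30 container absent"
    echo "Direct members of $VPN_GROUP_DN:"
    vpn_users || echo "(query failed)"
fi
```

If the first marker is absent but the second is present, the DC was most likely joined rather than provisioned, which matches Rowland's note that a join does not write the smb.conf setting.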