Hello,

I am migrating an ancient Windows 2003 SBS to Samba using Zentyal (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official repo). Everything seems to be working properly.

After migration I have detected that many users have elements missing in LDAP, like "uidNumber", "gidNumber", "lastLogon" or "userAccountControl":

---

ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s sub '(&(objectSid=S-1-5-21-***-***-***-1392))'

[...]

# record 1
dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: User1
sn: Surname
givenName: User1
displayName: User1 Surname
name: User1 Surname
objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
codePage: 0
countryCode: 0
primaryGroupID: 513
objectSid: S-1-5-21-***-***-***-1392
sAMAccountName: user1
sAMAccountType: 805306368
userPrincipalName: user1 at domain.company.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
msDS-SupportedEncryptionTypes: 0
distinguishedName: CN=User1 Surname,OU=VAlameda,DC=domain,DC=company,DC=local

[...]

---

All users in this domain existed before migrating from Windows 2003. I have created a new user and it does not have those elements in LDAP. Some other users do have those elements in LDAP. All of them can log in to a Windows domain joined computer.

- In this scenario, should they exist for every user? (as they do in other domains I have migrated/created)

- Should I create them? How?

- Are they created automatically by Samba? When?

Thanks a lot in advance.

Victor.

Hi -

In order for this to work, you need to provision your domain with RFC2307 extensions:

# samba-tool domain provision --use-rfc2307 --interactive

If you didn't have "--use-rfc2307" we need look no further.

On 11/29/21 08:40, Victor Rodriguez via samba wrote:
> Hello,
>
> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
> repo). Everything seems to be working properly.
>
> After migration I have detected that many users have elements missing in
> LDAP, like "uidNumber", "gidNumber", "lastLogon" or "userAccountControl":
>
> ---
>
> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
>
> [...]
>
> # record 1
> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: User1
> sn: Surname
> givenName: User1
> displayName: User1 Surname
> name: User1 Surname
> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
> codePage: 0
> countryCode: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-***-***-***-1392
> sAMAccountName: user1
> sAMAccountType: 805306368
> userPrincipalName: user1 at domain.company.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
> msDS-SupportedEncryptionTypes: 0
> distinguishedName: CN=User1 Surname,OU=VAlameda,DC=domain,DC=company,DC=local
>
> [...]
>
> ---
>
> All users in this domain existed before migrating from Windows 2003. I
> have created a new user and it does not have those elements in LDAP.
> Some other users do have those elements in LDAP. All of them can log in
> to a Windows domain joined computer.
>
> - In this scenario, should they exist for every user? (as they do in
> other domains I have migrated/created)
>
> - Should I create them? How?
>
> - Are they created automatically by Samba? When?
>
> Thanks a lot in advance.
>
> Victor.

On Mon, 2021-11-29 at 15:40 +0100, Victor Rodriguez via samba wrote:
> Hello,
>
> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
> repo). Everything seems to be working properly.
>
> After migration I have detected that many users have elements missing in
> LDAP, like "uidNumber", "gidNumber", "lastLogon" or "userAccountControl":

Did they have them before the 'migration'? How did you 'migrate' the domain?

I can understand the first two being missing, but not the last two.

> ---
>
> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
>
> [...]
>
> # record 1
> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: User1
> sn: Surname
> givenName: User1
> displayName: User1 Surname
> name: User1 Surname
> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
> codePage: 0
> countryCode: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-***-***-***-1392
> sAMAccountName: user1
> sAMAccountType: 805306368
> userPrincipalName: user1 at domain.company.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
> msDS-SupportedEncryptionTypes: 0
> distinguishedName: CN=User1 Surname,OU=VAlameda,DC=domain,DC=company,DC=local
>
> [...]
>
> ---
>
> All users in this domain existed before migrating from Windows 2003. I
> have created a new user and it does not have those elements in LDAP.

You have to add the rfc2307 attributes yourself (how are you creating new users?), but you should get the other two.

> Some other users do have those elements in LDAP. All of them can log in
> to a Windows domain joined computer.
>
> - In this scenario, should they exist for every user? (as they do in
> other domains I have migrated/created)

Possibly, but as I said you have to choose to add the rfc2307 attributes.

> - Should I create them?

If you need RFC2307 attributes, then yes.

> How?

samba-tool for the RFC2307 attributes, the other two should be created for you.

Rowland

On Mon, 2021-11-29 at 15:40 +0100, Victor Rodriguez via samba wrote:
> Hello,
>
> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
> repo). Everything seems to be working properly.

What is the history of this domain? Does this go back to NT4?

> After migration I have detected that many users have elements missing in
> LDAP, like "uidNumber", "gidNumber", "lastLogon" or "userAccountControl":

uidNumber and gidNumber are not normally populated by Windows (neither by Samba but often set manually), lastLogon is not replicated but userAccountControl should certainly be set.

> - In this scenario, should they exist for every user? (as they do in
> other domains I have migrated/created)
>
> - Should I create them? How?
>
> - Are they created automatically by Samba? When?

userAccountControl is created when a user is created. lastLogon when a user logs on to this DC.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
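
An added example, not part of the thread and not Samba's own code: a small audit that parses ldbsearch LDIF output and grades each missing attribute the way the replies above do (userAccountControl should always exist, lastLogon is per-DC, uidNumber/gidNumber are RFC2307 attributes that have to be added deliberately). The function names, severity labels and sample records are assumptions constructed for illustration.

```python
# Severity per attribute, following the replies in this thread.
EXPECTED = {
    "userAccountControl": "error: set at user creation, should always exist",
    "lastLogon": "info: not replicated, set when the user logs on to this DC",
    "uidNumber": "info: RFC2307, must be added explicitly",
    "gidNumber": "info: RFC2307, must be added explicitly",
}

def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per record; base64 values stay encoded."""
    records, current = [], {}
    # LDIF folds long lines as "\n " + continuation; unfold before splitting.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():              # blank line (or final "") ends a record
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:   # skip "# record N"
            attr, _, value = line.partition(":")
            current.setdefault(attr.lower(), []).append(value.lstrip(": "))
    return records

def audit(text):
    """Map each user DN to findings for the attributes it lacks."""
    report = {}
    for rec in parse_ldif(text):
        if "dn" in rec and "user" in rec.get("objectclass", []):
            report[rec["dn"][0]] = [f"{a}: {note}" for a, note in EXPECTED.items()
                                    if a.lower() not in rec]
    return report

# Constructed sample in ldbsearch output format (not data from the thread).
SAMPLE = """# record 1
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=example,DC=test

# record 2
dn: CN=Bob Example,OU=Staff,DC=example,DC=test
objectClass: user
userAccountControl: 512
uidNumber: 10001
gidNumber: 10000
"""

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE).items():
        print(dn, findings or "ok")
```

To audit a real domain, pass the text output of an ldbsearch query like the one in the original post to audit(); only a missing userAccountControl is graded as an error.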