Hello,

I start a new thread, because the other one meanwhile drifted far away from what the OP asked. :-)

On 27.08.2013 17:02, Luca Olivetti wrote:
>> If you provisioned your domain with "--use-rfc2307", then in
>> Win7 ADUC you can see the posixAccount (UNIX Attributes) of
>> the users.
>
> I did a classicupgrade, not a provisioning, and I can see the
> unix attributes of the migrated users, the problem is the error
> message when modifying them and the fact that _new_ users don't
> have a "class: posixAccount" in the directory.

I rechecked this. My test environment was provisioned on 4.0.5 with "--use-rfc2307" (I'm sure I did, because without that option, you also don't have the cn=ypServ30,cn=RpcServices,cn=System,... subtree).

And I can confirm that new users don't get the "objectclass:posixAccount" entry. Also newly added groups don't have "objectclass:posixGroup".

The "unix attributes" tab in ADUC (W7) is there and works fine on users. On groups I can set values. But if I re-open this tab again, I get "Unwilling to perform".

Does anybody have an idea on that? Do posixAccount/posixGroup objectClasses have to be there normally?

Regards,
Marc

On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
> Do posixAccount/posixGroup
> objectClasses have to be there normally?

No. With the AD schema, you can use all of rfc2307 without the need for the objectclasses which define them. Just add the attributes.

HTH
Steve

On 29/08/13 20:41, Luca Olivetti wrote:
> On 29/08/13 21:20, Rowland Penny wrote:
>> On 29/08/13 20:17, Luca Olivetti wrote:
>>> On 29/08/13 21:15, Luca Olivetti wrote:
>>>> On 29/08/13 21:02, Rowland Penny wrote:
>>>>
>>>>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
>>>>> Administrator'
>>>> Thank you, that worked *but* we're back to square one: migrated users
>>>> (with the posixAccount class) show up but new users don't.
>>> Oops, sorry, actually it didn't work, I forgot that in the meantime I
>>> changed nsswitch.conf to use ldap instead of nss :-(
>>>
>>> Bye
>> Sorry but I am losing the plot here a bit, I thought because you wanted
>> the keytab, you were now trying to get sssd to work.
> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
> to ldap, so I thought your suggestion was working while it actually
> wasn't (same error with Administrator as with HP$).
>
> Bye

Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS?

Rowland