Thomas Harold
2013-Sep-27 09:22 UTC
[Samba] Adding RFC2307 attributes to an existing Win2003 AD domain?
Running Samba 4.0.9, we have added a pair of Samba4 domain controllers to an existing Win2003 domain. How do we determine whether RFC2307 attributes already exist in the domain? And how would we go about adding them to an already existing domain?
steve
2013-Sep-27 09:40 UTC
[Samba] Adding RFC2307 attributes to an existing Win2003 AD domain?
On Fri, 2013-09-27 at 05:22 -0400, Thomas Harold wrote:
> Running Samba 4.0.9, we have added a pair of Samba4 domain controllers
> to an existing Win2003 domain.
>
> How do we determine whether RFC2307 attributes already exist in the
> domain? And how would we go about adding them to an already existing
> domain?

To check whether a user has rfc2307 run:

getent passwd username

To check 100% he hasn't, use ldbsearch and look for uidNumber, gidNumber attributes.

To add them if they're not there, e.g. use wbinfo to get the numbers:

wbinfo -i steve2
HH3\steve2:*:3000021:20513::/home/HH3/steve2:/bin/false

Now add:

uidNumber: 3000021
gidNumber: 20513

to steve2 in the directory. An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify.

You can add the whole of the rfc2307 user and group attributes using the schema that comes with Samba4.

HTH
Steve
Jonathan Buzzard
2013-Sep-27 14:45 UTC
[Samba] Adding RFC2307 attributes to an existing Win2003 AD domain?
On Fri, 2013-09-27 at 05:22 -0400, Thomas Harold wrote:
> Running Samba 4.0.9, we have added a pair of Samba4 domain controllers
> to an existing Win2003 domain.
>
> How do we determine whether RFC2307 attributes already exist in the
> domain? And how would we go about adding them to an already existing
> domain?

If you have genuinely got a 2003 domain then by default rfc2307 attributes don't exist because they will not be in the schema. If your Windows controllers however are actually 2003R2 then the process of upgrading your domain to the R2 version introduced the rfc2307 schema extension whether you liked it or not.

Some links that cover this:

http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

Assuming it is really a 2003R2 domain then you need to populate the rfc2307 attributes in the directory, as by default they are not populated. You can populate the entries in a variety of ways; probably the simplest is to generate an ldif of the following form for every user and load it into the domain.

dn: CN=joeblogs,OU=users,DC=ds,DC=mycorp,DC=com
uid: joeblogs
msSFU30Name: joeblogs
msSFU30NisDomain: ds
uidNumber: 5252
gidNumber: 8000
unixHomeDirectory: /home/joeblogs
loginShell: /bin/bash

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
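The "script plus ldbmodify" route Steve mentions, combined with Jonathan's LDIF approach, as an added example that is not from either poster: it reads ldbsearch output to find accounts that already carry uidNumber, then turns `wbinfo -i` lines for the remaining accounts into LDIF modify entries. The ldbsearch and wbinfo samples are constructed, and the CN=Users container and the base DN are assumptions to be replaced with the real values from your directory.

```python
# Added example (not from the thread): find accounts that still lack
# uidNumber in ldbsearch output, then build ldbmodify LDIF from `wbinfo -i`.

# Constructed ldbsearch output: joeblogs already has uidNumber, steve2 does not.
LDBSEARCH_SAMPLE = """# record 1
dn: CN=joeblogs,CN=Users,DC=ds,DC=mycorp,DC=com
sAMAccountName: joeblogs
uidNumber: 5252

# record 2
dn: CN=steve2,CN=Users,DC=ds,DC=mycorp,DC=com
sAMAccountName: steve2
"""

# Constructed `wbinfo -i` output (passwd format, DOMAIN\user).
WBINFO_SAMPLE = """HH3\\steve2:*:3000021:20513::/home/HH3/steve2:/bin/false
HH3\\joeblogs:*:3000022:20513::/home/HH3/joeblogs:/bin/false
"""


def accounts_with_uidnumber(ldif_text):
    """sAMAccountNames whose ldbsearch record already carries uidNumber."""
    found = set()
    for record in ldif_text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "uidNumber" in attrs and "sAMAccountName" in attrs:
            found.add(attrs["sAMAccountName"])
    return found


def parse_wbinfo(text):
    """Yield (user, uid, gid) from passwd-style wbinfo lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:  # ignore anything that is not a passwd record
            yield fields[0].split("\\")[-1], int(fields[2]), int(fields[3])


def build_ldif(wbinfo_text, already_done, container="CN=Users",
               base_dn="DC=ds,DC=mycorp,DC=com"):
    """LDIF modify entries adding uidNumber/gidNumber for accounts not yet done.
    container/base_dn are assumptions; confirm the real DNs with ldbsearch."""
    entries = []
    for user, uid, gid in parse_wbinfo(wbinfo_text):
        if user in already_done:
            continue  # never add a second uidNumber to an account
        entries.append(f"dn: CN={user},{container},{base_dn}\nchangetype: modify\n"
                       f"add: uidNumber\nuidNumber: {uid}\n-\n"
                       f"add: gidNumber\ngidNumber: {gid}\n-\n")
    return "\n".join(entries)  # save to a file and load it with ldbmodify
```

Feed the real `wbinfo -i` output and an ldbsearch dump of your users through these two functions, review the LDIF, then load it with ldbmodify against sam.ldb on a DC.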