Good afternoon,
I have this issue: I have followed the instructions in this thread but, when I try to add quota.ldif, I receive this error:

Unable to find attribute quota in the schema
ERR: (Invalid attribute syntax) "objectclass_attrs: attribute 'mayContain' on entry 'CN=systemQuotas,CN=Schema,CN=Configuration,DC=my_domain,DC=it' contains at least one invalid value!" on DN CN=systemQuotas,CN=Schema,CN=Configuration,DC=my_domain,DC=it at block before line 27
Modify failed after processing 1 records

> On 27/12/14 06:26, Greg Zartman wrote:
> > > I've been messing around with disk quotas for users and have seen some who
> > > have extended the Samba 4 AD schema to include a quota attribute. For
> > > example, I found this schema extension here:
> > > http://fossies.org/linux/quota/ldap-scripts/quota.schema
> > >
> > > Is there a common method for doing this?
> >
> > Yes, samba4 comes with a script: oLschema2ldif
> >
> > To use this, you just need to create a file containing the schema on the DC:
> >
> > root at dc01:~# nano quota.schema
> >
> > ##
> > ## schema file for Unix Quotas
> > ## Schema for storing Unix Quotas in LDAP
> > ## OIDs are owned by Cogent Innovators, LLC
> > ##
> > ## 1.3.6.1.4.1.19937.1.1.x - attributetypes
> > ## 1.3.6.1.4.1.19937.1.2.x - objectclasses
> > ##
> >
> > attributetype ( 1.3.6.1.4.1.19937.1.1.1 NAME 'quota'
> >         DESC 'Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)'
> >         EQUALITY caseIgnoreIA5Match
> >         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} )
> >
> > objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas' SUP
> >         posixAccount AUXILIARY
> >         DESC 'System Quotas'
> >         MUST ( uid )
> >         MAY ( quota ))
> >
> > Run this file through oLschema2ldif
> >
> > NOTE: the 'basedn' is your rootdse, -I is where the ldif is and what you
> > called it, -O is where you want the new file to be created and what
> > you want it to be called.
> >
> > root at dc01:~# oLschema2ldif --basedn=DC=example,DC=com -I /root/quota.schema -O /root/quota.ldif
> >
> > OK, first time through, you get an error:
> >
> > Invalid entry objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas'
> > SUP posixAccount AUXILIARY DESC 'System Quotas' MUST ( uid ) MAY
> > ( quota )), closing braces needs to be preceeded by a space
> > Converted 1 records with 1 failures
> >
> > Open the file again and change the last line to this:
> >
> >         MAY ( quota ) )
> >
> > Try again:
> >
> > root at dc01:~# oLschema2ldif --basedn=DC=example,DC=com -I /root/quota.schema -O /root/quota.ldif
> > Converted 2 records with 0 failures
> >
> > If you now open the new .ldif, you will find this:
> >
> > dn: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=com
> > objectClass: top
> > objectClass: attributeSchema
> > attributeID: 1.3.6.1.4.1.19937.1.1.1
> > schemaIdGuid:: s4wz77EabBjOCl35dQG3Yg=
> > cn: quota
> > name: quota
> > lDAPDisplayName: quota
> > description: Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)
> > attributeSyntax: 2.5.5.5
> > oMSyntax: 22
> > isSingleValued: FALSE
> >
> > dn: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com
> > objectClass: top
> > objectClass: classSchema
> > governsID: 1.3.6.1.4.1.19937.1.2.1
> > schemaIdGuid:: TIwbIzyiBNzZEmBeS1XO4A=
> > cn: systemQuotas
> > name: systemQuotas
> > lDAPDisplayName: systemQuotas
> > subClassOf: posixAccount
> > objectClassCategory: 3
> > description: System Quotas
> > mustContain: uid
> > mayContain: quota
> > defaultObjectCategory: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com
> >
> > You would then add this ldif to AD with:
> >
> > ldbmodify -H path_to_sam_ldb /root/quota.ldif --option="dsdb:schema update allowed"=true
> >
> > Note that the objectClass in the above ldif is a subclass of
> > 'posixAccount' and to use it, you will have to add the 'uid' attribute
> > to all users; you do not need to add (and in fact should not) the
> > 'posixAccount' objectClass.
> >
> > Rowland

--
R.T.A. s.r.l.
Daniele Manfredi
IT Manager
Phone: +39.0382.929.855
Fax: +39.0382.929.150
Website: www.rta.it
E-store: www.rta-store.com
Mailto: dmanfredi at rta.it
On 27/01/16 07:49, Daniele Manfredi wrote:
> Good afternoon,
> I have this issue: I have followed the instructions in this thread but, when I try to add quota.ldif, I receive this error:
>
> Unable to find attribute quota in the schema
>
> ERR: (Invalid attribute syntax) "objectclass_attrs: attribute 'mayContain' on entry 'CN=systemQuotas,CN=Schema,CN=Configuration,DC=my_domain,DC=it' contains at least one invalid value!" on DN CN=systemQuotas,CN=Schema,CN=Configuration,DC=my_domain,DC=it at block before line 27
> Modify failed after processing 1 records
>
> [...]

When extending the AD schema, you normally have to add the attributes first, then the objectclasses, i.e. split the ldif in two, one ldif containing the attributes and another containing the objectclasses.

Rowland
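Rowland's fix above is to load the attributeSchema entries before the classSchema entries that reference them. The following is an added example, not code from the thread or from Samba: it reads the ldif that oLschema2ldif wrote (a constructed sample in the shape of the thread's quota.ldif, with a placeholder schemaIdGuid), unfolds LDIF continuation lines, and returns two ldifs to feed to ldbmodify in that order.

```python
# Added example, not Samba or the thread's code: split the ldif written by
# oLschema2ldif into an attributes ldif and a classes ldif, attributes first.
import re

# Constructed input in the shape of the thread's quota.ldif; the schemaIdGuid is a
# placeholder and the class entry is deliberately listed before the attribute.
SAMPLE_LDIF = """\
dn: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
schemaIdGuid:: AAAAAAAAAAAAAAAAAAAAAA==
mustContain: uid
mayContain: quota
defaultObjectCategory: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,D
 C=com

dn: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: quota
attributeSyntax: 2.5.5.5
"""

LINE_RE = re.compile(r"^([A-Za-z][\w-]*)(::?) ?(.*)$")  # attr, ':' or '::' (base64), value

def parse_ldif(text):
    """Entries as lists of (attr, sep, value); a leading space marks an LDIF fold."""
    entries, cur = [], []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith(" ") and cur:
            a, s, v = cur[-1]
            cur[-1] = (a, s, v + raw[1:])       # unfold onto the previous value
        elif not raw.strip():
            if cur:
                entries.append(cur)
            cur = []
        elif not raw.startswith("#"):
            cur.append(LINE_RE.match(raw).groups())
    return entries

def to_ldif(entries):
    return "\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) + "\n" for e in entries)

def split_schema(text):
    """Return (attributes_ldif, classes_ldif) whatever the input order; load the
    first with ldbmodify before the second."""
    attrs, classes = [], []
    for entry in parse_ldif(text):
        kinds = {v.lower() for a, _, v in entry if a.lower() == "objectclass"}
        (attrs if "attributeschema" in kinds else classes).append(entry)
    return to_ldif(attrs), to_ldif(classes)
```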
On 27/01/16 11:21, Daniele Manfredi wrote:
> Thank you Rowland!
> I have done what you suggested and the schema seems to be updated without errors.
> Just another question: now, how can I manage samba users' quota?
> In my old samba 3+LDAP server I am able to edit users' quota as though they were standard unix users as well as samba users.....

You can set your users to be AD and Unix users, but the 'how' depends on where the users' data is stored, on a DC or a Unix domain member.

Rowland
On 27/01/16 14:23, Daniele Manfredi wrote:
> Users are stored on an AD-DC Samba 4 and are only samba users.
> I know how to convert unix users to samba users but I can't do the opposite.
> Is it necessary in order to set quotas?

If the users are stored in AD, they are AD users, i.e. they have a windows SID-RID. If you want to set Unix quotas for data stored on a Unix machine by your AD users, then they must also be Unix users. How you do this depends on the Unix machine: is it the DC or is it a Unix domain member?

Rowland
On 27/01/16 14:56, Daniele Manfredi wrote:
> The Unix machine is the DC (configured to act as an Active Directory)
>
> Daniele

OK, you need to possibly create the libnss links, see here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind

Once this is set up, you should be able to run 'getent passwd <adomainuser>' on the DC and get a result; at this point your AD users are also local Unix users as well.

Rowland