thom_schu at gmx.de
2017-Aug-17 07:39 UTC
[Samba] objectclass "posixAccount" missing on new created users
Hello,

I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7. With samba 4.3.11 all created users contained the objectclass "posixAccount". With samba 4.6.7 they don't.

We have a NetApp storage server which exports NFSv4 mounts (with Kerberos). Yesterday I wanted to change the owner of a directory and "chown" threw the error "invalid argument". It was the newly created user which the NetApp didn't want to accept and caused that error.

So the NetApp accepts only users which derive from "posixAccount".

The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf. "ldbsearch .. CN=ypservers,.." returns one record.

With "ldbmodify add ..." I can add the objectclass "posixAccount", but is this the right way?

2 more pieces of information about our environment:
- User authentication on all Linux clients is based on sssd.
- Users here have 2 home directories: one comes from a central server and is exported via NFSv3, and another one from our department. When I create a new user, I have to set uidNumber and gidNumber, which I get from the central account, so that the users also have access to the central home directory, which is also mounted on our clients.

Regards
Rowland Penny
2017-Aug-17 08:08 UTC
[Samba] objectclass "posixAccount" missing on new created users
On Thu, 17 Aug 2017 09:39:07 +0200
gizmo via samba <samba at lists.samba.org> wrote:

> Hello,
> I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> With samba 4.3.11 all created users contained the objectclass
> "posixAccount". With samba 4.6.7 they don't.
>
> We have a NetApp storage server which exports NFSv4 mounts (with
> Kerberos). Yesterday I wanted to change the owner of a directory and
> "chown" threw the error "invalid argument". It was the newly created
> user which the NetApp didn't want to accept and caused that error.
>
> So the NetApp accepts only users which derive from "posixAccount".
>
> The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> "ldbsearch .. CN=ypservers,.." returns one record.
>
> With "ldbmodify add ..." I can add the objectclass "posixAccount",
> but is this the right way?

No, definitely not, 'posixAccount' is an auxiliary objectclass of 'user' and as such never appears in AD. If your NetApp needs 'posixAccount' when connecting to AD, then your NetApp is what is broken.

> 2 more pieces of information about our environment:
> - User authentication on all Linux clients is based on sssd.

I am going to stop there, sssd has nothing to do with Samba, go and ask on the sssd-users list, or use winbind instead (note: winbind can do everything sssd can do).

Rowland
Andrew Bartlett
2017-Aug-17 08:34 UTC
[Samba] objectclass "posixAccount" missing on new created users
On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> On Thu, 17 Aug 2017 09:39:07 +0200
> gizmo via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > With samba 4.3.11 all created users contained the objectclass
> > "posixAccount". With samba 4.6.7 they don't.
> >
> > We have a NetApp storage server which exports NFSv4 mounts (with
> > Kerberos). Yesterday I wanted to change the owner of a directory and
> > "chown" threw the error "invalid argument". It was the newly created
> > user which the NetApp didn't want to accept and caused that error.
> >
> > So the NetApp accepts only users which derive from "posixAccount".
> >
> > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > "ldbsearch .. CN=ypservers,.." returns one record.
> >
> > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > but is this the right way?
>
> No, definitely not, 'posixAccount' is an auxiliary objectclass of
> 'user' and as such never appears in AD. If your NetApp needs
> 'posixAccount' when connecting to AD, then your NetApp is what is
> broken.

Yes, sadly for you Rowland was successful in advancing the argument that samba-tool should be no more helpful than ADUC when adding users to the directory, so with more recent versions we no longer add posixAccount as an auxiliary class. You can of course add it by modifying the objectClass attribute; it is a perfectly valid part of the AD schema, just not there by default.

> > 2 more pieces of information about our environment:
> > - User authentication on all Linux clients is based on sssd.
>
> I am going to stop there, sssd has nothing to do with Samba, go and ask
> on the sssd-users list, or use winbind instead (note: winbind can do
> everything sssd can do).

What the clients use has no direct impact on what the member server (the NetApp) does, but it is helpful to know as it impacts the chown.

I'm assuming you have a valid posix (via sssd) user here first, but that the NetApp requires the user to be on the server, not just respecting the raw UID?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
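As an added worked example for the "ldbmodify add ..." question above and Andrew's answer that the class can be added by modifying the objectClass attribute (this is editor-supplied helper code, not part of Samba or of anything posted in the thread): the script below reads the LDIF that ldbsearch prints, picks out the user objects that already carry uidNumber and gidNumber but lack posixAccount, and emits the corresponding `changetype: modify` records for ldbmodify. The sample LDIF inside it is constructed, not captured from a real DC; the sam.ldb path in the usage comment is an assumption and differs between packages, and it has to be run as root on the DC. Take a backup of the DC before applying the output, and note that the modification is only warranted because the NetApp insists on the class; Samba and winbind do not need it.

```python
"""Find AD user objects that carry uidNumber/gidNumber but lack the
posixAccount auxiliary objectClass, and emit ldbmodify input to add it.

Hypothetical helper written for this thread; it is not part of Samba.
Feed it the LDIF that ldbsearch prints and pipe its output into ldbmodify.
"""
import sys
from typing import Dict, Iterator, List

# Constructed sample of ldbsearch output (not captured from a real DC).
# alice already has posixAccount, bob has POSIX IDs but no posixAccount,
# carol has neither (a plain AD user without POSIX IDs at all).
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
uidNumber: 10002
gidNumber: 10000

# record 3
dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

# returned 3 records
"""


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield one {attribute: [values]} dict per LDIF record.

    Folded continuation lines (leading space) are joined, '#' comments are
    skipped, and a base64 value ('attr:: ...') is kept as its raw base64
    text, which is fine here because objectClass, uidNumber and gidNumber
    are always printed in plain form.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    record: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        record.setdefault(attr.strip(), []).append(value.lstrip(": ").rstrip())
    if record:
        yield record


def needs_posix_account(rec: Dict[str, List[str]]) -> bool:
    """True for a 'user' object with uidNumber and gidNumber set whose
    objectClass list lacks posixAccount (the case the NetApp rejects)."""
    classes = {c.lower() for c in rec.get("objectClass", [])}
    if "user" not in classes or "posixaccount" in classes:
        return False
    return bool(rec.get("uidNumber")) and bool(rec.get("gidNumber"))


def find_missing(text: str) -> List[str]:
    """Return the DNs in the given ldbsearch output that need the class."""
    return [rec["dn"][0] for rec in parse_ldif(text) if needs_posix_account(rec)]


def modify_ldif(dns: List[str]) -> str:
    """Build LDIF 'changetype: modify' records that add the auxiliary
    class; the trailing '-' closes each modification group."""
    records = []
    for dn in dns:
        records.append(
            "dn: %s\nchangetype: modify\nadd: objectClass\n"
            "objectClass: posixAccount\n-\n" % dn
        )
    return "\n".join(records)


if __name__ == "__main__":
    # '--demo' runs against the constructed sample; otherwise read ldbsearch
    # output from stdin. Assumed invocation on the DC (path is a guess):
    #   ldbsearch -H /var/lib/samba/private/sam.ldb \
    #     '(&(objectClass=user)(uidNumber=*))' objectClass uidNumber gidNumber \
    #   | python3 add_posixaccount.py | ldbmodify -H /var/lib/samba/private/sam.ldb
    source = SAMPLE_LDIF if "--demo" in sys.argv[1:] else sys.stdin.read()
    sys.stdout.write(modify_ldif(find_missing(source)))
```

Running it with `--demo` prints a single modify record for bob; alice is skipped because she already has the class and carol because she has no POSIX IDs to begin with, so the change only touches accounts that were given a uidNumber/gidNumber the way the original post describes. Re-running the ldbsearch afterwards should show `objectClass: posixAccount` on the patched entries.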