Andrew Bartlett
2017-Aug-17 08:34 UTC
[Samba] objectclass "posixAccount" missing on new created users
On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> On Thu, 17 Aug 2017 09:39:07 +0200
> gizmo via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > With samba 4.3.11 all created users contained the objectclass
> > "posixAccount". With samba 4.6.7 they don't.
> >
> > We have a NetApp-Storage-Server which exports nfs4-mounts (with
> > kerberos). Yesterday I wanted to change the owner of a directory and
> > "chown" threw an error "invalid argument". It was the newly created
> > user which the NetApp didn't want to accept and caused that error.
> >
> > So the NetApp accepts only users which derive from "posixAccount".
> >
> > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > "ldbsearch .. CN=ypservers,.." returns one record.
> >
> > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > but is this the right way?
>
> No, definitely not, 'posixAccount' is an auxiliary objectclass of
> 'user' and as such never appears in AD. If your NetApp needs
> 'posixAccount' when connecting to AD, then your NetApp is what is
> broken.

Yes, sadly for you Rowland was successful in advancing the argument that
samba-tool should be no more helpful than ADUC when adding users to the
directory, so with more recent versions we no longer add posixAccount as
an auxiliary class.

You can of course add it by modifying the objectClass attribute, it is a
perfectly valid part of the AD schema, just not there by default.

> > 2 more pieces of information about our environment:
> > - User-authentication on all linux-clients is based on sssd.
>
> I am going to stop there, sssd has nothing to do with Samba, go and ask
> on the sssd-users list, or use winbind instead (note: winbind can do
> everything sssd can do).

What the clients use has no direct impact on what the member server (the
NetApp) does, but it is helpful to know as it impacts the chown.

I'm assuming you have a valid posix (via sssd) user here first, but that
the NetApp requires the user to be on the server, not just respecting the
raw UID?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
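The "modify the objectClass attribute" route Andrew describes, written out as an added example (this script is not from the thread or from the Samba project). It assumes a Samba AD DC whose database is /var/lib/samba/private/sam.ldb, a domain DC=example,DC=com and a user CN=alice,CN=Users,DC=example,DC=com; all three are assumptions and can be overridden. Before the ldbmodify it queries the schema for the class's mandatory attributes and prints the user's current objectClass and RFC 2307 attributes, because the DC refuses to add an auxiliary class to an object that lacks one of that class's mandatory attributes, and the uidNumber/gidNumber values, not the class name, are what the NFS server actually maps ownership to.

```shell
#!/bin/sh
# Added example (not from the thread): add the posixAccount auxiliary
# class to an existing user on a Samba AD DC with ldbmodify.
# Assumed (not in the original): the sam.ldb path, the base DN and the
# user DN passed as $1; adjust SAM_DB and BASE_DN for your domain.
set -eu

SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Build the LDIF that appends posixAccount to the object's objectClass
# list. objectClass is multi-valued, so "add" leaves the existing
# top/person/organizationalPerson/user values untouched.
posix_account_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: posixAccount\n' "$1"
}

# Print what the schema requires for posixAccount. If one of the
# mustContain/systemMustContain attributes is missing on the user, the
# DC rejects the modify with an objectClassViolation, so fix that first.
show_posixaccount_schema() {
    ldbsearch -H "$SAM_DB" -b "CN=Schema,CN=Configuration,$BASE_DN" \
        '(lDAPDisplayName=posixAccount)' mustContain systemMustContain mayContain
}

# Print the user's current objectClass values and RFC 2307 attributes;
# these numbers are what the NFS server maps ownership to.
show_user() {
    ldbsearch -H "$SAM_DB" -b "$1" -s base '(objectClass=*)' \
        objectClass uidNumber gidNumber unixHomeDirectory loginShell
}

add_posix_account() {
    posix_account_ldif "$1" | ldbmodify -H "$SAM_DB"
}

# Usage, as root on the DC:
#   sh add_posixaccount.sh "CN=alice,CN=Users,DC=example,DC=com"
if [ "$#" -ge 1 ]; then
    show_posixaccount_schema
    show_user "$1"
    add_posix_account "$1"
    show_user "$1"
fi
```

Run it on the DC itself so ldbmodify writes through the full module stack (schema checks included); the same LDIF can also be fed to ldbmodify with -H ldap://your-dc -U Administrator from elsewhere. Repeat per user, or loop over an ldbsearch for users that already carry uidNumber but lack the class.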
Rowland Penny
2017-Aug-17 08:50 UTC
[Samba] objectclass "posixAccount" missing on new created users
On Thu, 17 Aug 2017 20:34:00 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> > On Thu, 17 Aug 2017 09:39:07 +0200
> > gizmo via samba <samba at lists.samba.org> wrote:
> >
> > > Hello,
> > > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > > With samba 4.3.11 all created users contained the objectclass
> > > "posixAccount". With samba 4.6.7 they don't.
> > >
> > > We have a NetApp-Storage-Server which exports nfs4-mounts (with
> > > kerberos). Yesterday I wanted to change the owner of a directory
> > > and "chown" threw an error "invalid argument". It was the newly
> > > created user which the NetApp didn't want to accept and caused
> > > that error.
> > >
> > > So the NetApp accepts only users which derive from "posixAccount".
> > >
> > > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > > "ldbsearch .. CN=ypservers,.." returns one record.
> > >
> > > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > > but is this the right way?
> >
> > No, definitely not, 'posixAccount' is an auxiliary objectclass of
> > 'user' and as such never appears in AD. If your NetApp needs
> > 'posixAccount' when connecting to AD, then your NetApp is what is
> > broken.
>
> Yes, sadly for you Rowland was successful in advancing the argument
> that samba-tool should be no more helpful than ADUC when adding users
> to the directory, so with more recent versions we no longer add
> posixAccount as an auxiliary class.
>
> You can of course add it by modifying the objectClass attribute, it is
> a perfectly valid part of the AD schema, just not there by default.

Yes Andrew, it is there, but NO windows tools add it and as we actively
encourage the use of ADUC, we shouldn't encourage adding it.

> > > 2 more pieces of information about our environment:
> > > - User-authentication on all linux-clients is based on sssd.
> >
> > I am going to stop there, sssd has nothing to do with Samba, go and
> > ask on the sssd-users list, or use winbind instead (note: winbind
> > can do everything sssd can do).
>
> What the clients use has no direct impact on what the member server
> (the NetApp) does, but it is helpful to know as it impacts the chown.
> I'm assuming you have a valid posix (via sssd) user here first, but
> that the NetApp requires the user to be on the server, not just
> respecting the raw UID?

If you are referring to a user being in /etc/passwd on the NetApp and in
AD, you know this is not allowed, a user can be in /etc/passwd or in AD,
the user cannot be in both.

Rowland
mathias dufresne
2017-Aug-17 10:10 UTC
[Samba] objectclass "posixAccount" missing on new created users
I haven't played much recently with NetApp filers, but as they are
supposed to work well with MS AD I expected you don't really need the
posixAccount objectClass.

So a google search leads me there:
https://kb.netapp.com/support/s/article/ka31A0000008hesQAA/how-to-configure-ldap-on-a-filer-to-connect-to-microsoft-s-active-directory-ldap-implementation?language=en_US

Perhaps it's not what you are looking for, but there are these two
options described in that link which could be helpful:

ldap.nssmap.objectClass.posixAccount User
ldap.nssmap.objectClass.posixGroup Group

2017-08-17 10:50 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 17 Aug 2017 20:34:00 +1200
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> > > On Thu, 17 Aug 2017 09:39:07 +0200
> > > gizmo via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hello,
> > > > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > > > With samba 4.3.11 all created users contained the objectclass
> > > > "posixAccount". With samba 4.6.7 they don't.
> > > >
> > > > We have a NetApp-Storage-Server which exports nfs4-mounts (with
> > > > kerberos). Yesterday I wanted to change the owner of a directory
> > > > and "chown" threw an error "invalid argument". It was the newly
> > > > created user which the NetApp didn't want to accept and caused
> > > > that error.
> > > >
> > > > So the NetApp accepts only users which derive from "posixAccount".
> > > >
> > > > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > > > "ldbsearch .. CN=ypservers,.." returns one record.
> > > >
> > > > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > > > but is this the right way?
> > >
> > > No, definitely not, 'posixAccount' is an auxiliary objectclass of
> > > 'user' and as such never appears in AD. If your NetApp needs
> > > 'posixAccount' when connecting to AD, then your NetApp is what is
> > > broken.
> >
> > Yes, sadly for you Rowland was successful in advancing the argument
> > that samba-tool should be no more helpful than ADUC when adding users
> > to the directory, so with more recent versions we no longer add
> > posixAccount as an auxiliary class.
> >
> > You can of course add it by modifying the objectClass attribute, it is
> > a perfectly valid part of the AD schema, just not there by default.
>
> Yes Andrew, it is there, but NO windows tools add it and as we
> actively encourage the use of ADUC, we shouldn't encourage adding it.
>
> > > > 2 more pieces of information about our environment:
> > > > - User-authentication on all linux-clients is based on sssd.
> > >
> > > I am going to stop there, sssd has nothing to do with Samba, go and
> > > ask on the sssd-users list, or use winbind instead (note: winbind
> > > can do everything sssd can do).
> >
> > What the clients use has no direct impact on what the member server
> > (the NetApp) does, but it is helpful to know as it impacts the chown.
> > I'm assuming you have a valid posix (via sssd) user here first, but
> > that the NetApp requires the user to be on the server, not just
> > respecting the raw UID?
>
> If you are referring to a user being in /etc/passwd on the NetApp and
> in AD, you know this is not allowed, a user can be in /etc/passwd or
> in AD, the user cannot be in both.
>
> Rowland