samba - Dec 2017 - ADUC missing msNPAllowDialin and need vpn advice for ad setup.

Readin : https://wiki.samba.org/index.php/Samba_AD_schema_extensions 

Is it an option to make an ldiff for the  msNPAllowDialin  and others on that
Dail-in Tab.
Im looking at the automount example. 
Hints tips? 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> L.P.H. van Belle via samba
> Verzonden: donderdag 14 december 2017 13:44
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] ADUC missing msNPAllowDialin and need 
> vpn advice for ad setup.
> 
> Hai Roy, 
> 
> Thanks for the reply. 
> 
> The first link, i've tried that already. 
> In these steps: 
> 1.Open ADUC or dsa.msc.
> 2.Go to View and check option for Advanced Features.
> 3.Right-click the user account and go to the Attribute Editor tab.
> 4.Locate and select the msNPAllowDialin attribute.
> 5.Select edit and change the value to the desired value
> 
> Im missing msNPAllowDailin. 
> 
> Tried that from a Win 7, samba domain joined, nothing.
> Tried that from a Win 2008R2, Not samba domain joined, again nothing. 
> 
> After adding the Dail-in tab enable on my management pc 
> (win7) im getting:
> Dail-in Page error: 
>  Could not load the Dail-in profile for this user because: 
> undefined errror.  
> 
> And this is on every user. 
> 
> The second link, i've also tried that also, but tried also 
> some extra things. 
> Now the following happens, i used workaround 2. 
> 
> From the win2008R2, accessing its own, the win2008R2 AD, 
> Dail-in tab is there, and everything looks ok. 
> Now i connect to the Samba AD, Dail-in tab is gone, but no errors. 
> Now i connect from my Win7 ( with the from 2008R2 added files 
> to enable the dailin tab, error:
>  Could not load the Dail-in profile for this user because: 
> undefined errror.  
> 
> Rowland, do you know a way to validate my AD against 
> /usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
> Im really not crazy, ;-) maybe sometimes a bit, but not now ;-) 
> Or a nifty search/edit, this is one i cant figure out. 
> 
> I suspect this is a left over from an AD error about 2 years ago. 
> samba-tool fixed that but i think this is a left over, just 
> not sure about it. 
> 
> So anyone any other tips? 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Roy 
> > Eastwood via samba
> > Verzonden: donderdag 14 december 2017 13:13
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] ADUC missing msNPAllowDialin and need 
> > vpn advice for ad setup.
> > 
> > Louis,
> > Take a look here:
> > https://windowsexplored.com/2012/10/23/installing-active-direc
> tory-and-all-those-other-little-tabs-in-windows-7-you-know-the
> -> ones-you-used-to-have-in-windows-xp/
> > 
> > At the bottom of the page it tells you how to set the 
> > msNPAllowDialin attribute using Advanced  Features of ADUC 
> > and the Attribute Editor tab despite the missing Dial-In tab.
> > 
> > If you want to restore the Dial-In tab, the Microsoft have a 
> > workaround: 
> > https://support.microsoft.com/en-us/help/975448/the-dial-in-ta
> > b-is-not-available-in-the-active-directory-users-and-com  
> > 
> > But you need access to a Windows Server 2008, which you may 
> > not have available.
> > 
> > HTH,
> > 
> > Roy
> > 
> > > -----Original Message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On 
> > Behalf Of Rowland
> > > Penny via samba
> > > Sent: 14 December 2017 11:38
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] ADUC missing msNPAllowDialin and need 
> > vpn advice for ad
> > > setup.
> > > 
> > > On Thu, 14 Dec 2017 12:23:43 +0100
> > > "L.P.H. van Belle via samba" <samba at
lists.samba.org> wrote:
> > > 
> > > > Hai Rowland,
> > > >
> > > >
> > > > Even that msNPAllowDialin is a standard attribute, its 
> > not in my AD
> > > > anymore, at least not within the users fields. I think in 
> > time this
> > > > disapert wil fixing things.. This setup is running and 
> > upgraded as of
> > > > samba 4.1. but thank for that info, reading that after my
lunch.
> > > >
> > > > If i have more questions, i'll mail again.
> > > > Thanks!
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > 
> > > Go and have a look in:
> > >  
> /usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
> > > 
> > > Rowland
> > > 
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Thu, 14 Dec 2017 13:52:29 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> Readin : https://wiki.samba.org/index.php/Samba_AD_schema_extensions 
> 
> Is it an option to make an ldiff for the  msNPAllowDialin  and others
> on that Dail-in Tab. Im looking at the automount example. 
> Hints tips? 
> 
> 
> Greetz, 
> 
> Louis
OK, I take it back, I do have 'msNPAllowDialin' in AD:

root at dc1:~# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b
'CN=Schema,CN=Configuration,DC=example,DC=com' -s sub
'(cn=msNPAllowDialin)'
# record 1
dn: CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: msNPAllowDialin
instanceType: 4
whenCreated: 20171206114944.0Z
whenChanged: 20171206114944.0Z
uSNCreated: 755
attributeID: 1.2.840.113556.1.4.1119
attributeSyntax: 2.5.5.8
isSingleValued: TRUE
uSNChanged: 755
showInAdvancedViewOnly: TRUE
adminDisplayName: msNPAllowDialin
adminDescription: msNPAllowDialin
oMSyntax: 1
searchFlags: 16
lDAPDisplayName: msNPAllowDialin
name: msNPAllowDialin
objectGUID: cf7b3ec9-7055-428b-826a-41a526cca483
schemaIDGUID: db0c9085-c1f2-11d1-bbc5-0080c76670c0
attributeSecurityGUID: 037088f8-0ae1-11d2-b422-00a0c968f939
systemOnly: FALSE
systemFlags: 16
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=c
 om
distinguishedName: CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=example,DC
 =com

# returned 1 records
# 1 entries
# 0 referrals

I created an ldif:

dn: CN=sysadmin,OU=itadmin,OU=personnel,OU=People,DC=example,DC=com
changetype: modify
add: msNPAllowDialin
msNPAllowDialin: TRUE

Added the ldif with:

ldbmodify --url=/var/lib/samba/private/sam.ldb msadd.ldif

I now have a user with the 'msNPAllowDialin' attribute

Rowland

Hai Rowland,

Ok, cool, thanks for that.
Thats good to have that confirmed, the search show the same here. 

Enabled that one, and yes, i can see the msNPAllowDailin but only in attribut
editor, Dail-in tab still errors.

Reappy-ing the file :  MS-AD_Schema_2K8_R2_Attributes.txt 
Is that possible, that "should" fix the missing parts. 
I suspect a failure in the structure of the AD. ( arg..  hard to discribe what i
mean in english )
I suspect some more parts, somewhere in 2015 i had a big ad problem, i think
this is a left over.

I looked up some thing about then, and i see i had to fix almost all my AD
objects.
That worked, everything runs fine., but i would really like my Dail-in tab
working.


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: Rowland Penny [mailto:rpenny at samba.org] 
> Verzonden: donderdag 14 december 2017 15:20
> Aan: samba at lists.samba.org
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] ADUC missing msNPAllowDialin and need 
> vpn advice for ad setup.
> 
> On Thu, 14 Dec 2017 13:52:29 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > 
> > Readin : 
> https://wiki.samba.org/index.php/Samba_AD_schema_extensions 
> > 
> > Is it an option to make an ldiff for the  msNPAllowDialin  
> and others
> > on that Dail-in Tab. Im looking at the automount example. 
> > Hints tips? 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> 
> OK, I take it back, I do have 'msNPAllowDialin' in AD:
> 
> root at dc1:~# ldbsearch --cross-ncs -H 
> /var/lib/samba/private/sam.ldb -b 
> 'CN=Schema,CN=Configuration,DC=example,DC=com' -s sub 
> '(cn=msNPAllowDialin)'
> # record 1
> dn: CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=example,DC=com
> objectClass: top
> objectClass: attributeSchema
> cn: msNPAllowDialin
> instanceType: 4
> whenCreated: 20171206114944.0Z
> whenChanged: 20171206114944.0Z
> uSNCreated: 755
> attributeID: 1.2.840.113556.1.4.1119
> attributeSyntax: 2.5.5.8
> isSingleValued: TRUE
> uSNChanged: 755
> showInAdvancedViewOnly: TRUE
> adminDisplayName: msNPAllowDialin
> adminDescription: msNPAllowDialin
> oMSyntax: 1
> searchFlags: 16
> lDAPDisplayName: msNPAllowDialin
> name: msNPAllowDialin
> objectGUID: cf7b3ec9-7055-428b-826a-41a526cca483
> schemaIDGUID: db0c9085-c1f2-11d1-bbc5-0080c76670c0
> attributeSecurityGUID: 037088f8-0ae1-11d2-b422-00a0c968f939
> systemOnly: FALSE
> systemFlags: 16
> objectCategory: 
> CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=c
>  om
> distinguishedName: 
> CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=example,DC
>  =com
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> I created an ldif:
> 
> dn: CN=sysadmin,OU=itadmin,OU=personnel,OU=People,DC=example,DC=com
> changetype: modify
> add: msNPAllowDialin
> msNPAllowDialin: TRUE
> 
> Added the ldif with:
> 
> ldbmodify --url=/var/lib/samba/private/sam.ldb msadd.ldif
> 
> I now have a user with the 'msNPAllowDialin' attribute
> 
> Rowland
> 
>

On Thu, 14 Dec 2017 16:40:57 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Rowland,
> 
> Ok, cool, thanks for that.
> Thats good to have that confirmed, the search show the same here. 
> 
> Enabled that one, and yes, i can see the msNPAllowDailin but only in
> attribut editor, Dail-in tab still errors. 
> 
> Reappy-ing the file :  MS-AD_Schema_2K8_R2_Attributes.txt 
> Is that possible, that "should" fix the missing parts. 
> I suspect a failure in the structure of the AD. ( arg..  hard to
> discribe what i mean in english ) I suspect some more parts,
> somewhere in 2015 i had a big ad problem, i think this is a left
> over. 
> 
> I looked up some thing about then, and i see i had to fix almost all
> my AD objects. That worked, everything runs fine., but i would really
> like my Dail-in tab working. 
> 
I think I understand what you mean, the objectclass for
'msNPAllowDialin' is 'user', but it might need a structure in AD
similar to the ypServ30.ldif that makes the ADUC Unix Attributes tabs
work. What you might need is unknown to me.

Rowland

Yes, :-)) that what i mean. 

Now hope someone of the other samba devs knows. 
So, i'll wait a bit or mail to technical in a week or so.
First the new release. :-/ 


Thanks Rowland, 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: Rowland Penny [mailto:rpenny at samba.org] 
> Verzonden: donderdag 14 december 2017 17:11
> Aan: samba at lists.samba.org
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] ADUC missing msNPAllowDialin and need 
> vpn advice for ad setup.
> 
> On Thu, 14 Dec 2017 16:40:57 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > Hai Rowland,
> > 
> > Ok, cool, thanks for that.
> > Thats good to have that confirmed, the search show the same here. 
> > 
> > Enabled that one, and yes, i can see the msNPAllowDailin but only in
> > attribut editor, Dail-in tab still errors. 
> > 
> > Reappy-ing the file :  MS-AD_Schema_2K8_R2_Attributes.txt 
> > Is that possible, that "should" fix the missing parts. 
> > I suspect a failure in the structure of the AD. ( arg..  hard to
> > discribe what i mean in english ) I suspect some more parts,
> > somewhere in 2015 i had a big ad problem, i think this is a left
> > over. 
> > 
> > I looked up some thing about then, and i see i had to fix almost all
> > my AD objects. That worked, everything runs fine., but i 
> would really
> > like my Dail-in tab working. 
> > 
> 
> I think I understand what you mean, the objectclass for
> 'msNPAllowDialin' is 'user', but it might need a structure
in AD
> similar to the ypServ30.ldif that makes the ADUC Unix Attributes tabs
> work. What you might need is unknown to me.
> 
> Rowland
> 
>