Hello,

we have a single DC after a classicupgrade and we need to extend the schema. So we created an attrib.ldif with all our attributes and an object.ldif to add the attributes to the "CN=User" Object. We tested the two ldif-files on a DC with only a few users and groups and it works fine. Then we did the classicupgrade (same NC as the test-system); we have more than 30.000 users after the classicupgrade. Then we did the schema extension with the same ldif-files. During the process the DB was reindexed. Then we looked at a user in the "attribute editor" in ADUC of one of the users. We can't see the additional attributes. We reindexed the DB and got the following messages:
---------------
root at addc01:~# samba-tool dbcheck --reindex
Re-indexing...
Reindexing: re-keyed 10000 records so far
Reindexing: re-keyed 20000 records so far
Reindexing: re-keyed 30000 records so far
Reindexing: re-indexed 10000 records so far
Reindexing: re-indexed 20000 records so far
Reindexing: re-indexed 30000 records so far
Reindexing: re_index successful on /var/lib/samba/private/sam.ldb.d/DC=EXAMPLE,DC=DE.ldb, final index write-out will be in transaction commit
completed re-index OK
-----------------
It looks like the reindexing was working, but we still can't use the attributes. Can it be that it takes a long time because of the 30.000 users?

Greetings

Stefan

On Wed, 21 Nov 2018 10:06:06 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello,
>
> we have a single DC after a classicupgrade and we need to extend the
> schema. So we created an attrib.ldif with all our attributes and an
> object.ldif to add the attributes to the "CN=User" Object. We tested
> the two ldif-files on a DC with only a few users and groups and it
> works fine. Then we did the classicupgrade (same NC as the
> test-system); we have more than 30.000 users after the classicupgrade.
> Then we did the schema extension with the same ldif-files. During the
> process the DB was reindexed. Then we looked at a user in the
> "attribute editor" in ADUC of one of the users. We can't see the
> additional attributes. We reindexed the DB and got the following
> messages:
> ---------------
> root at addc01:~# samba-tool dbcheck --reindex
> Re-indexing...
> Reindexing: re-keyed 10000 records so far
> Reindexing: re-keyed 20000 records so far
> Reindexing: re-keyed 30000 records so far
> Reindexing: re-indexed 10000 records so far
> Reindexing: re-indexed 20000 records so far
> Reindexing: re-indexed 30000 records so far
> Reindexing: re_index successful on
> /var/lib/samba/private/sam.ldb.d/DC=EXAMPLE,DC=DE.ldb, final index
> write-out will be in transaction commit
> completed re-index OK
> -----------------
> It looks like the reindexing was working, but we still can't use the
> attributes. Can it be that it takes a long time because of the 30.000
> users?
>

Have you tried an ldap search on a user to rule out an ADUC problem?
What are the attributes for?

Rowland

On Wed, 21 Nov 2018 10:06:06 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello,
>
> we have a single DC after a classicupgrade and we need to extend the
> schema. So we created an attrib.ldif with all our attributes and an
> object.ldif to add the attributes to the "CN=User" Object. We tested
> the two ldif-files on a DC with only a few users and groups and it
> works fine. Then we did the classicupgrade (same NC as the
> test-system); we have more than 30.000 users after the classicupgrade.
> Then we did the schema extension with the same ldif-files. During the
> process the DB was reindexed. Then we looked at a user in the
> "attribute editor" in ADUC of one of the users. We can't see the
> additional attributes. We reindexed the DB and got the following
> messages:
> ---------------
> root at addc01:~# samba-tool dbcheck --reindex
> Re-indexing...
> Reindexing: re-keyed 10000 records so far
> Reindexing: re-keyed 20000 records so far
> Reindexing: re-keyed 30000 records so far
> Reindexing: re-indexed 10000 records so far
> Reindexing: re-indexed 20000 records so far
> Reindexing: re-indexed 30000 records so far
> Reindexing: re_index successful on
> /var/lib/samba/private/sam.ldb.d/DC=EXAMPLE,DC=DE.ldb, final index
> write-out will be in transaction commit
> completed re-index OK
> -----------------
> It looks like the reindexing was working, but we still can't use the
> attributes. Can it be that it takes a long time because of the 30.000
> users?
>
> Greetings
>
> Stefan
>

Another thought: you carried out a classicupgrade, then extended the schema. Did you then add the attributes to the users?

Rowland

On 21.11.2018 10:22, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 10:06:06 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> we have a single DC after a classicupgrade and we need to extend the
>> schema. So we created an attrib.ldif with all our attributes and an
>> object.ldif to add the attributes to the "CN=User" Object. We tested
>> the two ldif-files on a DC with only a few users and groups and it
>> works fine. Then we did the classicupgrade (same NC as the
>> test-system); we have more than 30.000 users after the classicupgrade.
>> Then we did the schema extension with the same ldif-files. During the
>> process the DB was reindexed. Then we looked at a user in the
>> "attribute editor" in ADUC of one of the users. We can't see the
>> additional attributes. We reindexed the DB and got the following
>> messages:
>> ---------------
>> root at addc01:~# samba-tool dbcheck --reindex
>> Re-indexing...
>> Reindexing: re-keyed 10000 records so far
>> Reindexing: re-keyed 20000 records so far
>> Reindexing: re-keyed 30000 records so far
>> Reindexing: re-indexed 10000 records so far
>> Reindexing: re-indexed 20000 records so far
>> Reindexing: re-indexed 30000 records so far
>> Reindexing: re_index successful on
>> /var/lib/samba/private/sam.ldb.d/DC=EXAMPLE,DC=DE.ldb, final index
>> write-out will be in transaction commit
>> completed re-index OK
>> -----------------
>> It looks like the reindexing was working, but we still can't use the
>> attributes. Can it be that it takes a long time because of the 30.000
>> users?
>>
>
> Have you tried an ldap search on a user to rule out an ADUC problem?
> What are the attributes for?
>
> Rowland

Hi Rowland,

the problem WAS the ADUC! The first try to put the attributes into the new AD failed, so we reset the VM (the win10 client with ADUC was still in the domain). We fixed the problem in the ldif and reran the schema extension. We did not see the attributes in ADUC, so we changed the new attributes via an ldif-file to one of our users; this worked fine. We then removed the profile of the domain-admin from the Windows 10 machine, logged in with a new profile and everything was fine. So the problem is that the ADUC saves the schema-settings inside the profile of the user who accesses the AD. As far as we figured out it is not possible to get the new information into the ADUC, only if you delete the profile of the user. THAT SU...

Your hint with the ADUC sent us on the right track.

Thank you

Stefan

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam. Sign your e-mail. More information at http://www.gnupg.org
My key is available at hkp://subkeys.pgp.net
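
Added example, not part of the thread: a server-side check in the spirit of Rowland's "rule out an ADUC problem" question, comparing the attributes an attrib.ldif defines with what an LDIF for CN=User (the object.ldif, or the output of an LDAP search on that schema object) allows. The attribute names and both LDIF samples are constructed placeholders, since the thread does not show the real files.

```python
import base64

def parse_ldif(text):
    """Parse LDIF text into a list of {attr_lowercase: [values]} records."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], {}
    for line in lines + [""]:
        if not line.strip():                      # blank line ends a record
            if cur:
                records.append(cur)
            cur = {}
        elif line[0] != "#" and line != "-" and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    return records

def schema_gaps(attrib_ldif, class_ldif):
    """Attributes defined in attrib_ldif that the class LDIF never allows."""
    defined = [r["ldapdisplayname"][0] for r in parse_ldif(attrib_ldif)
               if "ldapdisplayname" in r]
    allowed = set()
    for r in parse_ldif(class_ldif):
        for v in r.get("maycontain", []) + r.get("mustcontain", []):
            allowed.add(v.lower())
    return sorted(a for a in defined if a.lower() not in allowed)

# Constructed sample input; the attribute names are placeholders.
ATTRIB_LDIF = """\
dn: CN=exampleBadgeId,CN=Schema,CN=Configuration,DC=EXAMPLE,DC=DE
objectClass: attributeSchema
lDAPDisplayName: exampleBadgeId

dn: CN=exampleCostCenter,CN=Schema,CN=Configuration,
 DC=EXAMPLE,DC=DE
objectClass: attributeSchema
lDAPDisplayName:: ZXhhbXBsZUNvc3RDZW50ZXI=
"""
CLASS_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=EXAMPLE,DC=DE
changetype: modify
add: mayContain
mayContain: exampleBadgeId
-
"""

if __name__ == "__main__":
    print("defined but not on CN=User:", schema_gaps(ATTRIB_LDIF, CLASS_LDIF))
```

An empty result from the server's own view of CN=User means the schema extension is in place and any missing attribute in the GUI is a client-side display issue, which is what the thread found.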