Hi,

>Ah, I think I see the problem. If I remember correctly, you joined the
>Samba DC to a Windows DC and if you didn't have IDMU installed on
>the Windows DC, you wouldn't get the required objects in AD created on
>the Samba DC either.

Really, IDMU was not installed.

There is the file ypServ30.ldif:

ls /usr/share/samba/setup/
...
ypServ30.ldif

But, I believe the extension is not enabled:

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br

This way, do I need to install NIS (apt-get install nis) or only replace the variables in the LDIF file with the domain distinguished name (DN), NetBIOS name, and the NIS domain?

Regards,

Márcio Bacci

On Mon, 19 Aug 2019 at 11:53, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 19/08/2019 15:12, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > >How are you trying to create the Unix (RFC2307) attributes ?
> >
> > I am following the article:
> > https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
> >
> > Open ADUC.
> > Right-click on a user account and choose properties.
> > Navigate to the "UNIX Attributes" tab.
>
> Do you have the IDMU server installed on the Windows DC ?
>
> > >Also, what do you mean by 'it doesn't bother any NIS server' ?
> >
> > Sorry, Google translated it wrong.
> > I meant: the domain name does not appear to select in the NIS Domain
> > field.
> >
> > >Do you mean that the RFC2307 attributes are not being used ?
> >
> > No.
>
> OK
>
> > Do I need to change my smb.conf from:
> >
> > # Global parameters
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = EMPRESA
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > ldap server require strong auth = no
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> > To
> >
> > # Global parameters
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = EMPRESA
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > idmap_ldb:use rfc2307 = yes
> > ldap server require strong auth = no
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
>
> Ah, I think I see the problem. If I remember correctly, you joined the
> Samba DC to a Windows DC and if you didn't have IDMU installed on
> the Windows DC, you wouldn't get the required objects in AD created on
> the Samba DC either.
>
> All the RFC2307 attributes are in the AD schema by default, so they are
> available for use.
>
> You have a few options:
>
> Check if IDMU is installed and install it if not.
>
> Install the ypServ30.ldif on the Samba DC
> (/usr/share/samba/setup/ypServ30.ldif), see here:
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions
>
> Write your own script using ldbmodify or ldapmodify to add the uidNumber
> & gidNumber attributes.
>
> You should be aware that even if you do any of the above, your users
> will still get Domain Users as their primary group on the DC.
>
> To get your AD users to show on your Samba AD DC, you need to have
> libnss-winbind, libpam-krb5 & libpam-winbind installed and ensure the
> 'passwd' & 'group' lines in /etc/nsswitch.conf look like this:
>
> passwd: compat winbind
> group: compat winbind
>
> If you do the above, you should get your users & groups without doing
> any of the above, but the IDs will be in the '3000000' range.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 19/08/2019 21:45, Marcio Demetrio Bacci wrote:
> Hi,
>
> >Ah, I think I see the problem. If I remember correctly, you joined the
> >Samba DC to a Windows DC and if you didn't have IDMU installed on
> >the Windows DC, you wouldn't get the required objects in AD created on
> >the Samba DC either.
>
> Really, IDMU was not installed.
>
> There is the file ypServ30.ldif:
>
> ls /usr/share/samba/setup/
> ...
> ypServ30.ldif
>
> But, I believe the extension is not enabled:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
> cn
> search error - No such Base DN:
> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
>
> This way, do I need to install NIS (apt-get install nis) or only
> replace the variables in the LDIF file with the domain distinguished name
> (DN), NetBIOS name, and the NIS domain?

No, yes, yes and sort of ;-)

No, you do not install NIS.

Yes, you replace '${DOMAINDN}' with 'DC=empresa,DC=com,DC=br'.

Yes, you replace '${NETBIOSNAME}' with the DC's short hostname in uppercase.

You replace '${NISDOMAIN}' (that is a bad name) with the workgroup name in lowercase.

ypServ30.ldif is what installing IDMU on Windows adds to AD and is normally only added to Samba if you provision a new domain with '--use-rfc2307'.

Rowland
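One way to script the three substitutions listed in the reply above, as an added example that is not part of this thread or of Samba: the DN is derived from the realm in the smb.conf quoted earlier, the case rules are applied, and the rendered file is checked for leftover placeholders before anything is handed to ldbmodify. The LDIF fragment inside is constructed for the demo and is not the contents of the real ypServ30.ldif.

```shell
#!/bin/sh
# Added example (not from the thread): render ypServ30.ldif as Rowland
# describes and refuse to continue if any '${...}' placeholder survives.
# Assumes POSIX sh with sed, awk and tr; the template path is passed in.

# Derive the domain DN from the realm: EMPRESA.COM.BR -> DC=empresa,DC=com,DC=br
realm_to_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# render_ldif TEMPLATE REALM NETBIOS_HOSTNAME WORKGROUP
# NETBIOSNAME is forced to upper case (the DC's short hostname) and
# NISDOMAIN to lower case (the workgroup), as stated in the reply above.
render_ldif() {
    dn=$(realm_to_dn "$2")
    nb=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    nis=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    sed -e "s/\${DOMAINDN}/$dn/g" \
        -e "s/\${NETBIOSNAME}/$nb/g" \
        -e "s/\${NISDOMAIN}/$nis/g" "$1"
}

# Succeeds only when no '${' is left in the rendered file (catches a
# misspelled or newly introduced variable before ldbmodify sees it).
check_rendered() {
    ! grep -qF '${' "$1"
}

# Constructed one-entry fragment using all three placeholders; it is NOT
# the contents of the real ypServ30.ldif, only shaped like it.
sample_template() {
    cat <<'EOF'
dn: CN=${NISDOMAIN},CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ${NISDOMAIN}
description: NIS domain ${NISDOMAIN} served by ${NETBIOSNAME}
EOF
}

# Stand-alone demo with the values used in this thread.
tmpl=$(mktemp)
sample_template > "$tmpl"
render_ldif "$tmpl" EMPRESA.COM.BR samba4-dc1 EMPRESA > "$tmpl.out"
check_rendered "$tmpl.out" && echo "rendered OK, no placeholders left"
rm -f "$tmpl" "$tmpl.out"
```

Point render_ldif at /usr/share/samba/setup/ypServ30.ldif (or a copy of it) and only feed the output to ldbmodify when check_rendered succeeds.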
Hi,

I performed the procedures below on Samba4-DC1 (Master) and apparently everything went fine.

/etc/init.d/samba-ad-dc stop

sed -i -e 's/${DOMAINDN}/DC=empresa,DC=com,DC=br/g' \
       -e 's/${NETBIOSNAME}/SAMBA4-DC1/g' \
       -e 's/${NISDOMAIN}/empresa/g' \
       /tmp/ypServ30.ldif

root@samba4-dc1:/tmp# ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully

/etc/init.d/samba-ad-dc start

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

However, I noticed that an error arose in replication with Samba4-DC2, as follows:

samba-tool drs showrepl
...
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
        Default-First-Site-Name\SAMBA4-DC2 via RPC
                DSA object GUID: 45b5b534-9bcc-483c-8f6d-5bbc37dc35e9
                Last attempt @ Mon Aug 19 22:28:59 2019 -03 failed, result 64 (WERR_NETNAME_DELETED)
                1 consecutive failure(s).
                Last success @ Mon Aug 19 22:07:23 2019 -03

How can I solve this problem?

Regards,

Márcio Bacci

On Mon, 19 Aug 2019 at 18:05, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 19/08/2019 21:45, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > >Ah, I think I see the problem. If I remember correctly, you joined the
> > >Samba DC to a Windows DC and if you didn't have IDMU installed on
> > >the Windows DC, you wouldn't get the required objects in AD created on
> > >the Samba DC either.
> >
> > Really, IDMU was not installed.
> >
> > There is the file ypServ30.ldif:
> >
> > ls /usr/share/samba/setup/
> > ...
> > ypServ30.ldif
> >
> > But, I believe the extension is not enabled:
> >
> > ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
> > CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
> > cn
> > search error - No such Base DN:
> > CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
> >
> > This way, do I need to install NIS (apt-get install nis) or only
> > replace the variables in the LDIF file with the domain distinguished name
> > (DN), NetBIOS name, and the NIS domain?
>
> No, yes, yes and sort of ;-)
>
> No, you do not install NIS.
>
> Yes, you replace '${DOMAINDN}' with 'DC=empresa,DC=com,DC=br'.
>
> Yes, you replace '${NETBIOSNAME}' with the DC's short hostname in uppercase.
>
> You replace '${NISDOMAIN}' (that is a bad name) with the workgroup name
> in lowercase.
>
> ypServ30.ldif is what installing IDMU on Windows adds to AD and is
> normally only added to Samba if you provision a new domain with
> '--use-rfc2307'.
>
> Rowland