Hi,

>Ah, I think I see the problem, If I remember correctly, you joined the
>the Samba DC to a Windows DC and if you didn't have IDMU installed on
>the Windows DC, you wouldn't get the required objects in AD created on
>the Samba DC either.

Really, IDMU was not installed.

There is the file ypServ30.ldif

ls /usr/share/samba/setup/
...
ypServ30.ldif

But, I believe the extension is not enabled:

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br

This way, Do I need to install NIS (apt-get install nis) or only
Replace the variables in LDIF file with the domain distinguished name
(DN), NetBIOS name, and the NIS domain ?

Regards,
Márcio Bacci

On Mon, 19 Aug 2019 at 11:53, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 19/08/2019 15:12, Marcio Demetrio Bacci wrote:
> > Hi,
> > >How are you trying to create the Unix (RFC2307) attributes ?
> > I am following the article:
> >
> > https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
> >
> > Open ADUC.
> > Right-click to a user account and choose properties.
> > Navigate to the "UNIX Attributes" tab.
> Do you have the IDMU server installed on the Windows DC ?
> >
> > >Also, what do you mean by 'it doesn't bother any NIS server' ?
> > Sorry, Google translated it wrong.
> > Did you mean: Not appear the domain name to select in the NIS Domain
> > field.
> >
> > >Do you mean that the RFC2307 attributes are not being used ?
> > No.
> OK
> > Do I need change my smb.conf from:
> >
> > # Global parameters
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = EMPRESA
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > ldap server require strong auth = no
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> > To
> >
> > # Global parameters
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = EMPRESA
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > idmap_ldb:use rfc2307 = yes
> > ldap server require strong auth = no
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> Ah, I think I see the problem, If I remember correctly, you joined the
> the Samba DC to a Windows DC and if you didn't have IDMU installed on
> the Windows DC, you wouldn't get the required objects in AD created on
> the Samba DC either.
>
> All the RFC2307 attributes are in the AD schema by default, so they are
> available for use.
>
> You have a few options:
>
> Check if IDMU is installed and install it if not.
>
> Install the ypServ30.ldif on the Samba DC
> (/usr/share/samba/setup/ypServ30.ldif), see here:
>
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions
>
> Write your own script using ldbmodify or ldapmodify to add the uidNumber
> & gidNumber attributes.
>
> You should be aware that even if you do any of the above, your users
> will still get Domain Users as their primary group on the DC.
>
> To get your AD users to show on your Samba AD DC, you need to have
> libnss-winbind, libpam-krb5 & libpam-winbind installed and ensure the
> 'passwd' & 'group' lines in /etc/nsswitch.conf look like this:
>
> passwd: compat winbind
> group: compat winbind
>
> If you do the above, you should get your users & groups without doing
> any of the above, but the IDs will be in the '3000000' range.
>
> Rowland

On 19/08/2019 21:45, Marcio Demetrio Bacci wrote:
> Hi,
>
> >Ah, I think I see the problem, If I remember correctly, you joined the
> >the Samba DC to a Windows DC and if you didn't have IDMU installed on
> >the Windows DC, you wouldn't get the required objects in AD created on
> >the Samba DC either.
>
> Really, IDMU was not installed.
>
> There is the file ypServ30.ldif
> ls /usr/share/samba/setup/
> ...
> ypServ30.ldif
>
> But, I believe the extension is not enabled:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
> search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
>
> This way, Do I need to install NIS (apt-get install nis) or only
> Replace the variables in LDIF file with the domain distinguished name
> (DN), NetBIOS name, and the NIS domain ?

No, yes, yes and sort of ;-)

No, you do not install NIS

Yes, you replace '${DOMAINDN}' with 'DC=empresa,DC=com,DC=br'

Yes, you replace '${NETBIOSNAME}' with the DCs short hostname in uppercase

You replace '${NISDOMAIN}' (that is a bad name) with the workgroup name in lowercase.

ypServ30.ldif is what installing IDMU on a Windows adds to AD and is
normally only added to Samba if you provision a new domain with
'--use-rfc2307'

Rowland

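The substitution described in the reply above, as an added shell example that is not part of the thread: it renders a copy of the template, applies the upper/lower case rules given there, and refuses to continue while any ${...} placeholder is left. The function names are hypothetical and the three-line sample template is constructed; it is not the contents of ypServ30.ldif.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# render_ldif TEMPLATE DOMAIN_DN DC_HOSTNAME WORKGROUP -> rendered LDIF on stdout
# Assumes the values contain no '/', '&' or '\' (true for a DN or a host name).
render_ldif() {
    # Case rules from the reply: short hostname upper, workgroup lower.
    netbios=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    nisdomain=$(printf '%s' "$4" | tr '[:upper:]' '[:lower:]')
    # [$] is a literal dollar sign, so the shell never expands ${...} here.
    sed -e "s/[$]{DOMAINDN}/$2/g" \
        -e "s/[$]{NETBIOSNAME}/$netbios/g" \
        -e "s/[$]{NISDOMAIN}/$nisdomain/g" "$1"
}

# count_unresolved FILE -> number of lines that still contain a ${NAME}
count_unresolved() {
    grep -c '[$]{[A-Za-z_][A-Za-z0-9_]*}' "$1" || true
}

# prepare_ldif TEMPLATE OUT DOMAIN_DN DC_HOSTNAME WORKGROUP
# Leaves TEMPLATE untouched; returns 0 only if OUT is fully resolved.
prepare_ldif() {
    render_ldif "$1" "$3" "$4" "$5" > "$2" || return 1
    left=$(count_unresolved "$2")
    if [ "$left" -ne 0 ]; then
        echo "refusing: $left line(s) in $2 still contain a placeholder" >&2
        return 1
    fi
}

# Constructed sample in the template's style (not the real ypServ30.ldif).
sample_template() {
    cat <<'EOF'
dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
msSFU30MasterServerName: ${NETBIOSNAME}
EOF
}

# Demo with the thread's values; only a fully rendered file is printed.
work=$(mktemp -d)
sample_template > "$work/template.ldif"
prepare_ldif "$work/template.ldif" "$work/rendered.ldif" \
    'DC=empresa,DC=com,DC=br' samba4-dc1 EMPRESA && cat "$work/rendered.ldif"
```
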
Hi,

I performed the procedures below on Samba4-DC1 (Master) and apparently
everything went fine.

/etc/init.d/samba-ad-dc stop

sed -i -e 's/${DOMAINDN}/DC=empresa,DC=com,DC=br/g' \
    -e 's/${NETBIOSNAME}/SAMBA4-DC1/g' \
    -e 's/${NISDOMAIN}/empresa/g' \
    /tmp/ypServ30.ldif

root@samba4-dc1:/tmp# ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully

/etc/init.d/samba-ad-dc start

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

However I noticed that an error arose in replication with Samba4-DC2, as
follows:

samba-tool drs showrepl
...
CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-DC2 via RPC
        DSA object GUID: 45b5b534-9bcc-483c-8f6d-5bbc37dc35e9
        Last attempt @ Mon Aug 19 22:28:59 2019 -03 failed, result 64 (WERR_NETNAME_DELETED)
        1 consecutive failure(s).
        Last success @ Mon Aug 19 22:07:23 2019 -03

How can I solve this problem?

Regards,
Márcio Bacci

On Mon, 19 Aug 2019 at 18:05, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 19/08/2019 21:45, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > >Ah, I think I see the problem, If I remember correctly, you joined the
> > >the Samba DC to a Windows DC and if you didn't have IDMU installed on
> > >the Windows DC, you wouldn't get the required objects in AD created on
> > >the Samba DC either.
> >
> > Really, IDMU was not installed.
> >
> > There is the file ypServ30.ldif
> > ls /usr/share/samba/setup/
> > ...
> > ypServ30.ldif
> >
> > But, I believe the extension is not enabled:
> >
> > ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
> > search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
> >
> > This way, Do I need to install NIS (apt-get install nis) or only
> > Replace the variables in LDIF file with the domain distinguished name
> > (DN), NetBIOS name, and the NIS domain ?
>
> No, yes, yes and sort of ;-)
>
> No, you do not install NIS
>
> Yes, you replace '${DOMAINDN}' with 'DC=empresa,DC=com,DC=br'
>
> Yes, you replace '${NETBIOSNAME}' with the DCs short hostname in uppercase
>
> You replace '${NISDOMAIN}' (that is a bad name) with the workgroup name
> in lowercase.
>
> ypServ30.ldif is what installing IDMU on a Windows adds to AD and is
> normally only added to Samba if you provision a new domain with
> '--use-rfc2307'
>
> Rowland
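
A check for the situation reported in the message above, as an added shell example that is not part of the thread: it reads the text output of 'samba-tool drs showrepl' and lists every link whose consecutive-failure count is not zero. The function names are hypothetical and the sample input is constructed: its Schema entry follows the output quoted in the message, while the healthy entry and its "was successful" wording are made up for contrast.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Real use:  samba-tool drs showrepl | replication_ok

# failed_links: showrepl text on stdin ->
#   naming context <TAB> partner <TAB> result <TAB> consecutive failures
failed_links() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^(CN|DC)=/           { nc = $0; next }   # naming context line
        / via RPC$/           { partner = substr($0, 1, length($0) - 8); next }
        /^Last attempt @/     { i = index($0, "failed, result ")
                                result = i ? substr($0, i + 15) : ""; next }
        /consecutive failure/ { if ($1 + 0 > 0) printf "%s\t%s\t%s\t%d\n", nc, partner, result, $1 }
    '
}

# replication_ok: exit 0 only if no link reports a consecutive failure.
replication_ok() {
    bad=$(failed_links)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
}

# Constructed sample; see the note above the block for what is made up.
sample_showrepl() {
    cat <<'EOF'
==== INBOUND NEIGHBORS ====

DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-DC2 via RPC
        DSA object GUID: 45b5b534-9bcc-483c-8f6d-5bbc37dc35e9
        Last attempt @ Mon Aug 19 22:28:59 2019 -03 was successful
        0 consecutive failure(s).
        Last success @ Mon Aug 19 22:28:59 2019 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
    Default-First-Site-Name\SAMBA4-DC2 via RPC
        DSA object GUID: 45b5b534-9bcc-483c-8f6d-5bbc37dc35e9
        Last attempt @ Mon Aug 19 22:28:59 2019 -03 failed, result 64 (WERR_NETNAME_DELETED)
        1 consecutive failure(s).
        Last success @ Mon Aug 19 22:07:23 2019 -03
EOF
}

# Demo: prints the one failing link from the sample.
sample_showrepl | failed_links
```
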