Mon, 20 Jul 2020 18:24:15 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 20/07/2020 17:52, RhineDevil wrote:
> > Mon, 20 Jul 2020 11:56:57 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >> On 20/07/2020 11:11, RhineDevil via samba wrote:
> >>> How could I migrate these fields to CN=aliases,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=local?
> >>>
> >>> dn: cn=abuse,ou=Aliases,DC=mydomail,DC=local
> >>> cn: abuse
> >>> objectClass: nisMailAlias
> >>> objectClass: top
> >>> rfc822MailMember: root
> >>>
> >>> dn: cn=noc,ou=Aliases,DC=mydomail,DC=local
> >>> cn: noc
> >>> objectClass: nisMailAlias
> >>> objectClass: top
> >>> rfc822MailMember: root
> >>>
> >>> dn: cn=security,ou=Aliases,DC=mydomail,DC=local
> >>> cn: security
> >>> objectClass: nisMailAlias
> >>> objectClass: top
> >>> rfc822MailMember: root
> >> First you will need the rfc822-MailMember.schema and then run that
> >> through oLschema2ldif to produce an ldif to add to AD.
> >>
> >> Doing the above, should produce something like this:
> >>
> >> dn: CN=rfc822MailMember,CN=Schema,CN=Configuration,dc=local
> >> objectClass: top
> >> objectClass: attributeSchema
> >> attributeID: 1.3.6.1.4.1.42.2.27.2.1.15
> >> schemaIdGuid:: aB7do9Dx3LkCSVgvixllpg==
> >> cn: rfc822MailMember
> >> name: rfc822MailMember
> >> lDAPDisplayName: rfc822MailMember
> >> description: rfc822 mail address of group member(s)
> >> attributeSyntax: 2.5.5.5
> >> oMSyntax: 22
> >> isSingleValued: FALSE
> >>
> >> dn: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
> >> objectClass: top
> >> objectClass: classSchema
> >> governsID: 1.3.6.1.4.1.42.2.27.1.2.5
> >> schemaIdGuid:: gMnYtZqCPTLAMXe3RZus8A==
> >> cn: nisMailAlias
> >> name: nisMailAlias
> >> lDAPDisplayName: nisMailAlias
> >> subClassOf: top
> >> objectClassCategory: 1
> >> description: NIS mail alias
> >> mustContain: cn
> >> mayContain: rfc822MailMember
> >> defaultObjectCategory: CN=nisMailAlias,CN=Schema,CN=Configuration,dc=local
> >>
> >> You will need to split that into two ldif's one containing the
> >> objectclass, the other the attribute.
> >>
> >> You can then add the two ldifs like this:
> >>
> >> ldbadd -H path_to_sam_ldb attr.ldif --option="dsdb:schema update allowed"=true
> >> ldbadd -H path_to_sam_ldb class.ldif --option="dsdb:schema update allowed"=true
> >>
> >> You could then add your ldif (modified to suit AD):
> >>
> >> dn: cn=abuse,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> >> cn: abuse
> >> objectClass: nisMailAlias
> >> objectClass: top
> >> rfc822MailMember: root
> >>
> >> dn: cn=noc,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> >> cn: noc
> >> objectClass: nisMailAlias
> >> objectClass: top
> >> rfc822MailMember: root
> >>
> >> dn: cn=security,cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local
> >> cn: security
> >> objectClass: nisMailAlias
> >> objectClass: top
> >> rfc822MailMember: root
> >>
> >> Whilst the above should work, I have never tried it. You should be aware
> >> that extending the AD schema is a one way action, you can never remove it.
> >>
> >> If you do extend your schema, you do this at your own risk, do not blame
> >> me if it goes wrong.
> >>
> >> Rowland
> >>
> > Wait but
> > Wouldn't it make sense to take care of this through samba-tool? Like there's --rfc-2037, --rfc822 could be added
>
> No, it wouldn't, basically all that adding '--rfc-2307' to the provision
> command does, is to add the ypServ30 ldif to AD. This ldif is what
> Microsoft added if you installed IDMU. Adding the ldif makes Samba
> compatible with ADUC.
>
> What you are adding is a corner case, so it would be a large amount of
> work to update samba-tool for a very few users, or perhaps only you.
> However, if you feel this should be in samba-tool, patches are always
> welcome ;-)
>
> Rowland
>
My idea would be more like adding full NIS support with an option (this is
normally achieved by using misc.schema (misc.ldif in new database-like
configuration) in OpenLDAP) but if you feel this is a corner case I won't be
pushy and I'll try to achieve this in the distros I collaborate with in
another way
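The DN rewrite discussed in this thread, as an added example that is not part of the original messages or of Samba: a Python sketch that unfolds LDIF continuation lines, checks that each entry is a nisMailAlias sitting directly under the old container, and moves it under the ypServ30 aliases container. The function names and the folded sample entry are constructed for illustration; base64 (`attr::`) values are assumed absent and are rejected.

```python
import re

OLD_BASE = "ou=Aliases,DC=mydomail,DC=local"   # source container from the thread
NEW_BASE = "cn=aliases,cn=mail,cn=ypServ30,cn=RpcServices,cn=System,dc=local"
# Constructed sample input; the second DN is folded to exercise unfolding.
SAMPLE = """\
dn: cn=abuse,ou=Aliases,DC=mydomail,DC=local
cn: abuse
objectClass: nisMailAlias
objectClass: top
rfc822MailMember: root

dn: cn=noc,ou=Aliases,
 DC=mydomail,DC=local
cn: noc
objectClass: nisMailAlias
objectClass: top
rfc822MailMember: root
"""

def parse(ldif):
    """Parse LDIF text into records: lists of (attribute, value) pairs."""
    text = re.sub(r"\r?\n ", "", ldif)          # RFC 2849 line unfolding
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # base64 ("attr:: ...") not handled
                raise ValueError(f"base64 value not supported: {attr}")
            pairs.append((attr.strip(), value.strip()))
        records.append(pairs)
    return records

def rebase(records, old_base=OLD_BASE, new_base=NEW_BASE):
    """Move each nisMailAlias entry from old_base to new_base, keeping its RDN."""
    moved = []
    for pairs in records:
        # Split at the first unescaped comma: RDN on the left, parent DN on the right.
        rdn, parent = re.split(r"(?<!\\),", pairs[0][1], maxsplit=1)
        classes = {v.lower() for a, v in pairs if a.lower() == "objectclass"}
        if pairs[0][0].lower() != "dn" or parent.strip().lower() != old_base.lower():
            raise ValueError(f"not directly under {old_base}: {pairs[0][1]}")
        if "nismailalias" not in classes:
            raise ValueError(f"not a nisMailAlias entry: {pairs[0][1]}")
        moved.append([("dn", f"{rdn},{new_base}")] + pairs[1:])
    return moved

def to_ldif(records):
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in r) for r in records) + "\n"
```

Calling `to_ldif(rebase(parse(SAMPLE)))` yields entries in the shape of the modified ldif quoted above.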