On Mon, 2021-11-29 at 15:40 +0100, Victor Rodriguez via samba wrote:
> Hello,
>
> I am migrating an ancient Windows 2003 SBS to Samba using Zentyal
> (Ubuntu 20.04.3 LTS + Samba version 4.13.14-Ubuntu from Ubuntu official
> repo). Everything seems to be working properly.
>
> After migration I have detected that many users have elements missing in
> LDAP, like "uidNumber", "gidNumber", "lastLogon" or "userAccountControl":

Did they have them before the 'migration'? How did you 'migrate' the domain? I can understand the first two being missing, but not the last two.

> ---
>
> ldbsearch --url=ldap://va-dc-001 -b DC=domain,DC=company,DC=local -P -s sub '(&(objectSid=S-1-5-21-***-***-***-1392))'
>
> [...]
>
> # record 1
> dn: CN=user1,OU=usersOU,DC=domain,DC=company,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: User1
> sn: Surname
> givenName: User1
> displayName: User1 Surname
> name: User1 Surname
> objectGUID: 1f6563a7-0810-4496-937b-ce8344289ae2
> codePage: 0
> countryCode: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-***-***-***-1392
> sAMAccountName: user1
> sAMAccountType: 805306368
> userPrincipalName: user1 at domain.company.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=company,DC=local
> msDS-SupportedEncryptionTypes: 0
> distinguishedName: CN=User1 Surname,OU=VAlameda,DC=domain,DC=company,DC=local
>
> [...]
>
> ---
>
> All users in this domain existed before migrating from Windows 2003. I
> have created a new user and it does not have those elements in LDAP.

You have to add the rfc2307 attributes yourself (how are you creating new users?), but you should get the other two.

> Some other users do have those elements in LDAP. All of them can log in
> to a Windows domain joined computer.
>
> - In this scenario, should they exist for every user? (as they do in
> other domains I have migrated/created)

Possibly, but as I said you have to choose to add the rfc2307 attributes.

> - Should I create them?

If you need RFC2307 attributes, then yes.

> How?

samba-tool for the RFC2307 attributes, the other two should be created for you.

Rowland

Initially, there was only a Windows 2003 Small Business Server DC. I don't have the full story, but as far as they remember the domain was created using this server at the time.

I joined Samba as an additional DC to the domain using Zentyal's web UI. I have checked the logs created when I joined the Samba DC and unfortunately Zentyal does not dump either each command or its output unless there is any error, and the only relevant output in the log is "Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking RFC2307 compliant schema..." and passes the check (please note: that log is unrelated to Samba itself but to Zentyal). Then, I joined another Zentyal server as an additional DC, moved all FSMO roles to dc-001 and depromoted the Windows 2003 SBS.

Every other Samba domain that I have uses Zentyal too and has RFC2307 extensions installed. Maybe in this case, that check didn't work as expected and the schema was not that compliant, but given that some users do have RFC2307 attributes I don't really know what to think.

The schema was upgraded to Windows 2003 level, both domain and forest, before migrating. After the migration, I upgraded to 2008R2 level (objectVersion: 47).

The users created before the migration were created from Windows 2003 ADUC. The test users created after the migration are created using Windows 10's RSAT ADUC console.

I don't know if the users had such attributes before the migration.

I understand that I might be able to add attributes like uidNumber or gidNumber using something as described at:

https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools

But how may I add other attributes like "userAccountControl"? New users do not have such an attribute (among others).

Many thanks in advance.

-- 
=======================================
SOLTECSIS SOLUCIONES TECNOLOGICAS, S.L.
Víctor Rodríguez Cortés
R&D&I Department
Tel./Fax: 966 446 046
vrodriguez at soltecsis.com
www.soltecsis.com
=======================================
---
The information contained in this e-mail is confidential and is for the exclusive use of the recipient named above. Please be advised that any use, disclosure, distribution and/or reproduction of this communication without express authorisation is strictly prohibited under current legislation. If you have received this message in error, please notify us immediately by the same means and delete it.
---
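
One way to find out which accounts lack the attributes discussed in this thread, added here as an example and not posted by either participant: it parses LDIF text as printed by ldbsearch and lists, per DN, which of the four attributes are absent. The sample records and the `example.test` names are constructed, and standard LDIF line folding (a continuation line starts with one space) is assumed.

```python
import re

# Attributes named in the thread as missing on some accounts.
EXPECTED = ("uidNumber", "gidNumber", "lastLogon", "userAccountControl")

# Constructed sample in ldbsearch's LDIF-style output; not data from the thread's domain.
SAMPLE = """\
# record 1
dn: CN=user1,OU=usersOU,DC=example,DC=test
objectClass: user
sAMAccountName: user1
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=example,DC=test

# record 2
dn: CN=user2,OU=usersOU,DC=example,DC=test
objectClass: user
sAMAccountName: user2
userAccountControl: 512
lastLogon: 0
uidNumber: 10001
gidNumber: 10000

# returned 2 records
"""

def parse_records(text):
    """Split LDIF text into dicts of lowercased attribute name -> list of values."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comments such as "# record 1" and stray text
            name, _, value = line.partition(":")
            # "attr:: value" marks base64; strip the extra colon and padding spaces
            rec.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
        if "dn" in rec:
            records.append(rec)
    return records

def missing_attributes(records, expected=EXPECTED):
    """Return {dn: [expected attributes not present in that record]}."""
    report = {}
    for rec in records:
        absent = [a for a in expected if a.lower() not in rec]
        if absent:
            report[rec["dn"][0]] = absent
    return report

if __name__ == "__main__":
    for dn, absent in missing_attributes(parse_records(SAMPLE)).items():
        print(f"{dn}: missing {', '.join(absent)}")
```
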