Initially, there was only a Windows 2003 Small Business Server DC. I don't have the full story, but as far as they remember the domain was created using this server at the time.

I joined Samba as an additional DC to the domain using Zentyal's web UI. I have checked the logs created when I joined the Samba DC and unfortunately Zentyal does not dump either each command or its output unless there is an error, and the only relative output in the log is "Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking RFC2307 compliant schema..." and passes the check (please note: that log is unrelated to Samba itself but to Zentyal). Then, I joined another Zentyal server as an additional DC, moved all FSMO roles to dc-001 and depromoted the Windows 2003 SBS.

Every other Samba domain that I have uses Zentyal too and has RFC2037 extensions installed. Maybe in this case, that check didn't work as expected and the schema was not that compliant, but given that some users do have RFC2037 attributes I don't really know what to think.

The schema was upgraded to Windows 2003 level, both domain and forest, before migrating. After the migration, I upgraded to 2008R2 level (objectVersion: 47).

The users created before the migration were created from Windows 2003 ADUC. The test users created after the migration are created using Windows 10's RSAT ADUC console. I don't know if the users had such attributes before the migration.

I understand that I might be able to add attributes like uidNumber or gidNumber using something as described at:

https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools

But how may I add other attributes like "userAccountControl"? New users do not have such attribute (among others).

Many thanks in advance.

--
SOLTECSIS SOLUCIONES TECNOLOGICAS, S.L.
Víctor Rodríguez Cortés
R&D&I Department
Tel./Fax: 966 446 046
vrodriguez at soltecsis.com
www.soltecsis.com

On Mon, 2021-11-29 at 19:01 +0100, Victor Rodriguez via samba wrote:
> Initially, there was only a Windows 2003 Small Business Server DC. I
> don't have the full story, but as far as they remember the domain was
> created using this server at the time
>
> I joined Samba as an additional DC to the domain using Zentyal's web
> UI.
> I have checked the logs created when I joined the Samba DC and
> unfortunately Zentyal does not dump neither each command or its output
> unless there is any error and the only relative output in the log is
> "Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking
> RFC2307 compliant schema..." and passes the check (please note: that
> log
> is unrelated to Samba itself but to Zentyal). Then, I joined another
> Zentyal server as an additional DC, moved all FSMO roles to dc-001 and
> depromoted the Windows 2003 SBS.

Do you still have the 2003 SBS?

> Every other Samba domain that I have use Zentyal too and have RFC2037
> extensions installed. Maybe in this case, that check didn't work as
> expected and the schema was not that compliant, but given that some
> users do have RFC2037 attributes I don't really know what to think.

I would be more worried about the DNS, was it 2003R2 compliant?

> The schema was upgraded to Windows 2003 level both domain and forest
> before migrating. After the migration, I upgraded to 2008R2 level
> (objectVersion: 47).

Samba now uses version 69 (2012R2)

> The users created before the migration were created from Windows 2003
> ADUC.

But did it have IDMU installed?

> The test users created after the migration are created using
> Windows 10's RSAT ADUC console.

That knows nothing about Unix

> I don't know if the users had such
> attributes before the migration.

If they weren't there before the upgrade, they wouldn't be there after.

> I understand that I might be able to add attributes like uidNumber or
> gidNumber using something something as described at:
>
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools

Probably easier to add them with samba-tool, see:

samba-tool user addunixattrs --help

for more details

> But how may I add other attributes like "userAccountControl"? New
> users
> do not have such attribute (among others).

This is extremely strange, your new users should have these by default. Can I suggest you try adding a user with samba-tool and see what the result is. If you are using the zentyal GUI, there could be a bug in that method, but this is unlikely.

Rowland

Hello,

At last I've been able to retake this issue. I have restored the 2003 SBS server in an independent network and done some investigation:

- adsiedit.msc shows all attributes for all users, including userAccountControl and pwdLastSet as expected. Many also have uidNumber and gidNumber set, which is ok.

- Still, ldbsearch does not show all attributes for some users when used via LDAP like this:

  ldbsearch -H ldap://dc1.domain.com -b "DC=domain,DC=com" -P -s sub "(sAMAccountName=USERNAME)"

- BUT, ldbsearch does show all attributes for all users (as adsiedit.msc does) when not using LDAP but the SAM file like this:

  ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=domain,DC=com" -P -s sub "(sAMAccountName=USERNAME)"

So the attributes are there and Samba did replicate them from the old Windows 2003 SBS when I migrated the domain, but somehow ldapsearch is not able to show or find them when using LDAP.

What could cause this behavior of ldbsearch?

Thank you.

On 11/29/21 7:23 PM, Rowland Penny via samba wrote:
> On Mon, 2021-11-29 at 19:01 +0100, Victor Rodriguez via samba wrote:
>> Initially, there was only a Windows 2003 Small Business Server DC. I
>> don't have the full story, but as far as they remember the domain was
>> created using this server at the time
>>
>> I joined Samba as an additional DC to the domain using Zentyal's web
>> UI.
>> I have checked the logs created when I joined the Samba DC and
>> unfortunately Zentyal does not dump neither each command or its output
>> unless there is any error and the only relative output in the log is
>> "Provision.pm:898 EBox::Samba::Provision::checkRfc2307 - Checking
>> RFC2307 compliant schema..." and passes the check (please note: that
>> log
>> is unrelated to Samba itself but to Zentyal). Then, I joined another
>> Zentyal server as an additional DC, moved all FSMO roles to dc-001 and
>> depromoted the Windows 2003 SBS.
> Do you still have the 2003 SBS?
>
>> Every other Samba domain that I have use Zentyal too and have RFC2037
>> extensions installed. Maybe in this case, that check didn't work as
>> expected and the schema was not that compliant, but given that some
>> users do have RFC2037 attributes I don't really know what to think.
> I would be more worried about the DNS, was it 2003R2 compliant?
>
>> The schema was upgraded to Windows 2003 level both domain and forest
>> before migrating. After the migration, I upgraded to 2008R2 level
>> (objectVersion: 47).
> Samba now uses version 69 (2012R2)
>
>> The users created before the migration were created from Windows 2003
>> ADUC.
> But did it have IDMU installed?
>
>> The test users created after the migration are created using
>> Windows 10's RSAT ADUC console.
> That knows nothing about Unix
>
>> I don't know if the users had such
>> attributes before the migration.
> If they weren't there before the upgrade, they wouldn't be there after.
>
>> I understand that I might be able to add attributes like uidNumber or
>> gidNumber using something something as described at:
>>
>> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools
> Probably easier to add them with samba-tool, see:
>
> samba-tool user addunixattrs --help
>
> for more details
>
>> But how may I add other attributes like "userAccountControl"? New
>> users
>> do not have such attribute (among others).
> This is extremely strange, your new users should have these by default.
> Can I suggest you try adding a user with samba-tool and see what the
> result is. If you are using the zentyal GUI, there could be a bug in
> that method, but this is unlikely.
>
> Rowland

--
Víctor Rodríguez Cortés
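
Added example, not part of the thread: the comparison described in the last message (the same search run against ldap:// and against sam.ldb) can be made mechanical by diffing the attribute names in the two LDIF dumps. The function names and the sample LDIF are constructed for illustration; real input would be the saved output of the two ldbsearch commands above.

```python
import base64
import re

def parse_ldif(text):
    """Map each DN (lowercased) to the set of attribute names in its record."""
    text = re.sub(r"\r?\n ", "", text)      # unfold LDIF continuation lines
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():                # blank line ends a record
            current = None
            continue
        if line.startswith("#"):            # "# record 1", "# Referral", ...
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name.lower() == "dn":
            current = entries.setdefault(value.strip().lower(), set())
        elif current is not None:           # skips "ref:" lines outside a record
            current.add(name.lower())
    return entries

def missing_attrs(local_ldif, ldap_ldif):
    """Attributes present in the sam.ldb dump but absent from the LDAP dump, per DN."""
    local, remote = parse_ldif(local_ldif), parse_ldif(ldap_ldif)
    diff = {dn: sorted(attrs - remote.get(dn, set())) for dn, attrs in local.items()}
    return {dn: names for dn, names in diff.items() if names}

# Constructed sample output (not taken from the thread).
LOCAL_SAMPLE = """# record 1
dn: CN=Test User,CN=Users,DC=domain,DC=com
sAMAccountName: testuser
userAccountControl: 512
pwdLastSet: 132827000000000000
uidNumber: 10001
"""
LDAP_SAMPLE = """# record 1
dn: CN=Test User,CN=Users,
 DC=domain,DC=com
sAMAccountName: testuser
uidNumber: 10001

# Referral
ref: ldap://domain.com/CN=Configuration,DC=domain,DC=com
"""
print(missing_attrs(LOCAL_SAMPLE, LDAP_SAMPLE))
```

The result lists, per user DN, exactly which attributes the LDAP view omits, which narrows the question to those attributes and the identity used for the LDAP bind.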