Hi:

I want to add rfc2307 attribute to machine account. I saw I can do it via "samba-tool computer". But I want to try if there is a simpler method, so I issue the command:

./samba-tool user addunixattrs 'machine$' 9999

and result:

You are setting a Unix/RFC2307 UID & GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use the attributes for XID/SID-mapping.
ERROR: Failed to modify user 'machine$': (21, "objectclass_attrs: attribute 'gidnumber' on entry 'CN=MACHINE,OU=Workstation,OU=PC,DC=ad,DC=samdom,DC=com, contains at least one invalid value!")
A transaction is still active in ldb context [0x56268385f090] on tdb:///usr/local/samba/private/sam.ldb

I don't mind the command failed. But last line worried me. Should I do something to revert the ldb transaction or even restore my samba backup?
Is that message safe to ignore?

Thanks a lot for help

Regards,
tbskyd

On Fri, 2023-02-24 at 15:56 +0800, d tbsky via samba wrote:
> Hi:
> I want to add rfc2307 attribute to machine account. I saw I can do
> it via "samba-tool computer". but I want to try if there is a simpler
> method, so I issue the command:
>
> ./samba-tool user addunixattrs 'machine$' 9999
>
> and result:
>
> You are setting a Unix/RFC2307 UID & GID. You may want to set
> 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use the attributes for
> XID/SID-mapping.
> ERROR: Failed to modify user 'machine$': (21, "objectclass_attrs:
> attribute 'gidnumber' on entry
> 'CN=MACHINE,OU=Workstation,OU=PC,DC=ad,DC=samdom,DC=com, contains at
> least one invalid value!")
> A transaction is still active in ldb context [0x56268385f090] on
> tdb:///usr/local/samba/private/sam.ldb
>
> I don't mind the command failed. but last line worried me. should I do
> something to revert the ldb transaction or even restore my samba
> backup?
> is that message safe to ignore?

What this means is that at the next open of that LDB for writes (if I recall correctly) the incomplete transaction will be removed from the journal, and no evidence of the failed command above will be present.

It is a coding error on Samba's part not to cancel the transaction before returning from the tool, but not a dangerous one.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

On 24/02/2023 07:56, d tbsky via samba wrote:
> Hi:
> I want to add rfc2307 attribute to machine account. I saw I can do
> it via "samba-tool computer". but I want to try if there is a simpler
> method, so I issue the command:
>
> ./samba-tool user addunixattrs 'machine$' 9999
>
> and result:
>
> You are setting a Unix/RFC2307 UID & GID. You may want to set
> 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use the attributes for
> XID/SID-mapping.
> ERROR: Failed to modify user 'machine$': (21, "objectclass_attrs:
> attribute 'gidnumber' on entry
> 'CN=MACHINE,OU=Workstation,OU=PC,DC=ad,DC=samdom,DC=com, contains at
> least one invalid value!")
> A transaction is still active in ldb context [0x56268385f090] on
> tdb:///usr/local/samba/private/sam.ldb
>
> I don't mind the command failed. but last line worried me. should I do
> something to revert the ldb transaction or even restore my samba
> backup?
> is that message safe to ignore?
>
> thanks a lot for help
>
> Regards,
> tbskyd
>

As Andrew has said, you can ignore that error message, but the reason it is happening is interesting. The code was written from the point of view of adding rfc2307 attributes to a user, not a computer, hence it uses the gidNumber from Domain Users if '--gid-number=GID_NUMBER' is not supplied. Domain Users is the normal primary group for AD users, but the primary group for computers is Domain Computers, so that is one problem. However, I think the reason why it threw an error is simple, I do not think that Domain Users has a gidNumber attribute, though the code should have told you this, but apparently it doesn't.

Rowland
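
A pre-flight check for the failure described in the last reply, as an added example that is not part of the thread or of Samba: it reads a group's LDIF (in the form ldbsearch prints) and only builds the addunixattrs command, with an explicit --gid-number, when that group actually carries a gidNumber. The choice of Domain Computers as the group, the function names and the sample LDIF (including the value 10515) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Samba code): pre-flight check before
# "samba-tool user addunixattrs" on a machine account.
#
# Live input would come from ldbsearch, e.g.
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       '(sAMAccountName=Domain Computers)' gidNumber

# Print the first gidNumber value found in LDIF on stdin; print nothing
# if the attribute is absent. LDIF attribute names are case-insensitive.
ldif_gid_number() {
    awk 'tolower($1) == "gidnumber:" { print $2; exit }'
}

# Given an account, a UID number and the group's LDIF, print the
# addunixattrs command with an explicit --gid-number and return 0.
# Return 1 (printing nothing on stdout) when the group has no usable
# gidNumber, instead of letting the modify fail inside samba-tool.
plan_addunixattrs() {
    account=$1
    uid_number=$2
    group_ldif=$3
    gid=$(printf '%s\n' "$group_ldif" | ldif_gid_number)
    case $gid in
        '' | *[!0-9]*)
            echo "no numeric gidNumber on group; not running addunixattrs" >&2
            return 1
            ;;
    esac
    printf "samba-tool user addunixattrs '%s' %s --gid-number=%s\n" \
        "$account" "$uid_number" "$gid"
}

# Constructed sample LDIF (the gidNumber value 10515 is made up).
SAMPLE_WITH_GID='dn: CN=Domain Computers,CN=Users,DC=ad,DC=samdom,DC=com
gidNumber: 10515'
SAMPLE_WITHOUT_GID='dn: CN=Domain Users,CN=Users,DC=ad,DC=samdom,DC=com'

plan_addunixattrs 'machine$' 9999 "$SAMPLE_WITH_GID"
plan_addunixattrs 'machine$' 9999 "$SAMPLE_WITHOUT_GID" || true
```

The script prints the command instead of running it, so the result can be reviewed before anything is written to sam.ldb.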