Web lists-archives.com

Re: [Samba] objectclass "posixAccount" missing on new created users




 I don't played much recntly with NetApp filers but as they are supposed to
work well with MS AD I expected you don't really needs posixAccount
objectClass.

So a google search leads me there:
https://kb.netapp.com/support/s/article/ka31A0000008hesQAA/how-to-configure-ldap-on-a-filer-to-connect-to-microsoft-s-active-directory-ldap-implementation?language=en_US

Perhaps it's not what you are looking for but there are these two options
described in that link which could be helpful:
ldap.nssmap.objectClass.posixAccount User
ldap.nssmap.objectClass.posixGroup Group

2017-08-17 10:50 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Thu, 17 Aug 2017 20:34:00 +1200
> Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > On Thu, 2017-08-17 at 09:08 +0100, Rowland Penny via samba wrote:
> > > On Thu, 17 Aug 2017 09:39:07 +0200
> > > gizmo via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > Hello,
> > > > I made an upgrade from sernet-samba 4.3.11 to sernet-samba 4.6.7.
> > > > With samba 4.3.11 all created users contained the objectclass
> > > > "posixAccount". With samba 4.6.7 they don't.
> > > >
> > > > We have a NetApp-Storage-Server which exports nfs4-mounts (with
> > > > kerberos). Yesterday I wanted to change the owner of a directory
> > > > and "chown" threw an error "invalid argument". It was the new
> > > > created user which the NetApp didnt want to accept and caused
> > > > that error.
> > > >
> > > > So the NetApp accepts only users which derive from "posixAccount".
> > > >
> > > > The parameter "idmap_ldb:use rfc2307 = yes" is set in smb.conf.
> > > > "ldbsearch .. CN=ypservers,.." returns one record.
> > > >
> > > > With "ldbmodify add ..." I can add the objectclass "posixAccount",
> > > > but is this the right way ?
> > >
> > > No, definitely not, 'posixAccount' is an auxiliary objectclass of
> > > 'user' and as such never appears in AD. If your NetApp needs
> > > 'posixAccount when connecting to AD, then your NetApp is what is
> > > broken.
> >
> > Yes, sadly for you Rowland was successful in advancing the argument
> > that samba-tool should be no more helpful than ADUC when adding users
> > to the directory, so with more recent versions we no longer add
> > posixAccount as an auxillary class.
> >
> > You can of course add it by modifying the objectClass attribute, it is
> > a perfectly valid part of the AD schema, just not there by default.
>
> Yes Andrew, it is there, but NO windows tools add it and as we
> actively encourage the use of ADUC, we shouldn't encourage adding it.
>
> >
> > > >
> > > >
> > > >
> > > > 2 more informations about our enviroment:
> > > > - User-authentication on all linux-clients is based on sssd.
> > >
> > > I am going to stop there, sssd has nothing to do with Samba, go and
> > > ask on the sssd-users list, or use winbind instead (note: winbind
> > > can do everything sssd can do).
> >
> > What the clients use has no direct impact on what the member server
> > (the NetApp) does, but it is helpful to know as it impacts the chown.
> > I'm assuming you have a valid posix (via sssd) user here first, but
> > that the NetApp requires the user to be on the server, not just
> > respecting the raw UID?
>
> If you are referring to a user being in /etc/passwd on the NetApp and
> in AD, you know this is not allowed, a user can be in /etc/passwd or
> in AD, the user cannot be in both.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba