Also see bug 302310. objectclass posixGroup has to be structural like nis.schema & the RFC says, right? I think everyone agrees the final RFC got it right and the gentoo schema file is wrong even though it follows: https://tools.ietf.org/html/draft-howard-rfc2307bis-02

Why is this old one included? I chose it because I wanted automount support.

Here's how it breaks samba. https://wiki.samba.org/index.php/Ldapsam_Editposix won't work when you get up to "net sam provision". When you turn up debugging from net you get:

Failed to add dn: cn=domusers,ou=group,dc=victimsofgaybullying,dc=com, error: 65 (Object class violation) (no structural object class provided)

See the source: https://github.com/samba-team/samba/blob/master/source3/utils/net_sam.c

The rfc2307bis is a gentoo distributed file that is dated 2014?? https://gitweb.gentoo.org/repo/gentoo.git/tree/net-nds/openldap/openldap-2.4.45.ebuild?id=d8579d0f043e8eefe774b8aec6a21316e0a6c527

Here's how I fixed it with ldapmodify:

dn: cn={6}rfc2307bis,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {2} ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY DESC 'Abstraction of a group of accounts' MUST gidNumber MAY ( userPassword $ memberUid $ description ) )

dn: cn={6}rfc2307bis,cn=schema,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )

The RFC for 2307 says this: https://www.ietf.org/rfc/rfc2307.txt

( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
It looks like this bug has to be redirected away from LDAP to the samba team.... from #openldap:

<hojuruku> lwlvl, here's my gentoo bug, you have a schema problem at a guess something is AUX when your app expects it to not be (error #65)
<hojuruku> https://bugs.gentoo.org/show_bug.cgi?id=624036 lwlvl that should help you a lot
<BtbN> weird, the sn is clearly there
<hojuruku> BtbN, I'm using SSHA512, the pw-sha2 / pw-pbdf password modules are ok?
<BtbN> not for me
<BtbN> They probably still "work", as openldap itself happens to be linked against the same libs. But it's pure luck
<hojuruku> yay I just tested ppolicy lockout policy and it's working :) but the ppolicy.schema hides the attributes from all users including the Root DN with the NO USER option in the schema.
<BtbN> hojuruku, also, with 2307bis, posixGroup being auxiliary is the whole point.
<BtbN> so you can have a groupOfNames with a gid
<hojuruku> hyc, BtbN olcPasswordHash with MORE than one option doesn't take one password in cleartext and make 3 hashes. It makes the LAST hash in the list only i noticed.
<BtbN> I'm using that exact schema and it works great
<hojuruku> so i've broken groupOfNames?
<BtbN> groupOfNames is structural, and 2307bis makes posixGroup auxiliary, so you can add it there
<hojuruku> i thought structural was just a check like this, one object class has to be structural to make a new object.
<BtbN> an object can only have one chain of structural classes
<hojuruku> BtbN, yeah but samba only does that if you say you are running IPA
<hojuruku> maybe it's a samba bug after all
<BtbN> so if you are using rfc2307bis instead of nis, that's what I'd expect
<BtbN> the rfc you linked also shows the posixGroup class as auxiliary (TRUE)
<hojuruku> samba only uses groupofNames and some other stuff if you use a different name for your password-db connector that isn't documented in the manuals - the ipa flavor.
<BtbN> The whole 2307bis thing is kinda deprecated, but due to lack of alternatives still exists
<BtbN> samba seems to assume the non-bis schema
<BtbN> Not a bug anywhere, you are just using an incompatible schema for samba
<hojuruku> https://github.com/samba-team/samba/blob/master/source3/utils/net_sam.c - it's using groupofNames only for IPA server in Samba

They need to document their ipa connector and make it rfc2307bis compatible as well.
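The object class check behind the "error: 65 (Object class violation) (no structural object class provided)" in the report above, and BtbN's point that an object can only have one chain of structural classes, as an added example that is not code from this bug, from OpenLDAP or from Samba. It is a small Python model of the RFC 4512 rules slapd applies on add: it parses the posixGroup definitions quoted on this page (nis.schema STRUCTURAL and the Gentoo rfc2307bis AUXILIARY form) plus the standard top and groupOfNames definitions, then checks a constructed cn=domusers entry against each schema. The entry contents, the function names and the message strings (chosen to mirror slapd's wording) are assumptions; nothing here talks to a directory.

```python
import re
from dataclasses import dataclass

# Object class definitions. The two posixGroup variants are the ones quoted in
# this bug; top and groupOfNames are the standard RFC 4512 / RFC 4519 text.
TOP = "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )"
GROUP_OF_NAMES = ("( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) "
                  "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")
POSIXGROUP_NIS = ("( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL "
                  "DESC 'Abstraction of a group of accounts' "
                  "MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )")
POSIXGROUP_BIS = ("( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY "
                  "DESC 'Abstraction of a group of accounts' "
                  "MUST gidNumber MAY ( userPassword $ memberUid $ description ) )")


@dataclass
class ObjectClass:
    oid: str
    name: str
    kind: str    # ABSTRACT, STRUCTURAL or AUXILIARY
    sup: list    # names of direct superclasses
    must: list
    may: list


_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")


def parse_objectclass(defn):
    """Parse an RFC 4512 ObjectClassDescription (the subset these schemas use)."""
    toks = _TOKEN.findall(defn)
    if toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be parenthesised")
    toks = toks[1:-1]
    oid, i = toks[0], 1
    name, kind, sup, must, may = None, "STRUCTURAL", [], [], []  # STRUCTURAL is the RFC default

    def read_oids():
        # either a single item or a "( a $ b $ c )" list
        nonlocal i
        if toks[i] != "(":
            i += 1
            return [toks[i - 1].strip("'")]
        i += 1
        items = []
        while toks[i] != ")":
            if toks[i] != "$":
                items.append(toks[i].strip("'"))
            i += 1
        i += 1
        return items

    while i < len(toks):
        kw = toks[i]
        i += 1
        if kw == "NAME":
            name = read_oids()[0]
        elif kw == "DESC":
            i += 1  # quoted description, not needed for the check
        elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            kind = kw
        elif kw == "SUP":
            sup = read_oids()
        elif kw == "MUST":
            must = read_oids()
        elif kw == "MAY":
            may = read_oids()
        else:
            raise ValueError(f"unsupported keyword {kw!r}")
    return ObjectClass(oid, name, kind, sup, must, may)


def build_schema(*definitions):
    return {oc.name: oc for oc in map(parse_objectclass, definitions)}


def superclass_chain(schema, oc):
    """Names of oc and everything it inherits from, up to top."""
    chain, todo = set(), [oc.name]
    while todo:
        cur = schema[todo.pop()]
        chain.add(cur.name)
        todo.extend(cur.sup)
    return chain


def check_entry(schema, entry):
    """Return the violations slapd would report; an empty list means the add succeeds.

    The two rules that matter for this bug: the entry needs at least one STRUCTURAL
    class, and all of its STRUCTURAL classes must lie on a single inheritance chain.
    """
    problems, classes = [], []
    for cname in entry["objectClass"]:
        if cname in schema:
            classes.append(schema[cname])
        else:
            problems.append(f"unknown object class '{cname}'")

    structural = [oc for oc in classes if oc.kind == "STRUCTURAL"]
    if not structural:
        problems.append("no structural object class provided")
    else:
        # the most derived structural class must be a subclass of every other one
        leaf = max(structural, key=lambda oc: len(superclass_chain(schema, oc)))
        leaf_chain = superclass_chain(schema, leaf)
        for oc in structural:
            if oc.name not in leaf_chain:
                problems.append(f"invalid structural object class chain ({leaf.name}/{oc.name})")

    present = {attr.lower() for attr in entry}
    for oc in classes:
        for attr in oc.must:
            if attr.lower() not in present:
                problems.append(f"object class '{oc.name}' requires attribute '{attr}'")
    return problems


NIS_SCHEMA = build_schema(TOP, GROUP_OF_NAMES, POSIXGROUP_NIS)
BIS_SCHEMA = build_schema(TOP, GROUP_OF_NAMES, POSIXGROUP_BIS)

# Constructed entries: the posixGroup-only shape "net sam provision" adds, and the
# groupOfNames + posixGroup shape that rfc2307bis is designed for.
DOMUSERS_PLAIN = {"objectClass": ["posixGroup"], "cn": ["domusers"], "gidNumber": ["513"]}
DOMUSERS_GON = {"objectClass": ["groupOfNames", "posixGroup"], "cn": ["domusers"],
                "gidNumber": ["513"], "member": ["uid=alice,ou=people,dc=example,dc=com"]}

if __name__ == "__main__":
    for label, schema in (("nis.schema", NIS_SCHEMA), ("rfc2307bis", BIS_SCHEMA)):
        for ename, entry in (("posixGroup only", DOMUSERS_PLAIN),
                             ("groupOfNames+posixGroup", DOMUSERS_GON)):
            print(f"{label:11} {ename:24} -> {check_entry(schema, entry) or 'ok'}")
```

Running it shows the two schemas failing in opposite directions: the posixGroup-only entry is rejected under rfc2307bis with the message from the bug, while the groupOfNames+posixGroup entry is rejected under nis.schema because two unrelated STRUCTURAL classes cannot share one entry. That is why the ldapmodify hack in the report repairs Samba and breaks groupOfNames at the same time.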
P.S. I've run away from using rfc2307bis, going back to nis.schema. Thought I'd be able to use the groupOfNames feature with padl.com pam/nss, but it was just too much suffering. My hack broke groupOfNames.

You can bounce this to samba, to make samba check the subschema for rfc2307bis or allow it to be configured in smb.conf. Previously such support for rfc2307bis used to exist: https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sbewinbindex
Thanks for bouncing it on. If you see the samba source, Red Hat IPA already has support for groupOfNames, and the samba ldap passdb plugin has also been given an alias to behave differently when connecting to Red Hat IPA (which has groupOfNames support, unlike the standard samba3 module). Extending the ldap passdb functionality so samba can support the rfc2307bis schema could be done in the same way it was done for IPA, or samba could read the subschema. I wash my hands of this matter. My site is too small to care about this feature in any great way now.