Difference between revisions of "Samba4 Development"

From SME Server
Jump to navigationJump to search
 
(90 intermediate revisions by 3 users not shown)
Line 6: Line 6:
 
This wiki page will be used to track the integration effort of Samba 4 into SME 9+
 
This wiki page will be used to track the integration effort of Samba 4 into SME 9+
  
{{Note_box|msg=At this point, I'm just going to randomly ramble on this wiki page as I work on Samba 4.  Once I get some workable pieces, I'll go back and format this page so that it makes more sense. - [[User:Gzartman|Gzartman]]}}
+
Lead developer: [[User:Gzartman|Gzartman]]
  
=Samba 4 Packages=
+
=Overview and Objectives=
  
Upstream Centos 6 & 7 do not provide support for the full version of Samba 4.  Packages available in the upstream repos are a crippled version of Samba 4, with many of the features associates with Active Directory disabledThe reason for this is detailed [https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/ here]. A solution to provide Samba 4 active directory does not look to be forthcoming by viewing Samba status in the Fedora project.
+
The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and easy integration, as is done on many of the other sub-systems on SME Server.  Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options.  Our approach for Samba 4 is to stream line implementation to provide a straight forward and simple set of UI parameters for the administrator to deploy Active Directory in a configuration that will work in most deploymentsSupport for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primary from the console.   The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the Core SME Server deployment of Active Directory will remain focused on simplicity.  
  
To further development of support for Samba 4 on the Koozali SME Server, Samba 4 packages from Sernet were selected.  These packages will not immediately install cleaning on SME 9 due to the customization of Centos associated with SME 9, so the Sernet packages where re-built for SME 9. Details of this rebuild along with a link to the rebuilt packages are located in [[bugzilla:8075]]
+
Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory, therefore this development effort is quite far reaching.
  
After rebuilding, these packages do install cleanly but the services will not start using the init.d scripts provided with the packaged due to changes made during the re-build of the packages for SME 9.  A Daemontools run script will need to be developed to start the Samba 4 service.
+
Samba 4 on SME Server is targeted for Koozali SME Server 10
  
=General Development Notes=
+
=Current Status=
==Template Fragments==
 
  
===/etc/smb.conf===
+
'''Current Release:'''  Alpha 7
Complete rewrite of all template fragments
 
  
====smb.conf Considerations====
+
Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here:  [http://www.leiengineering.com/repository/smeserver/Packages/Samba4_Alpha7/ SME Server Samba 4 Packages]
  
The smb.conf configuration file can be simplified significantly for Samba 4. Of specific interest are the following new parameters:
+
These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server includes many other sub-systems, inclusion of the Samba 4 code is not being including in current development streams until the code is closer to release so as not to hold up other development activities.   However, this code is available in CVS.
 +
<br>
  
 +
=Samba 4 Packages=
  
'''Server Services:''' This parameter is not very well documented, but from what I could find thefollow services can be provided by the Samba daemon: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, ntp_signd, kcc, dnsupdate, dns, smb, nmb, winbindThe default for this parameter is: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns. Services can be added/remove from the default by a +/- and the service to add/remove. Example
+
Upstream Centos 6 and 7 do not provide Samba 4 packages with full Active Directory support.  This is because Samba 4 Kerberos is based upon Heimdal Kerberos whereas the upstream vendor uses MIT Kerberos.  Heimdal Kerberos and MIT Kerberos are not compatible with one another and so the upstream vendor has decided to disable Kerberos support in Samba until such time as Samba supports MIT KerberosDetails can be found here  https://wiki.samba.org/index.php/MIT_Build
server services = -s3fs (remove) +smb (add).  Note that the smb, nmb, and windbind services are services equivalent to the older, Samba 3, type services (stand alone daemons). Of specific interest to SME 9 may be the use of the nmb service for WINS support. As we begin testing we may need to enable this service and possibly smb for simple share access.
+
and here https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
  
'''Server Role:''' Samba 4 currently only supports the active directory domain controller server roleFor now, we'll force Samba config into DC server role, but provide a fragment for expansion later.  There is a long explanation behind this, but for now, restriction doesn't hurt us.  SME as a DC will provide auth for both domain membership and simple shares by either joining the domain or logging into the server every time.
+
To provide Active Directory support, the Koozali devteam has decided to fork the upstream Samba 4 package and re-compile with Heimdal Kerberos support on Koozali SME Server 10. Details of this rebuild are located in [[bugzilla:9751]].  Support for Active Directory on SME 9 can be provided by Sernet Samba 4.2 packages, which are the last set of open source Sernet packagesHowever, the devteam is currently focusing development effort on SME 10.
  
===/etc/raddb/radius.conf===
+
=Installation=
Need to check and/or modify the following existing fragments:
 
  
etc/raddb/radiusd.conf/25modules30smbpasswd:    #  An example configuration for using /etc/samba/smbpasswd.
+
RPMs for this release can be found here[https://www.leiengineering.com/repository/smeserver/Packages/Samba4_Alpha7/ SME Server Samba 4 Packages]
etc/raddb/radiusd.conf/25modules30smbpasswd:}  passwd smbpasswd \{
 
  etc/raddb/radiusd.conf/25modules30smbpasswd:           filename = /etc/samba/smbpasswd
 
etc/raddb/radiusd.conf/25modules25mschap:              #  reading from /etc/smbpasswd.
 
etc/raddb/radiusd.conf/25modules25mschap:              #  If you are using /etc/smbpasswd, see the 'passwd'
 
etc/raddb/radiusd.conf/25modules25mschap:              #  module for an example of how to use /etc/smbpasswd
 
etc/raddb/radiusd.conf/65authorization40default:        #  If you are using /etc/smbpasswd, and are also doing
 
etc/raddb/radiusd.conf/65authorization40default:        #  configure the 'smbpasswd' module, above.
 
etc/raddb/radiusd.conf/65authorization40default:        ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
 
  
===/etc/krb5.conf===
+
Install Instructions:
Create based new template fragments for this configuration file
 
  
==Configuration Database Parameters==
+
# Download all rpms to a fresh SME 9.1 install. 
 +
# yum localinstall *.rpm
 +
# signal-event post-upgrade; signal-event reboot
 +
# Once the server comes back up, provision the domain with:  signal-event provision-domain-controller admin_password
  
'''SMBD''' : Delete
+
Note: The password utilities in the server-manager are not yet working.  We will be working to include SSSD in the next alpha and then all password utilities and functions will work as expected.
  
'''NMBD''' : Delete
+
=Change Log / Release Notes=
 +
==Alpha 7==
 +
* Implementation of Samba 4 on SME 10.
 +
* Drop bootstrap-console patch for e-smith-base for provisioning samba 4 from the console.  We'll add this back in later
  
'''SMB''' : In general, all of the template fragments will be redesigned to allow dbase parameters to override many Samba defaults. Specific parameters that need to be defined or modified are as follows:
+
==Alpha 6==
 +
* Final alpha on SME 9.  Going forward, this code will be moved to the SME 10 alpha release for ongoing development and testing
 +
* Change the way we are naming alpha package versions because it is becoming difficult to apply alpha level changes with patch files.  Each alpha release will have its own source archive.  Source archive (.tar.xz) file version numbers will track with the alpha release number.
 +
* Rewrite server-manager user accounts panel for AD integration, except for the Reset Password link.  We won't be able to update this function until we deploy SSSD, which will come in the next release
 +
* Move smb.conf and AD schema extension fragments to /etc/samba
 +
* Extend AD schema to include the attributes: lockable, removable, and emailForward
 +
* Change the koozliUser objectClass to smeExtended for extended schema attributes
 +
* Get rid of the user-create-AD action because we don't have enough control over the user create process in a server-manager panel using an action.  Instead, we added the esmith::util::createADUser() function that sets up a basic Active Directory user.  This function is somewhat analogous to the useradd utility
 +
* Drop "Legacy Mode," which was part of the user-create-AD action
 +
* Replace user-create event with user-initialize
 +
* Add user-create-profiledir and user-create-home actions as part of the user-intialize event, since the useradd utility used to do this
 +
* Update user-modify, user-delete, user-lock events for AD integration
 +
* Create user-AD-enable and user-AD-disable actions
 +
* Extensive clean-up of smb.conf fragments now that we have a working Samba 4 deployment, including default configuration dbase parameters.  This clean-up and enhancement results in a very clean smb.conf file
 +
* Update qmail and .qmail template fragments and configuration to pull user data from the Active Directory.   Spam and filtering fragments have been excluded because we have not yet decided how to handle these configuration in the Active Directory
 +
* Further enhancement and refinement to esmith::AD
  
*'''''Remove from current default'''''
+
==Alpha 5==
**''UnixCharSet'': Delete
+
* Extend Active Directory schema to include quota and smeCustom attributes via the koozaliUser objectClass
 +
* Remove adjust-samba event and use services2adjust
 +
* Add Group-create-AD action
 +
* Design changes to provision-domain-controller and bootstrap-provision-dc events to provision samba entirely cold using ldif
 +
* Add pseudonym support to esmith::AD
 +
* Further enhancement to esmith::AD to provide user & group management functionality similar to that provided by AccountsDB
 +
* Re-write createlinks to flow a more logical sequence
 +
* Fix dnsforwarder in smb.conf
 +
* Fix several esmith::AD::User and esmith::AD::Group methods broken in 0.1-0-3 when we added runtime binding
  
*'''''Default'''''
+
==Alpha 4==
**''Workgroup'': Defaulted to sme-server
+
* Add dnscache and tinydns config per bug [SME: 9711]
**''ServerString'': Defaulted to SME Server
+
* Add iptables preroute rule for DNS per bug [SME: 9711]
**''ServerRole'':  Redefine with the following:
+
* Fix issues with domain admins assignment during provisioning
***SA: Stand Alone Server Mode
+
* Nearly full re-write of user-create-AD action to utilize esmith::AD class
***BD: Backup Domain Controller/Member
+
* Add Legacy Mode to user-create-AD action to allow this action to work with AccountsDB
***DC:  Domain Controller (Current default. See server role explanation)
+
* Add user-create-AD to user-create event
**''OpLocks'': Defaulted to enabled
+
* Add user-AD-disable action to disable AD user
**''KernelOplocks'':  Add and default to enabled
+
* Continued development and enhancement to esmith::AD including POD documentation
**''Level2Oplocks'':  Add and default to enabled
+
* Continued development and enhancement to esmith::AD::User including POD documentation
**''AllowDNSUpdates'': nonsecure
+
* Add esmith::AD::OU to manage Organizational Units in the Active Directory
**''DNSForwarder'': New parameter that could be defined to forward DNS requests from the Samba DNS to another DNS.
+
* Fix realm definition in provision action
  
*'''''Others (optional)''''': These parameters are meant to take smb.conf inputs as defined the man pages.  Defaults for these parameters are the same as the corresponding defaults in the smb.conf man page.  Template fragments feed these parameters into the smb.conf file with minimal syntax checking, as it is assumed those who manually input them know what they are doing.
+
==Alpha 3==
**''NameResolveOrder'':  The order in which name resolution will take place by the Samba daemon. 
+
* Reconfigure provision event to account for default Samba complex password policy
**''ServerServices'':  See the server services discussion detailed under smb.conf section
+
* Abstract core LDAP queries in esmith::AD using runtime binding
**''SMBPorts'':
 
**''SocketOptions'':
 
**''WideLinks'':
 
**''GuestAccount'':
 
**''GuestOK'': y/n
 
**''LogonDrive'': Drive letter to be used to the login drive when users login to a domain
 
**''RoamingProfiles'':  y/n
 
**''LogonPath'':
 
**''BindInterfacesOnly'':  y/n
 
**''CaseSensitive'': y/n
 
**''MaxLogSize'': Samba log size in kilobytes.  Default set to 50.
 
  
'''KRB5''' : Create new configuration dbase entry for Kerberos service in Samba
+
==Alpha 2==
*''default_realm'':  This parameter is built into a template fragment, but we will not define it at default. The template fragment will build the default realm by concatenating the SystemName and DomainName reordered elsewhere in the configuration dbase.
+
* Set requires to e-smith-base-5.6.0-30+ [SME:8668]
*''dns_lookup_realm'' = false;
+
* Set requires for e-smith-LPRng-2.5.0+ [SME:8632]
*''dns_lookup_kdc'' = true;
 
  
==Services to Modify==
+
==Alpha 1==
 +
* Roll new smeserver alpha package for Samba4 [SME:8075]
 +
<br>
  
'''smbd''' : Remove
+
=Bugzilla references=
* Remove /var/service/smbd
 
* Remove /services/smbd
 
* Remove /etc/rc.d/init.d/supervise/smb
 
* REmove /etc/rc.d/rc7.d/S91smb
 
* Remove /etc/rc.d/init.d/smbd
 
  
'''nmbd''' : Remove
+
'''[[bugzilla:4667]]''' <br>
* Remove /var/service/smbd
+
'''[[bugzilla:8075]]''' Adding Samba 4<br>
* Remove /services/smbd
+
'''[[bugzilla:8632]]''' Remove smb.conf template fragments from e-smith-LPRng-2.4.0-1<br>
* Remove /etc/rc.d/init.d/smbd
+
'''[[bugzilla:8638]]''' Modify e-smith-dnscache for Samba 4 support<br>
+
'''[[bugzilla:8660]]''' User account authentication with Active Directory and AccountsDB<br>
'''smb''': Create  (Note: I would have liked to have called this "Samba," but that would have meant changing alot of existing code that looks for "smb"
+
'''[[bugzilla:8663]]''' Proftpd and active directory authentication (Samba 4)<br>
* Create /var/service/smb, using smbd as a template.  Samba 4 should be started with /usr/sbin/samba -D
+
'''[[bugzilla:8665]]''' esmith::AD perl module for interacting with Active Directory<br>
* Create symlink /service/smb -> /var/service/smb
+
'''[[bugzilla:8668]]''' Get rid of PPTP when we upgrade to Samba 4<br>
* Create symlink /etc/rc.d/init.d/smb -> /etc/rc.d/init.d/daemontools
+
'''[[bugzilla:8670]]''' Qmail updates for Samba 4<br>
* Create symlink /etc/rc.d/rc7.d/S91smb -> /etc/rc.d/init.d/e-smith-service
+
'''[[bugzilla:8674]]''' Remove smbpasswd and WINS pieces for Samba 4<br>
 +
'''[[bugzilla:8675]]''' e-smith-LDAP + Samba 4<br>
 +
'''[[bugzilla:8687]]''' Add SSSD daemon for Samba 4 local authentication<br>
 +
'''[[bugzilla:8703]]''' Samba 4: Home directory<br>
 +
'''[[bugzilla:9651]]''' Remove Samba Parts from esmith::Util for Samba 4 <br>
 +
'''[[bugzilla:9653]]''' Pseudonyms handling with Active Directory<br>
 +
'''[[bugzilla:9662]]''' System Initialization and Re-Configuration with Active Directory<br>
 +
'''[[bugzilla:9700]]''' Consider removing /sbin/e-smith/samba_check_password <br>
 +
'''[[bugzilla:9708]]''' Evaluate registry fragments in server-resources for Samba 4<br>
 +
'''[[bugzilla:9711]]''' Include dnscache and tinydns config in smeserver-samba for Samba 4 DNS queries<br>
 +
'''[[bugzilla:9712]]''' Reconfigure shadowcopy for Samba 4<br>
 +
'''[[bugzilla:9713]]''' Reconfigure recycle bin for Samba 4<br>
 +
'''[[bugzilla:9715]]''' Modify e-smith-dnscache to allow connections from entire loopback network<br>
 +
'''[[bugzilla:9755]]''' Re-Write Users Panel for AD integration<br>
 +
'''[[bugzilla:9799]]''' Update esmith::util::chown for Samba users<br>
 +
'''[[bugzilla:9800]]''' Update e-smith-quota to process quotas for active directory users<br>
 +
'''[[bugzilla:9802]]''' Modify user events/actions and server-manager panel<br>
 +
'''[[bugzilla:9804]]''' Update password functions in esmith::util for Samba 4<br>
 +
'''[[bugzilla:9806]]''' e-smith-openssh modifications for Samba 4<br>
 +
'''[[bugzilla:9807]]''' smeserver-qpsmtpd changes for Samba 4<br>
 +
<br>
  
==DNS==
+
=Active Directory Schema=
 
+
Following is a direct dump of the active directory from a freshly provisioned SME Server domain. The DNS/Kerberos domain is domain.com, the hostname is virgin, and the windows domain is sme-server.  The ipaddress for this test machine is 192.168.0.67These data is quite long, but I found it very useful; as it is extremely difficult to find these attributes in any documentation about Samba 4 and ADDC:
Samba 4 includes an builtin DNS server that is required for proper operation of active directory. This internal DNS server is for AD functions only and does not provide caching DNS functions.  
 
 
 
SME Server 9.0 includes a caching DNS (djb dnscache) that listens for DNS requests on the LAN IP address and the localhost.  This caching DNS then routes DNS requests for domains defined in the server-manager to tinyDNS and other requests to a resolving dns cache (djb dnscache.forwarder).   
 
 
 
One approach for DNS architecture with Samba 4 would have samba 4 primary dns requests to LAN clients, forwarding to the dnscache.forwarder service. The primary dnscache instance and tinydns would then be obsoleted.
 
 
 
==LDAP==
 
 
 
Need to look at the LDAP authentication backend and mechanism on SMEOn the surface, it looks like all of the Samba related LDAP code will be dropped and much of the standard authentication code will need to be converted to Active Directory auth.  This task should include looking at openldap-proxy.
 
 
 
==Local and Samba Authenticaion==
 
#'''Local Authentication''':  Samba 4 provides support for local authentication through PAM.  This will need to be looked and and sorted out, especially as it relates to the previous LDAP authentication work.
 
#'''Updates to esmith::util perl module''':  This perl module contains function for setting and modifying user passwords.  We will need to redesign these functions to integrate with AD.  Specific changes:
 
#*''setSambaPassword function'':  This function needs to be completely re-written to set the Active directory password instead of the old samba password in smbpasswd
 
#*''cancelSambaPassword function'':  Needs to be re-written for active directory instead of old smbpasswd file
 
#*''local password functions'':  We need to look at these once we decide how we are going to handle local authentication on SME with Active directory.
 
#*''ldapPassword function'': Need to look at this and likely deprecate it, as we will likely set active directory passwords differently.
 
  
==Other Development Tasks to Research and Complete==
+
[http://wiki.contribs.org/SAMBA_4_Active_Directory_Schema Samba 4 Active Directory Schema]
#'''Domain Server-Manager Panel''': A new Domain server-manager panel should be developed and the workgroup panel removed. Further discussion will need to take place to determine what needs to go into this new panel.  This panel will likely be fairly simple, as much of the configuration parameters associated Samba Active directory will be incorporated into template fragments and database entries.
 
#'''User/Group Server-Manager Panels''':  These panels will need to be looked at as they relate to template fragments, adjusting services, and updating database entries associated with Samba.
 
#'''Ibay Server-Manager Panel''':  This panel will need to be looked at as it relates to template fragments, adjusting services, and updating database entries associated with Samba.
 
#'''Events/Actions'''':  Existing events and actions related to samba will need to be reviewed and updated accordingly.  A new event/action may need to be developed to provision a new Active Directory Domain using the Samba-Tool utility.
 
#'''e-smith-samba''':  This package needs to be updated with development pieces detailed in this wiki page, for wider testing and development assistance.
 
  
=Status=
+
=[http://wiki.contribs.org/SAMBA_4_-_Misc_Development_Topics Misc Development Topics]=
  
{| class="wikitable"
 
|-
 
|#
 
! Task !! Status
 
|-
 
|1.
 
| Sernet Samba 4 package rebuild || style="text-align:center;" | <span style="color:green">'''DONE'''</span>
 
|-
 
|2.
 
| Create daemontools service for Samba 4 || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|3.
 
| Re-Write smb.conf template fragments || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|4.
 
| Create Kerberos template fragments || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|5.
 
| Add/Modify SMB database entries || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|6.
 
| Create krb5 configuration dbase key || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|7.
 
| Re-configure init.d start-up/shutdown scripts || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|8.
 
| Configure Samba DNS Service || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|9.
 
| Configure DNS Cache Resolver || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|10.
 
| Create Active Directory Provision/Re-Provision SME Event || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|11.
 
| Add Active Directory Provisioning to Bootstrap-Console || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
 
|-
 
|12.
 
| Reconfigure SME User Authentication for Active Directory|| style="text-align:center;" |<span style="color:orange">'''UNDERWAY'''</span>
 
|}
 
  
 
=References=
 
=References=
Line 190: Line 151:
 
# http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
 
# http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
  
=Active Directory Schema=
 
Following is a direct dump of the active directory schema from a freshly provisioned SME Server domain.  The DNS/Kerberos domain is domain.com, the hostname is virgin, and the windows domain is sme-server.  The ipaddress for this test machine is 192.168.0.67.  These data is quite long, but I found it very useful; as it is extremely difficult to find these attributes in any documentation about Samba 4 and ADDC:
 
 
# record 1
 
dn: CN=IIS_IUSRS,CN=Builtin,DC=domain,DC=com
 
 
# record 2
 
dn: CN=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 3
 
dn: CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 4
 
dn: CN=10b3ad2a-6883-4fa7-90fc-6377cbdc1b26,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 5
 
dn: CN=byaddr,CN=ethers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 6
 
dn: CN=bynumber,CN=rpc,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 7
 
dn: CN=a3dac986-80e7-4e59-a059-54cb1ab43cb9,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 8
 
dn: CN=f58300d1-b71a-4DB6-88a1-a8b9538beaca,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 9
 
dn: CN=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 10
 
dn: CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 11
 
dn: CN=d85c0bfd-094f-4cad-a2b5-82ac9268475d,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 12
 
dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=domain,DC=com
 
 
# record 13
 
dn: CN=2416c60a-fe15-4d7a-a61e-dffd5df864d3,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 14
 
dn: CN=6ada9ff7-c9df-45c1-908e-9fef2fab008a,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 15
 
dn: CN=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 16
 
dn: CN=byuser,CN=netgroup,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 17
 
dn: CN=byname,CN=networks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 18
 
dn: CN=Domain Controllers,CN=Users,DC=domain,DC=com
 
 
# record 19
 
dn: CN=bygid,CN=group,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 20
 
dn: CN=Meetings,CN=System,DC=domain,DC=com
 
 
# record 21
 
dn: CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 22
 
dn: CN=f607fd87-80cf-45e2-890b-6cf97ec0e284,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 23
 
dn: CN=FileLinks,CN=System,DC=domain,DC=com
 
 
# record 24
 
dn: CN=Schema Admins,CN=Users,DC=domain,DC=com
 
 
# record 25
 
dn: CN=Cert Publishers,CN=Users,DC=domain,DC=com
 
 
# record 26
 
dn: CN=byuid,CN=passwd,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 27
 
dn: CN=Account Operators,CN=Builtin,DC=domain,DC=com
 
 
# record 28
 
dn: CN=Cryptographic Operators,CN=Builtin,DC=domain,DC=com
 
 
# record 29
 
dn: CN=Print Operators,CN=Builtin,DC=domain,DC=com
 
 
# record 30
 
dn: CN=Replicator,CN=Builtin,DC=domain,DC=com
 
 
# record 31
 
dn: CN=6E157EDF-4E72-4052-A82A-EC3F91021A22,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 32
 
dn: CN=passwd,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 33
 
dn: CN=Terminal Server License Servers,CN=Builtin,DC=domain,DC=com
 
 
# record 34
 
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 35
 
dn: CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 36
 
dn: CN=Performance Monitor Users,CN=Builtin,DC=domain,DC=com
 
 
# record 37
 
dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=domain,DC=com
 
 
# record 38
 
dn: CN=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 39
 
dn: CN=ComPartitions,CN=System,DC=domain,DC=com
 
 
# record 40
 
dn: CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 41
 
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=domain,DC=com
 
 
# record 42
 
dn: CN=group,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 43
 
dn: CN=hosts,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 44
 
dn: CN=2951353e-d102-4ea5-906c-54247eeec741,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 45
 
dn: CN=6bcd5689-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 46
 
dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 47
 
dn: CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 48
 
dn: CN=5c82b233-75fc-41b3-ac71-c69592e6bf15,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 49
 
dn: CN=Read-only Domain Controllers,CN=Users,DC=domain,DC=com
 
 
# record 50
 
dn: CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 51
 
dn: CN=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 52
 
dn: CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 53
 
dn: CN=6bcd5680-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 54
 
dn: CN=byname,CN=ethers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 55
 
dn: CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 56
 
dn: CN=6bcd568c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 57
 
dn: CN=6bcd5685-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 58
 
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 59
 
dn: CN=WMIPolicy,CN=System,DC=domain,DC=com
 
 
# record 60
 
dn: CN=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 61
 
dn: CN=RID Manager$,CN=System,DC=domain,DC=com
 
 
# record 62
 
dn: CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 63
 
dn: CN=Password Settings Container,CN=System,DC=domain,DC=com
 
 
# record 64
 
dn: CN=Default Domain Policy,CN=System,DC=domain,DC=com
 
 
# record 65
 
dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=domain,DC=com
 
 
# record 66
 
dn: CN=byaddr,CN=netmasks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 67
 
dn: CN=6bcd568d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 68
 
dn: CN=6bcd567d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 69
 
dn: CN=NTDS Quotas,DC=domain,DC=com
 
 
# record 70
 
dn: CN=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 71
 
dn: CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 72
 
dn: CN=Distributed COM Users,CN=Builtin,DC=domain,DC=com
 
 
# record 73
 
dn: CN=293f0798-ea5c-4455-9f5d-45f33a30703b,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 74
 
dn: CN=Domain Guests,CN=Users,DC=domain,DC=com
 
 
# record 75
 
dn: CN=6bcd567e-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 76
 
dn: CN=RAS and IAS Servers Access Check,CN=System,DC=domain,DC=com
 
 
# record 77
 
dn: CN=Dfs-Configuration,CN=System,DC=domain,DC=com
 
 
# record 78
 
dn: CN=RID Set,CN=VIRGIN,OU=Domain Controllers,DC=domain,DC=com
 
 
# record 79
 
dn: CN=Certificate Service DCOM Access,CN=Builtin,DC=domain,DC=com
 
 
# record 80
 
dn: CN=Builtin,DC=domain,DC=com
 
 
# record 81
 
dn: CN=byhost,CN=netgroup,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 82
 
dn: CN=Microsoft,CN=Program Data,DC=domain,DC=com
 
 
# record 83
 
dn: CN=bynumber,CN=protocols,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 84
 
dn: CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 85
 
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=domain,DC=com
 
 
# record 86
 
dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=domain,DC=com
 
 
# record 87
 
dn: CN=dda1d01d-4bd7-4c49-a184-46f9241b560e,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 88
 
dn: CN=System,DC=domain,DC=com
 
 
# record 89
 
dn: CN=sme-server,CN=networks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 90
 
dn: CN=71482d49-8870-4cb3-a438-b6fc9ec35d70,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 91
 
dn: CN=Backup Operators,CN=Builtin,DC=domain,DC=com
 
 
# record 92
 
dn: CN=8ca38317-13a4-4bd4-806f-ebed6acb5d0c,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 93
 
dn: CN=shadow,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 94
 
dn: CN=krbtgt,CN=Users,DC=domain,DC=com
 
 
# record 95
 
dn: CN=Domain Computers,CN=Users,DC=domain,DC=com
 
 
# record 96
 
dn: CN=Server,CN=System,DC=domain,DC=com
 
 
# record 97
 
dn: CN=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 98
 
dn: CN=Program Data,DC=domain,DC=com
 
 
# record 99
 
dn: CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com
 
 
# record 100
 
dn: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 101
 
dn: CN=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 102
 
dn: CN=aliases,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 103
 
dn: OU=Domain Controllers,DC=domain,DC=com
 
 
# record 104
 
dn: CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 105
 
dn: CN=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 106
 
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 107
 
dn: CN=Guests,CN=Builtin,DC=domain,DC=com
 
 
# record 108
 
dn: CN=ethers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 109
 
dn: CN=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 110
 
dn: CN=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 111
 
dn: CN=PolicyTemplate,CN=WMIPolicy,CN=System,DC=domain,DC=com
 
 
# record 112
 
dn: CN=61b34cb0-55ee-4be9-b595-97810b92b017,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 113
 
dn: CN=c88227bc-fcca-4b58-8d8a-cd3d64528a02,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 114
 
dn: CN=bab5f54d-06c8-48de-9b87-d78b796564e4,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 115
 
dn: CN=9738c400-7795-4d6e-b19d-c16cd6486166,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 116
 
dn: CN=byname,CN=protocols,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 117
 
dn: CN=admin,CN=Users,DC=domain,DC=com
 
 
# record 118
 
dn: CN=b96ed344-545a-4172-aa0c-68118202f125,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 119
 
dn: CN=byname,CN=hosts,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 120
 
dn: CN=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 121
 
dn: CN=bydefaults,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 122
 
dn: CN=ComPartitionSets,CN=System,DC=domain,DC=com
 
 
# record 123
 
dn: CN=File Replication Service,CN=System,DC=domain,DC=com
 
 
# record 124
 
dn: CN=sme-server,CN=rpc,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 125
 
dn: CN=51cba88b-99cf-4e16-bef2-c427b38d0767,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 126
 
dn: CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com
 
 
# record 127
 
dn: CN=4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 128
 
dn: CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 129
 
dn: CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 130
 
dn: CN=446f24ea-cfd5-4c52-8346-96e170bcb912,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 131
 
dn: CN=root,CN=Users,DC=domain,DC=com
 
 
# record 132
 
dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=domain,DC=com
 
 
# record 133
 
dn: CN=de10d491-909f-4fb0-9abb-4b7865c0fe80,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 134
 
dn: CN=4c93ad42-178a-4275-8600-16811d28f3aa,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 135
 
dn: CN=byname,CN=passwd,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 136
 
dn: CN=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 137
 
dn: CN=Infrastructure,DC=domain,DC=com
 
 
# record 138
 
dn: CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com
 
 
# record 139
 
dn: CN=6bcd5681-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 140
 
dn: CN=ForeignSecurityPrincipals,DC=domain,DC=com
 
 
# record 141
 
dn: CN=6bcd5686-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 142
 
dn: CN=aed72870-bf16-4788-8ac7-22299c8207f1,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 143
 
dn: CN=Users,CN=Builtin,DC=domain,DC=com
 
 
# record 144
 
dn: CN=netid,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 145
 
dn: CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=com
 
 
# record 146
 
dn: CN=Event Log Readers,CN=Builtin,DC=domain,DC=com
 
 
# record 147
 
dn: CN=byname,CN=services,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 148
 
dn: CN=Enterprise Admins,CN=Users,DC=domain,DC=com
 
 
# record 149
 
dn: CN=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 150
 
dn: CN=6bcd5682-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 151
 
dn: CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 152
 
dn: CN=6bcd5687-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 153
 
dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=domain,DC=com
 
 
# record 154
 
dn: CN=sme-server,CN=protocols,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 155
 
dn: CN=sme-server,CN=ethers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 156
 
dn: CN=services,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 157
 
dn: CN=9cac1f66-2167-47ad-a472-2a13251310e4,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 158
 
dn: CN=sme-server,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 159
 
dn: CN=byname,CN=netid,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 160
 
dn: DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 161
 
dn: CN=6bcd568a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 162
 
dn: CN=6bcd567a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 163
 
dn: CN=bydefaults,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 164
 
dn: DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 165
 
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=com
 
 
# record 166
 
dn: CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 167
 
dn: CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 168
 
dn: CN=sme-server,CN=group,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 169
 
dn: CN=sme-server,CN=hosts,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 170
 
dn: CN=6bcd5678-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 171
 
dn: CN=sme-server,CN=passwd,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 172
 
dn: CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 173
 
dn: CN=bydefaults,CN=shadow,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 174
 
dn: CN=netgroup,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 175
 
dn: DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 176
 
dn: CN=231fb90b-c92a-40c9-9379-bacfc313a3e3,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 177
 
dn: CN=PolicyType,CN=WMIPolicy,CN=System,DC=domain,DC=com
 
 
# record 178
 
dn: CN=sme-server,CN=services,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 179
 
dn: CN=7868d4c8-ac41-4e05-b401-776280e8e9f1,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 180
 
dn: DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 181
 
dn: CN=3051c66f-b332-4a73-9a20-2d6a7d6e6a1c,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 182
 
dn: CN=Incoming Forest Trust Builders,CN=Builtin,DC=domain,DC=com
 
 
# record 183
 
dn: CN=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 184
 
dn: CN=netmasks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 185
 
dn: CN=Users,DC=domain,DC=com
 
 
# record 186
 
dn: CN=byaddr,CN=mail,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 187
 
dn: CN=WinsockServices,CN=System,DC=domain,DC=com
 
 
# record 188
 
dn: DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 189
 
dn: CN=860c36ed-5241-4c62-a18b-cf6ff9994173,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 190
 
dn: CN=Guest,CN=Users,DC=domain,DC=com
 
 
# record 191
 
dn: CN=DnsUpdateProxy,CN=Users,DC=domain,DC=com
 
 
# record 192
 
dn: CN=sme-server,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 193
 
dn: DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 194
 
dn: CN=8437C3D8-7689-4200-BF38-79E4AC33DFA0,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 195
 
dn: CN=WMIGPO,CN=WMIPolicy,CN=System,DC=domain,DC=com
 
 
# record 196
 
dn: CN=AdminSDHolder,CN=System,DC=domain,DC=com
 
 
# record 197
 
dn: CN=bydefaults,CN=netgroup,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 198
 
dn: DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 199
 
dn: CN=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 200
 
dn: CN=RAS and IAS Servers,CN=Users,DC=domain,DC=com
 
 
# record 201
 
dn: CN=Computers,DC=domain,DC=com
 
 
# record 202
 
dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 203
 
dn: CN=VIRGIN,OU=Domain Controllers,DC=domain,DC=com
 
 
# record 204
 
dn: DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 205
 
dn: CN=rpc,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 206
 
dn: CN=DnsAdmins,CN=Users,DC=domain,DC=com
 
 
# record 207
 
dn: CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 208
 
dn: CN=Administrator,CN=Users,DC=domain,DC=com
 
 
# record 209
 
dn: DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 210
 
dn: CN=SOM,CN=WMIPolicy,CN=System,DC=domain,DC=com
 
 
# record 211
 
dn: CN=Network Configuration Operators,CN=Builtin,DC=domain,DC=com
 
 
# record 212
 
dn: DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 213
 
dn: CN=sme-server,CN=netmasks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 214
 
dn: CN=a1789bfb-e0a2-4739-8cc0-e77d892d080a,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 215
 
dn: CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com
 
 
# record 216
 
dn: DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 217
 
dn: CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 218
 
dn: CN=7ffef925-405b-440a-8d58-35e8cd6e98c3,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 219
 
dn: CN=LostAndFound,DC=domain,DC=com
 
 
# record 220
 
dn: CN=Server Operators,CN=Builtin,DC=domain,DC=com
 
 
# record 221
 
dn: CN=f7ed4553-d82b-49ef-a839-2f38a36bb069,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 222
 
dn: DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 223
 
dn: CN=7cfb016c-4f87-4406-8166-bd9df943947f,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 224
 
dn: CN=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 225
 
dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=domain,DC=com
 
 
# record 226
 
dn: CN=byaddr,CN=networks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 227
 
dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 228
 
dn: CN=sme-server,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 229
 
dn: DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=domain,DC=com
 
 
# record 230
 
dn: CN=sme-server,CN=shadow,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 231
 
dn: CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 232
 
dn: CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 233
 
dn: CN=6bcd5688-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 234
 
dn: CN=Domain Users,CN=Users,DC=domain,DC=com
 
 
# record 235
 
dn: DC=domain,DC=com
 
 
# record 236
 
dn: CN=98de1d3e-6611-443b-8b4e-f4337f1ded0b,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 237
 
dn: CN=protocols,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 238
 
dn: CN=3c784009-1f57-4e2a-9b04-6915c9e71961,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 239
 
dn: CN=User,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 240
 
dn: CN=Administrators,CN=Builtin,DC=domain,DC=com
 
 
# record 241
 
dn: CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 242
 
dn: CN=byname,CN=group,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 243
 
dn: CN=6bcd568b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 244
 
dn: CN=6bcd5684-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 245
 
dn: CN=6bcd567b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 246
 
dn: CN=Domain Admins,CN=Users,DC=domain,DC=com
 
 
# record 247
 
dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=domain,DC=com
 
 
# record 248
 
dn: CN=6bcd5679-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 249
 
dn: CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=com
 
 
# record 250
 
dn: CN=ebad865a-d649-416f-9922-456b53bbb5b8,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 251
 
dn: CN=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=domain,DC=com
 
 
# record 252
 
dn: CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 253
 
dn: CN=Performance Log Users,CN=Builtin,DC=domain,DC=com
 
 
# record 254
 
dn: CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com
 
 
# record 255
 
dn: CN=Windows Authorization Access Group,CN=Builtin,DC=domain,DC=com
 
 
# record 256
 
dn: CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 257
 
dn: CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 258
 
dn: CN=byaddr,CN=hosts,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 259
 
dn: CN=sme-server,CN=netid,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 260
 
dn: CN=networks,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# record 261
 
dn: CN=13d15cf0-e6c8-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 262
 
dn: CN=c4f17608-e611-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=domain,DC=com
 
 
# record 263
 
dn: CN=sme-server,CN=netgroup,CN=ypServ30,CN=RpcServices,CN=System,DC=domain,DC=com
 
 
# Referral
 
ref: ldap://domain.com/CN=Configuration,DC=domain,DC=com
 
 
# Referral
 
ref: ldap://domain.com/DC=DomainDnsZones,DC=domain,DC=com
 
 
# Referral
 
ref: ldap://domain.com/DC=ForestDnsZones,DC=domain,DC=com
 
 
# returned 266 records
 
# 263 entries
 
# 3 referrals
 
  
 
[[Category:Core Development]]
 
[[Category:Core Development]]

Latest revision as of 21:08, 3 October 2016

Sambalogo.png

Introduction

This wiki page will be used to track the integration effort of Samba 4 into SME 9+

Lead developer: Gzartman

Overview and Objectives

The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and easy integration, as is done on many of the other sub-systems on SME Server. Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options. Our approach for Samba 4 is to stream line implementation to provide a straight forward and simple set of UI parameters for the administrator to deploy Active Directory in a configuration that will work in most deployments. Support for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primary from the console. The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the Core SME Server deployment of Active Directory will remain focused on simplicity.

Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory, therefore this development effort is quite far reaching.

Samba 4 on SME Server is targeted for Koozali SME Server 10

Current Status

Current Release: Alpha 7

Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here: SME Server Samba 4 Packages

These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server includes many other sub-systems, inclusion of the Samba 4 code is not being including in current development streams until the code is closer to release so as not to hold up other development activities. However, this code is available in CVS.

Samba 4 Packages

Upstream Centos 6 and 7 do not provide Samba 4 packages with full Active Directory support. This is because Samba 4 Kerberos is based upon Heimdal Kerberos whereas the upstream vendor uses MIT Kerberos. Heimdal Kerberos and MIT Kerberos are not compatible with one another and so the upstream vendor has decided to disable Kerberos support in Samba until such time as Samba supports MIT Kerberos. Details can be found here https://wiki.samba.org/index.php/MIT_Build and here https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/

To provide Active Directory support, the Koozali devteam has decided to fork the upstream Samba 4 package and re-compile with Heimdal Kerberos support on Koozali SME Server 10. Details of this rebuild are located in bugzilla:9751. Support for Active Directory on SME 9 can be provided by Sernet Samba 4.2 packages, which are the last set of open source Sernet packages. However, the devteam is currently focusing development effort on SME 10.

Installation

RPMs for this release can be found here: SME Server Samba 4 Packages

Install Instructions:

  1. Download all rpms to a fresh SME 9.1 install.
  2. yum localinstall *.rpm
  3. signal-event post-upgrade; signal-event reboot
  4. Once the server comes back up, provision the domain with: signal-event provision-domain-controller admin_password

Note: The password utilities in the server-manager are not yet working. We will be working to include SSSD in the next alpha and then all password utilities and functions will work as expected.

Change Log / Release Notes

Alpha 7

  • Implementation of Samba 4 on SME 10.
  • Drop bootstrap-console patch for e-smith-base for provisioning samba 4 from the console. We'll add this back in later

Alpha 6

  • Final alpha on SME 9. Going forward, this code will be moved to the SME 10 alpha release for ongoing development and testing
  • Change the way we are naming alpha package versions because it is becoming difficult to apply alpha level changes with patch files. Each alpha release will have its own source archive. Source archive (.tar.xz) file version numbers will track with the alpha release number.
  • Rewrite server-manager user accounts panel for AD integration, except for the Reset Password link. We won't be able to update this function until we deploy SSSD, which will come in the next release
  • Move smb.conf and AD schema extension fragments to /etc/samba
  • Extend AD schema to include the attributes: lockable, removable, and emailForward
  • Change the koozliUser objectClass to smeExtended for extended schema attributes
  • Get rid of the user-create-AD action because we don't have enough control over the user create process in a server-manager panel using an action. Instead, we added the esmith::util::createADUser() function that sets up a basic Active Directory user. This function is somewhat analogous to the useradd utility
  • Drop "Legacy Mode," which was part of the user-create-AD action
  • Replace user-create event with user-initialize
  • Add user-create-profiledir and user-create-home actions as part of the user-intialize event, since the useradd utility used to do this
  • Update user-modify, user-delete, user-lock events for AD integration
  • Create user-AD-enable and user-AD-disable actions
  • Extensive clean-up of smb.conf fragments now that we have a working Samba 4 deployment, including default configuration dbase parameters. This clean-up and enhancement results in a very clean smb.conf file
  • Update qmail and .qmail template fragments and configuration to pull user data from the Active Directory. Spam and filtering fragments have been excluded because we have not yet decided how to handle these configuration in the Active Directory
  • Further enhancement and refinement to esmith::AD

Alpha 5

  • Extend Active Directory schema to include quota and smeCustom attributes via the koozaliUser objectClass
  • Remove adjust-samba event and use services2adjust
  • Add Group-create-AD action
  • Design changes to provision-domain-controller and bootstrap-provision-dc events to provision samba entirely cold using ldif
  • Add pseudonym support to esmith::AD
  • Further enhancement to esmith::AD to provide user & group management functionality similar to that provided by AccountsDB
  • Re-write createlinks to flow a more logical sequence
  • Fix dnsforwarder in smb.conf
  • Fix several esmith::AD::User and esmith::AD::Group methods broken in 0.1-0-3 when we added runtime binding

Alpha 4

  • Add dnscache and tinydns config per bug [SME: 9711]
  • Add iptables preroute rule for DNS per bug [SME: 9711]
  • Fix issues with domain admins assignment during provisioning
  • Nearly full re-write of user-create-AD action to utilize esmith::AD class
  • Add Legacy Mode to user-create-AD action to allow this action to work with AccountsDB
  • Add user-create-AD to user-create event
  • Add user-AD-disable action to disable AD user
  • Continued development and enhancement to esmith::AD including POD documentation
  • Continued development and enhancement to esmith::AD::User including POD documentation
  • Add esmith::AD::OU to manage Organizational Units in the Active Directory
  • Fix realm definition in provision action

Alpha 3

  • Reconfigure provision event to account for default Samba complex password policy
  • Abstract core LDAP queries in esmith::AD using runtime binding

Alpha 2

  • Set requires to e-smith-base-5.6.0-30+ [SME:8668]
  • Set requires for e-smith-LPRng-2.5.0+ [SME:8632]

Alpha 1

  • Roll new smeserver alpha package for Samba4 [SME:8075]


Bugzilla references

bugzilla:4667
bugzilla:8075 Adding Samba 4
bugzilla:8632 Remove smb.conf template fragments from e-smith-LPRng-2.4.0-1
bugzilla:8638 Modify e-smith-dnscache for Samba 4 support
bugzilla:8660 User account authentication with Active Directory and AccountsDB
bugzilla:8663 Proftpd and active directory authentication (Samba 4)
bugzilla:8665 esmith::AD perl module for interacting with Active Directory
bugzilla:8668 Get rid of PPTP when we upgrade to Samba 4
bugzilla:8670 Qmail updates for Samba 4
bugzilla:8674 Remove smbpasswd and WINS pieces for Samba 4
bugzilla:8675 e-smith-LDAP + Samba 4
bugzilla:8687 Add SSSD daemon for Samba 4 local authentication
bugzilla:8703 Samba 4: Home directory
bugzilla:9651 Remove Samba Parts from esmith::Util for Samba 4
bugzilla:9653 Pseudonyms handling with Active Directory
bugzilla:9662 System Initialization and Re-Configuration with Active Directory
bugzilla:9700 Consider removing /sbin/e-smith/samba_check_password
bugzilla:9708 Evaluate registry fragments in server-resources for Samba 4
bugzilla:9711 Include dnscache and tinydns config in smeserver-samba for Samba 4 DNS queries
bugzilla:9712 Reconfigure shadowcopy for Samba 4
bugzilla:9713 Reconfigure recycle bin for Samba 4
bugzilla:9715 Modify e-smith-dnscache to allow connections from entire loopback network
bugzilla:9755 Re-Write Users Panel for AD integration
bugzilla:9799 Update esmith::util::chown for Samba users
bugzilla:9800 Update e-smith-quota to process quotas for active directory users
bugzilla:9802 Modify user events/actions and server-manager panel
bugzilla:9804 Update password functions in esmith::util for Samba 4
bugzilla:9806 e-smith-openssh modifications for Samba 4
bugzilla:9807 smeserver-qpsmtpd changes for Samba 4

Active Directory Schema

Following is a direct dump of the active directory from a freshly provisioned SME Server domain. The DNS/Kerberos domain is domain.com, the hostname is virgin, and the windows domain is sme-server. The ipaddress for this test machine is 192.168.0.67. These data is quite long, but I found it very useful; as it is extremely difficult to find these attributes in any documentation about Samba 4 and ADDC:

Samba 4 Active Directory Schema

Misc Development Topics

References

  1. http://dev.nethserver.org/projects/nethserver/wiki/Samba4 (Thanks Filippo!)
  2. https://lists.samba.org/archive/samba/2014-April/180336.html
  3. https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
  4. http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller