
[Samba] Samba 4 Active Directory Quotas

Greg Zartman
Dec 27, 2014, 1:30:03 AM
I've been messing around with disk quotas for users and have seen some who
have extended the Samba 4 AD schema to include a quota attribute. For
example, I found this schema extension here:
http://fossies.org/linux/quota/ldap-scripts/quota.schema

Is there a common method for doing this?

--
Greg J. Zartman
Board Member

Koozali SME Server
www.koozali.org

SME Server user, contributor, and community member since 2000
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
Dec 27, 2014, 5:50:03 AM
On 27/12/14 06:26, Greg Zartman wrote:
> I've been messing around with disk quotas for users and have seen some who
> have extended the Samba 4 AD schema to include a quota attribute. For
> example, I found this schema extension here:
> http://fossies.org/linux/quota/ldap-scripts/quota.schema
>
> Is there a common method for doing this?
>

Yes, samba4 comes with a script: oLschema2ldif

To use this, you just need to create a file containing the schema on the DC:

root@dc01:~# nano quota.schema

##
## schema file for Unix Quotas
## Schema for storing Unix Quotas in LDAP
## OIDs are owned by Cogent Innovators, LLC
##
## 1.3.6.1.4.1.19937.1.1.x - attributetypes
## 1.3.6.1.4.1.19937.1.2.x - objectclasses
##

attributetype ( 1.3.6.1.4.1.19937.1.1.1 NAME 'quota'
DESC 'Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} )

objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas' SUP
posixAccount AUXILIARY
DESC 'System Quotas'
MUST ( uid )
MAY ( quota ))

Run this file through oLschema2ldif

NOTE: the 'basedn' is your rootdse, -I is where the schema file is and what you
called it, -O is where you want the new file to be created and what you
want it to be called.

root@dc01:~# oLschema2ldif --basedn=DC=example,DC=com -I /root/quota.schema -O /root/quota.ldif

OK, first time through, you get an error:

Invalid entry objectclass ( 1.3.6.1.4.1.19937.1.2.1 NAME 'systemQuotas'
SUP posixAccount AUXILIARY DESC 'System Quotas' MUST ( uid ) MAY
( quota )), closing braces needs to be preceeded by a space
Converted 1 records with 1 failures

Open the file again and change the last line to this:

MAY ( quota ) )

Try again:

root@dc01:~# oLschema2ldif --basedn=DC=example,DC=com -I /root/quota.schema -O /root/quota.ldif
Converted 2 records with 0 failures

If you now open the new .ldif, you will find this:

dn: CN=quota,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19937.1.1.1
schemaIdGuid:: s4wz77EabBjOCl35dQG3Yg==
cn: quota
name: quota
lDAPDisplayName: quota
description: Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: FALSE

dn: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19937.1.2.1
schemaIdGuid:: TIwbIzyiBNzZEmBeS1XO4A==
cn: systemQuotas
name: systemQuotas
lDAPDisplayName: systemQuotas
subClassOf: posixAccount
objectClassCategory: 3
description: System Quotas
mustContain: uid
mayContain: quota
defaultObjectCategory: CN=systemQuotas,CN=Schema,CN=Configuration,DC=example,DC=com

You would then add this ldif to AD with:

ldbmodify -H path_to_sam_ldb /root/quota.ldif --option="dsdb:schema update allowed"=true

Note that the objectClass in the above ldif is a subclass of
'posixAccount' and to use it, you will have to add the 'uid' attribute
to all users; you do not need to add (and in fact should not) the
'posixAccount' objectClass.

Rowland
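The 'quota' attribute above is a multi-valued IA5 string of at most 255 characters whose shape is only documented in its DESC line (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard). Anything that writes such values into AD, or reads them back to apply Unix quotas, should validate them first. The following is an added example, not code from this thread or from Samba; the Quota class, the parse_quota and parse_quota_values names, the "0 means no limit" rule and the sample values are my own assumptions:

```python
"""Validator for values of the 'quota' attribute defined in the schema above.

Added example (not code from the thread). The value format comes from the
attribute's DESC string: FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard.
The attribute is an IA5 string of at most 255 characters and is multi-valued
(isSingleValued: FALSE), so one user may carry one value per filesystem.
"""
from dataclasses import dataclass

MAX_LEN = 255  # from SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} in the schema


@dataclass(frozen=True)
class Quota:
    filesystem: str
    blocks_soft: int
    blocks_hard: int
    inodes_soft: int
    inodes_hard: int


def parse_quota(value: str) -> Quota:
    """Parse one attribute value, rejecting anything that is not a
    well-formed IA5 string of the documented shape."""
    if len(value) > MAX_LEN:
        raise ValueError(f"value longer than {MAX_LEN} characters")
    if not value.isascii():  # IA5 syntax: ASCII only
        raise ValueError("non-ASCII character in IA5 string")
    if any(c in value for c in "\r\n\0"):
        raise ValueError("control character in value")
    fs, sep, limits = value.partition(":")
    if not sep or not fs.startswith("/"):
        raise ValueError("expected '<absolute filesystem path>:<limits>'")
    parts = limits.split(",")
    if len(parts) != 4:
        raise ValueError("expected exactly four comma-separated limits")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("limits must be integers") from None
    if any(n < 0 for n in nums):
        raise ValueError("limits must be non-negative")
    bs, bh, is_, ih = nums
    # Assumption (not stated in the schema): 0 means "no limit", as in the
    # Linux quota tools, so a soft limit must not exceed a non-zero hard limit.
    if bh and bs > bh:
        raise ValueError("block soft limit exceeds hard limit")
    if ih and is_ > ih:
        raise ValueError("inode soft limit exceeds hard limit")
    return Quota(fs, bs, bh, is_, ih)


def parse_quota_values(values):
    """Parse all values of the multi-valued 'quota' attribute of one user.
    Two values for the same filesystem would make the effective limit
    ambiguous, so duplicates are rejected."""
    seen = {}
    for v in values:
        q = parse_quota(v)
        if q.filesystem in seen:
            raise ValueError(f"duplicate quota for {q.filesystem}")
        seen[q.filesystem] = q
    return seen


if __name__ == "__main__":
    # Constructed sample values, as they might be read back from a user object.
    sample = ["/home:1000000,1200000,0,0", "/srv/share:500000,0,10000,12000"]
    for fs, q in parse_quota_values(sample).items():
        print(fs, q)
```

Run the validator on the attribute values before handing them to setquota or before writing them with ldbmodify; a value that fails here would otherwise be stored silently, since AD only checks the IA5 syntax and length, not the five-field layout.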

Greg Zartman
Dec 27, 2014, 9:20:03 PM
On Sat, Dec 27, 2014 at 2:43 AM, Rowland Penny <rowlan...@googlemail.com> wrote:

> Yes, samba4 comes with a script: oLschema2ldif
>

Humm... Not liking the errors in this method. Looking at the ldif, I
think we could rework this so that one could modify the LDAP schema
directly using LDAP syntax. In my case, I'm using Net::LDAP. Something
more like this:

dn: CN=systemQuotas,CN=Schema,CN=Configuration,DOMAIN_TOP_DN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19937.1.2.1
cn: systemQuotas
name: systemQuotas
ldapDisplayName: systemQuotas
subClassOf: posixAccount
objectClassCategory: 3
mustContain: uidNumber
mayContain: quota
defaultObjectCategory:
CN=systemQuotas,CN=Schema,CN=Configuration,DOMAIN_TOP_DN
possSuperiors: top
-

dn:
changetype: modify
replace: schemaupdatenow
schemaupdatenow: 1

Partially taken from here:
http://msdn.microsoft.com/en-us/library/cc223302.aspx

Need to test this out a bit more and add the quota attribute, but I think
this will ultimately add what I'm after.

> Note that the objectClass in the above ldif is a subclass of
> 'posixAccount' and to use it, you will have to add the 'uid' attribute to
> all users, you do not need to add (and in fact should not) the
> 'posixAccount' objectClass'.

Yup, I did find this objectClass, which I have been using to delineate
Centos (SME Server) users from other users in the active directory.

Thanks Rowland.

--
Greg J. Zartman
Board Member

Koozali SME Server
www.koozali.org

SME Server user, contributor, and community member since 2000
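Both the oLschema2ldif output in Rowland's post and the hand-written LDIF above describe the same two schema objects; the difference is only in how the file is produced. The following added example (not code from the thread or from Samba) generates that LDIF from the OIDs and names quoted in the thread, with an explicit changetype: add on each record, a fresh base64-encoded schemaIdGuid as LDIF's '::' syntax requires, and the rootDSE schemaUpdateNow record at the end. The function names, the rangeUpper line carrying the {255} length bound (a standard attributeSchema attribute that the converted ldif above does not include), and the small LDIF reader used to inspect the result are my own assumptions; the base DN is a parameter:

```python
"""Generate the AD schema LDIF for the 'quota' attribute and 'systemQuotas' class.

Added example, not code from the thread or from Samba. OIDs, names, syntax
and descriptions are the ones quoted in the thread; everything else
(function names, rangeUpper, the checker) is an assumption of this example.
"""
import base64
import uuid

ATTRIBUTE_OID = "1.3.6.1.4.1.19937.1.1.1"
CLASS_OID = "1.3.6.1.4.1.19937.1.2.1"
QUOTA_DESC = "Quotas (FileSystem:BlocksSoft,BlocksHard,InodesSoft,InodesHard)"


def schema_id_guid_b64(guid=None):
    """schemaIdGuid is a 16-byte GUID; LDIF carries binary values base64
    encoded behind '::'. The GUID only has to be unique, so a random one
    is generated unless a specific one (str or uuid.UUID) is supplied."""
    guid = uuid.UUID(str(guid)) if guid else uuid.uuid4()
    return base64.b64encode(guid.bytes).decode("ascii")


def decode_schema_id_guid(b64_text):
    """Inverse of schema_id_guid_b64, for checking a generated record."""
    return uuid.UUID(bytes=base64.b64decode(b64_text))


def _entry(dn, attrs):
    """Render one LDIF add record; a (base64_text, True) value uses '::'."""
    lines = [f"dn: {dn}", "changetype: add"]
    for name, value in attrs:
        if isinstance(value, tuple):
            lines.append(f"{name}:: {value[0]}")
        else:
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def attribute_schema_ldif(basedn, guid=None):
    schema_dn = f"CN=Schema,CN=Configuration,{basedn}"
    return _entry(f"CN=quota,{schema_dn}", [
        ("objectClass", "top"),
        ("objectClass", "attributeSchema"),
        ("attributeID", ATTRIBUTE_OID),
        ("schemaIdGuid", (schema_id_guid_b64(guid), True)),
        ("cn", "quota"),
        ("name", "quota"),
        ("lDAPDisplayName", "quota"),
        ("description", QUOTA_DESC),
        ("attributeSyntax", "2.5.5.5"),  # IA5 string, as in the converted ldif
        ("oMSyntax", "22"),
        ("isSingleValued", "FALSE"),
        ("rangeUpper", "255"),  # the {255} bound from the OpenLDAP schema (assumption)
    ])


def class_schema_ldif(basedn, guid=None):
    dn = f"CN=systemQuotas,CN=Schema,CN=Configuration,{basedn}"
    return _entry(dn, [
        ("objectClass", "top"),
        ("objectClass", "classSchema"),
        ("governsID", CLASS_OID),
        ("schemaIdGuid", (schema_id_guid_b64(guid), True)),
        ("cn", "systemQuotas"),
        ("name", "systemQuotas"),
        ("lDAPDisplayName", "systemQuotas"),
        ("subClassOf", "posixAccount"),
        ("objectClassCategory", "3"),  # 3 = auxiliary class
        ("description", "System Quotas"),
        ("mustContain", "uid"),
        ("mayContain", "quota"),
        ("defaultObjectCategory", dn),
    ])


def schema_update_now_ldif():
    """rootDSE modify that asks the DC to reload its schema cache."""
    return "dn:\nchangetype: modify\nreplace: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def build_quota_schema_ldif(basedn, attr_guid=None, class_guid=None):
    return "\n".join([
        attribute_schema_ldif(basedn, attr_guid),
        class_schema_ldif(basedn, class_guid),
        schema_update_now_ldif(),
    ])


def parse_ldif_records(text):
    """Minimal LDIF reader (no line folding) to check what was generated:
    returns one dict of attribute -> list of values per record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line == "-":
                continue
            name, _, value = line.partition(":")
            rec.setdefault(name, []).append(value.lstrip(": "))
        records.append(rec)
    return records


if __name__ == "__main__":
    print(build_quota_schema_ldif("DC=example,DC=com"))
```

Write the output to a file and apply it with the ldbmodify command from the earlier post (the "dsdb:schema update allowed" option is still required); reading the generated file back through parse_ldif_records before applying it is the cheap check that the DNs, OIDs and the auxiliary class category are what you intended, since a schema object, once added, cannot be deleted from AD.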

Rowland Penny
Dec 28, 2014, 4:30:03 AM
Not sure if this will work, but by all means try it; if you do, make
sure that you do it on a DC that you don't mind losing, just in case it
screws up the AD.

If it does work, please let us know.

Rowland
