[Samba] howto install sudo schema

shadrock uhuru niyalevi at gmail.com
Sun Aug 17 04:07:03 MDT 2014


>
>   [Samba] howto install sudo schema
>
> Rowland Penny rowlandpenny at googlemail.com
> Sun Aug 17 02:44:29 MDT 2014
>
>
> ------------------------------------------------------------------------
> On 17/08/14 04:46, shadrock uhuru wrote:
> > Hi all
> > i have added the sudo attribute ldif and sudo class ldif files without
> > errors,
> > the following has also been added without errors.
> >
> > dn: cn=%wheel_rule,ou=SUDOers,DC=tissisat,DC=co,DC=uk
> > objectClass: top
> > objectClass: sudoRole
> > cn: %wheel
> > sudoUser: %wheel
> > sudoHost: ALL
> > sudoCommand: ALL
> >
> > using the info here
> > https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg01792.html
> > i tried to set the acl which gave me these errors
> >
> >
> > $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
> > --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk " --sddl="(A;CI;RPLCRC;;;DC)"
> This should work but you have a space here (at the end of the --objectdn
> value), provided that sam.ldb is in /etc/samba/private and
> dc=tissisat,dc=co,dc=uk is your rootdse.
the space was a typo when writing the email, but I tried again using
$ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
--objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk" --sddl="(A;CI;RPLCRC;;;DC)"
and got the same error.
>
> > ERROR(ldb): uncaught exception - NULL Base DN invalid for a base search
> >   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line
> > 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> > 163, in run
> >     sid = self.find_trustee_sid(samdb, trusteedn)
> >   File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> > 88, in find_trustee_sid
> >     scope=SCOPE_BASE)
>
> It doesn't seem to like your rootdse, what does
> ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext | grep 
> 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
>
> return ?
$ sudo ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext
| grep 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
DC=tissisat,DC=co,DC=uk
>
> >
> > $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
> > dc=tissisat,dc=co,dc=uk
> > '(&(objectClass=organizationalUnit)(ou=sudoers))' nTSecurityDescriptor
> > no matching records - cannot edit
>
> Try this:
>
> sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes 
> --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub 
> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))" 
> nTSecurityDescriptor
$ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
--krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
"(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
nTSecurityDescriptor

Invalid option --kerberos=yes: unknown option
Usage: ldbedit <options> <expression> <attributes ...>
Usage: [OPTION...]
  -H, --url=URL                   database URL
  -b, --basedn=DN                 base DN
  -e, --editor=PROGRAM            external editor
  -s, --scope=SCOPE               search scope
  -v, --verbose                   increase verbosity
      --trace                     enable tracing
  -i, --interactive               input from stdin
  -r, --recursive                 recursive delete
      --modules-path=PATH         modules path
      --num-searches=INT          number of test searches
      --num-records=INT           number of test records
  -a, --all                       (|(objectClass=*)(distinguishedName=*))
      --nosync                    non-synchronous transactions
  -S, --sorted                    sort attributes
  -o=OPTION                       ldb_connect option
      --controls=STRING           controls
      --show-binary               display binary LDIF
      --paged                     use a paged search
      --show-deleted              show deleted objects
      --show-recycled             show recycled objects
      --show-deactivated-link     show deactivated links
      --reveal                    reveal ldb internals
      --relax                     pass relax control
      --cross-ncs                 search across NC boundaries
      --extended-dn               show extended DNs
>
> Rowland
> >
> > -----------------------------
> >
> > could you detail the ldbsearch commands to list the attribute and class
> > details to check that the records have been added correctly ?
> > what is the right Base DN to set the acl ?
> >
my samba version is
$ samba -V
Version 4.1.9

Shadrock
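The `--sddl="(A;CI;RPLCRC;;;DC)"` string passed to `samba-tool dsacl set` above is compact enough that it is easy to apply an ACE without being sure what it grants. The following is an added example, not code from this thread or from Samba: a small decoder that splits an SDDL ACE into its six fields and names the ACE type, inheritance flags, rights and well-known trustee using the standard SDDL abbreviations, then flags any ACE that grants write-capable rights, so the ACL can be reviewed before it is written to `sam.ldb`. The token tables are the subset of the SDDL abbreviations I am confident of; anything outside them raises rather than being guessed. Note that the two-letter token `DC` means `DS_DELETE_CHILD` in the rights field but `Domain Computers` in the trustee field, which is why the fields are decoded separately.

```python
"""Decode SDDL ACEs (as used by `samba-tool dsacl set --sddl=...`) for review.

Added example; not part of the mailing-list thread or of Samba itself.
The abbreviation tables below are a subset of the SDDL ones."""
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP", "CC": "DS_CREATE_CHILD",
          "DC": "DS_DELETE_CHILD", "LC": "DS_LIST_CHILDREN", "SW": "DS_SELF_WRITE",
          "LO": "DS_LIST_OBJECT", "DT": "DS_DELETE_TREE", "CR": "DS_CONTROL_ACCESS",
          "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE",
          "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE"}
TRUSTEES = {"DC": "Domain Computers", "DD": "Domain Controllers", "DU": "Domain Users",
            "DA": "Domain Admins", "AU": "Authenticated Users", "WD": "Everyone",
            "AN": "Anonymous", "SY": "Local System", "BA": "Builtin Administrators",
            "CO": "Creator Owner"}
# Rights that let the trustee change the object or its ACL, not just read it.
WRITE_RIGHTS = {"DS_WRITE_PROP", "DS_CREATE_CHILD", "DS_DELETE_CHILD", "DS_SELF_WRITE",
                "DS_DELETE_TREE", "DS_CONTROL_ACCESS", "WRITE_DAC", "WRITE_OWNER",
                "DELETE", "GENERIC_ALL", "GENERIC_WRITE"}

_ACE_RE = re.compile(r"\(([^()]*)\)")


def _split_pairs(tokens, table, what):
    """Turn a run of two-letter SDDL tokens such as 'RPLCRC' into names."""
    if len(tokens) % 2:
        raise ValueError(f"odd-length {what} token string: {tokens!r}")
    names = []
    for i in range(0, len(tokens), 2):
        tok = tokens[i:i + 2]
        if tok not in table:
            raise ValueError(f"unknown {what} token {tok!r}")
        names.append(table[tok])
    return names


def parse_ace(ace):
    """Parse one ACE '(type;flags;rights;object_guid;inherit_guid;sid)' into a dict."""
    body = ace.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 ';'-separated fields, got {len(fields)}: {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    if rights.lower().startswith("0x"):
        # A raw access mask: keep it as a mask rather than pretending to know each bit.
        rights_names = [f"mask:{int(rights, 16):#010x}"]
    else:
        rights_names = _split_pairs(rights, RIGHTS, "right")
    return {
        "type": ACE_TYPES[ace_type],
        "flags": _split_pairs(flags, ACE_FLAGS, "flag"),
        "rights": rights_names,
        "object_guid": obj_guid or None,
        "inherit_guid": inh_guid or None,
        # Literal SIDs (S-1-5-21-...) are passed through unchanged.
        "trustee": TRUSTEES.get(sid, sid),
    }


def parse_sddl(sddl):
    """Parse every '(...)' ACE in an SDDL string (a bare ACE or a 'D:...' DACL)."""
    return [parse_ace(m.group(0)) for m in _ACE_RE.finditer(sddl)]


def grants_write(ace):
    """True if an allow ACE gives write-capable rights; raw masks are treated as write
    (conservative) because their bits are not decoded here."""
    if ace["type"] != "ACCESS_ALLOWED":
        return False
    if any(r.startswith("mask:") for r in ace["rights"]):
        return True
    return bool(WRITE_RIGHTS & set(ace["rights"]))


def describe(ace):
    """One-line human-readable summary of a parsed ACE."""
    flags = ",".join(ace["flags"]) or "-"
    return (f"{ace['type']} [{flags}] {'+'.join(ace['rights'])} -> {ace['trustee']}"
            + ("  ** write-capable **" if grants_write(ace) else ""))


if __name__ == "__main__":
    # The ACE from the thread plus a constructed write-capable one for contrast.
    for s in ["(A;CI;RPLCRC;;;DC)", "D:(A;CI;RPLCRC;;;DC)(A;;WPDC;;;DU)"]:
        print(s)
        for a in parse_sddl(s):
            print("  ", describe(a))
```

Run it directly to see the thread's ACE decoded as an inherited read-only grant to Domain Computers; the constructed second string shows how a `WPDC` ACE (write property plus delete child) to Domain Users is flagged, which is the kind of entry worth a second look before it lands on an OU that controls sudo policy.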

