[Samba] Verify if Samba AD was provisioned with RFC2037
Marco Shmerykowsky
marco at sce-engineers.com
Sun Jan 3 20:21:06 UTC 2021
On 2021-01-03 2:52 pm, Marco Shmerykowsky via samba wrote:
> On 2021-01-03 1:58 pm, Rowland penny via samba wrote:
>> On 03/01/2021 18:33, Marco Shmerykowsky via samba wrote:
>>>
>>> On 2021-01-03 11:38 am, Rowland penny via samba wrote:
>>>> On 03/01/2021 15:35, Marco Shmerykowsky wrote:
>>>>>
>>>>>
>>>>> On 2021-01-03 10:19 am, Rowland penny via samba wrote:
>>>>>> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>>>>>>>
>>>>>>> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>>>>>>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>>>>>>>> Is there a way to confirm whether a samba AD was
>>>>>>>>> provisioned using RFC2307?
>>>>>>>>
>>>>>>>> All that provisioning with '--use-rfc2307' does is to put
>>>>>>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join'
>>>>>>>> doesn't
>>>>>>>> do this) and adds the 'ypServ30.ldif' to AD. The first makes
>>>>>>>> DC's use
>>>>>>>> uidNumber & gidNumber attributes from AD instead of the
>>>>>>>> xidNumber
>>>>>>>> attributes from idmap.ldb. The second makes the Unix attributes
>>>>>>>> tabs
>>>>>>>> work in ADUC, only problem is, they no longer exist 🙁
>>>>>>>>
>>>>>>>> All of the RFC2307 attributes are in the AD schema by default,
>>>>>>>> even if
>>>>>>>> you provision without '--use-rfc2307'.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> I see. The reason I ask is that I'm trying to use an extended
>>>>>>> query
>>>>>>> in a pfsense/openvpn setup and the query seems to fail. I'm
>>>>>>> fairly
>>>>>>> certain I have the query correct (although I could be wrong).
>>>>>>>
>>>>>>> In googling I came across some discussion that RFC2307 can create
>>>>>>> issues
>>>>>>> with the extended query (https://redmine.pfsense.org/issues/9527)
>>>>>>>
>>>>>> That link seems to refer to IPA and AD is different, For instance
>>>>>> you
>>>>>> cannot rely on the 'posix' objectclasses being in AD (in fact
>>>>>> anything
>>>>>> that does, is, in my opinion, broken), the 'posix objectclasses
>>>>>> are
>>>>>> auxiliary objectclasses of Windows objectclasses and as such are
>>>>>> not
>>>>>> required.
>>>>>>
>>>>>> What is your search query and what do you expect the results to be
>>>>>> ?
>>>>>
>>>>> my query is ->
>>>>> memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com
>>>>>
>>>>> Users who will be allowed access to the VPN are assigned to a
>>>>> security group
>>>>> named "VPN-Users". I then used Softerra's ldapbrowser
>>>>> (www.ldapadministrator.com)
>>>>> to look at one of the users in the group and pulled the syntax for
>>>>> the "memberof"
>>>>> attribute that listed the VPN-User group.
>>>>>
>>>>> I would expect the extend query to validate a user who is a member
>>>>> of the VPN-Users group.
>>>>
>>>> OK, I do not have a group called 'VPN-Users', but I do have one
>>>> called
>>>> 'vpnusers', so try this (adapted for your setup):
>>>>
>>>> ldbsearch -H ldap://samdom.example.com -b
>>>> 'dc=samdom,dc=example,dc=com' -s sub
>>>> '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))'
>>>> -P
>>>>
>>>> or using ldapsearch:
>>>>
>>>> ldapsearch -H ldap://samdom.example.com -b
>>>> 'dc=samdom,dc=example,dc=com' -s sub
>>>> '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))'
>>>> -D 'cn=Administrator,dc=samdom,dc=example,dc=com' -W
>>>>
>>>> Both of them work for myself, but the first one doesn't ask for a
>>>> password.
>>>>
>>>> Rowland
>>>
>>> Using ldbsearch I get the following:
>>>
>>> # Referral
>>> ref:
>>> ldap://internal.external.com/CN=Configuration,DC=internal,DC=external,DC=com
>>>
>>> # Referral
>>> ref:
>>> ldap://internal.externak.com/DC=DomainDnsZones,DC=internal,DC=external,DC=com
>>>
>>> # Referral
>>> ref:
>>> ldap://internal.external.com/DC=ForestDnsZones,DC=nternal,DC=external,DC=com
>>>
>>> # returned 3 records
>>> # 0 entries
>>> # 3 referrals
>>
>> If I run:
>>
>> ldbsearch -H ldap://samdom.example.com -b
>> 'dc=samdom,dc=example,dc=com' -s sub
>> '(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland))'
>> -P
>>
>> I get (heavily snipped):
>>
>> # record 1
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: securityPrincipal
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Rowland Penny
>> sn: Penny
>> ...................
>> sAMAccountName: rowland
>> memberOf: CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com
>> .........................
>> distinguishedName: CN=Rowland
>> Penny,CN=Users,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref:
>> ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref:
>> ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref:
>> ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> It doesn't matter whether I run it on a DC or a Unix domain member.
>>
>> Perhaps I should mention that 'samdom.example.com' is the DNS domain
>> and not a FQDN.
>>
>> Rowland
>
> The FQDN is my test case is samba_machine.internal.external.com.
>
> Therefore, I assume I should be replacing samdom.example.com
> with internal.external.com
>
> When I do that I get the following:
>
> resolve_lmhosts: Attempting lmhosts lookup for name
> internal.external.com<0x20>
> Server ldap/internal.external.com at EXTERNAL.COM is not registered with
> our KDC: Miscellaneous failure (see text): Server (krbtgt/EXTERNAL
> .COM at INTERNAL.EXTERNAL.COM) unknown
> gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating
> NEG_TOKEN_INIT for ldap/internal.external.com failed (next[ntlmssp]):
> NT_STATUS_INVAL
> ID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
SCRATCH THAT. Dumb Typo. Absolutely hate having reached the age
where I require reading glasses....
I get the following:
sAMAccountName: jdoe
sAMAccountType: 805306368
userPrincipalName: jdoe at internal.external.com
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=-internal,DC=external,DC=com
userAccountControl: 512
memberOf: CN=VPN-users,CN=Users,DC=internal,DC=external,DC=com
pwdLastSet: 131948897865228160
lastLogonTimestamp: 132540093326519270
description: Domain User
whenChanged: 20210102195038.0Z
uSNChanged: 57065
lastLogon: 132541770435095680
logonCount: 1647
distinguishedName: CN=jdoe,CN=Users,DC=internal,DC=external,DC=com
More information about the samba
mailing list