How do I query Samba (sam.ldb, other types of values - Kerberos, auditing)

Matthieu Patou mat at matws.net
Sun Aug 25 20:45:38 MDT 2013


Hi Luke,

On 08/23/2013 01:58 PM, luke morrison wrote:
> Hello there,
> My name is Luke Morrison from Google Summer of Code. So my project is being implemented and works like the DNS updates in that it scans sysvol every X minutes (changeable through smb.conf), and reads all the Group Policy Objects and tries to find one important, if so updates Samba.
> Although more features are coming, this is the basic outline. So I want to make it cool now. I want to make it really useful, and I need some help. There are about roughly..........50-75 GPO's that "could" matter to Samba at the moment. And there are about 20 GPO's that "should" matter to Samba. Although there are thousands of possible GPO's most of them are fancy windows configuration stuff like screensaver, windows media stuff that Linux user do not care about. These are the ones I care about right now. Stuff like Kerboros default ticket ages, auditing logs (if supported in Samba), event auditing, and basic stuff like locking out user for getting X password fails. Enclosed are a few things (my question is really just in the enclosed file) that I would like to know how to query.
> Really all I need is a couple commands to query the database. Maybe couple choices for the various kinds of possible configurations I can snoop through. Then I can use LDAP mapping to have my service apply to Samba, and keep the Samba 4 DC clients well aware of GPO's that should be applied to them:). However as a standalone service, it seems to work quiet well so far, I just need to fill it out. I accidently locked myself out of my DC because I made a policy that has a password age of .25 seconds the other day, so this is a good sign :)
> Please see attached file for more information ,
> Best Regards,
> Luke MorrisonMaking Samba 4 DC clients awareGoogle Summer of Code 2013  		 	   		

Please get rid of hotmail or at least find a better mailer, you have to 
be super motivated to read such kind of email.

That being said.
Samba is reading the smb.conf to configure Kerberos things (see 
kdc_get_policy in source4/rpc_server/lsa/dcesrv_lsa.c), so in theory you 
should update the smb.conf, but from what I see we don't read this very 
often (i.e. every time samba starts).
Second thing, updating the smb.conf can prove to be quite complicated; we 
have a registry backend for smb.conf that makes things much easier. 
But it's not the default configuration for Samba as an AD DC, so it might 
prove not so useful.

> Amount of times you have to fail a logon before being locked out
I think Windows uses the lockout fields on the root object (the one with DN=DC=<domain>,DC=<tld>)
> how long you are locked out for
The same
> the min password length
Look at the Pwd related fields on the same object
> password complexity
There must be a field for that too; the best idea is to do an ldbsearch on a Windows DC for the base object before setting this policy and the same after setting it, and compare the two.

>
> Does Samba support event auditing?
> Stuff like privilege use auditing, policy change auditing, account management auditing. Anything about auditing I can query and find information about.
> Logs
>
> Ok so I know there is a standard Samba log. But are there different kinds of logs: application logs, security logs, system logs?
> I think logs would be insightful if there were a Samba wiki page just based on the logs. How they work, log levels.
> Maybe if this doesn't exist I can do this at one point.
> Definitely not before finishing my project though.
We don't have auditing, so I guess when we have it we can think of 
having a way to set it via GPO.

What is important but missing from your list is the privileges that are 
defined in the GPO. Samba stores the privileges in privilege.ldb.

Matthieu.
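The "ldbsearch before, ldbsearch after, compare" approach suggested above, worked through as an added example (not code from this thread or from Samba): it parses two constructed LDIF dumps of the domain root object, as `ldbsearch -H sam.ldb -s base -b DC=...` would print them, and reports which lockout/password attributes changed. The attribute names are the standard AD ones on the domain NC root; the values are constructed (the "after" side uses the 0.25 second password age from Luke's mishap).

```python
# Constructed LDIF, shaped like ldbsearch output for the domain root object,
# captured before and after a lockout/password policy is applied.
BEFORE = """dn: DC=samdom,DC=example,DC=com
lockoutThreshold: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
minPwdLength: 7
pwdProperties: 1
maxPwdAge: -36288000000000
"""
AFTER = """dn: DC=samdom,DC=example,DC=com
lockoutThreshold: 5
lockoutDuration: -9000000000
lockOutObservationWindow: -9000000000
minPwdLength: 12
pwdProperties: 1
maxPwdAge: -2500000
"""

# Standard AD attribute names on the domain root; durations are stored as
# negative counts of 100-nanosecond ticks, pwdProperties is a bit field.
POLICY_ATTRS = ("lockoutThreshold", "lockoutDuration", "lockOutObservationWindow",
                "minPwdLength", "pwdProperties", "maxPwdAge")
DURATION_ATTRS = {"lockoutDuration", "lockOutObservationWindow", "maxPwdAge"}
DOMAIN_PASSWORD_COMPLEX = 0x1  # pwdProperties bit meaning "complexity required"

def parse_ldif(text):
    """Parse a single-entry LDIF dump into {attribute: value} (string values)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry[attr] = value.strip()
    return entry

def interval_to_seconds(value):
    """Convert an AD interval (negative count of 100ns ticks) to positive seconds."""
    return abs(int(value)) / 10_000_000

def policy_diff(before_ldif, after_ldif):
    """Return {attr: (old, new)} for policy attributes that changed; durations in seconds."""
    before, after = parse_ldif(before_ldif), parse_ldif(after_ldif)
    changes = {}
    for attr in POLICY_ATTRS:
        old, new = before.get(attr), after.get(attr)
        if old == new:
            continue
        if attr in DURATION_ATTRS:
            old = interval_to_seconds(old) if old is not None else None
            new = interval_to_seconds(new) if new is not None else None
        changes[attr] = (old, new)
    return changes

def complexity_enabled(ldif):
    """True if the DOMAIN_PASSWORD_COMPLEX bit is set in pwdProperties."""
    return bool(int(parse_ldif(ldif).get("pwdProperties", "0")) & DOMAIN_PASSWORD_COMPLEX)
```

Against a real DC, replace the two constants with the output of the two ldbsearch runs; the unchanged pwdProperties shows why complexity has to be read as a bit field rather than looked for as a separate attribute.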

