[Samba] samba4 pdc: Import sudoers active directory schema to ldb

Aaron Johnson acjohnson at pcdomain.com
Sat Dec 7 15:58:14 MST 2013


I was able to extend my samba 4 schema very simply by importing the schema.ActiveDirectory file that comes with the sudo source code in the doc/ folder.

In order to do this you first need to make the schema writable by adding this to one of your samba 4 domain controllers smb.conf global section:

dsdb:schema update allowed = yes

and then restart samba.

Then you can import the schema LDIF from a Windows computer that has been joined to the domain; be sure to be logged in with administrative rights:

ldifde -i -f schema.ActiveDirectory -c dc=X dc=YOURDOMAIN,DC=COM

This is the output that you should get when you run the command:

Connecting to "dc01.domain.com"
Logging in as current user using SSPI
Importing directory from file "schema.ActiveDirectory"
Lazy commit support not available on the server, lazy commit will be disabled.
Loading entries.............
12 entries modified successfully.

The command has completed successfully

FYI - I am using Samba 4 on Debian Jessie (testing currently) because the packages appear to be less broken than in Wheezy and I won't have to deal with the package name change as the samba package in Jessie is simply 'samba'.

Aaron Johnson

------------------------------------------------------------------------

Any updates on this? I am thinking this schema is lacking the sudoers base cn like in openldap we have ou=SUDOERS,cn=...

From: mad-proffessor at hotmail.com
To: samba at lists.samba.org
CC: samba-technical at lists.samba.org
Subject: RE: [Samba] samba4 pdc: Import sudoers active directory schema to ldb
Date: Sun, 30 Jun 2013 17:36:16 +0300

> Date: Sun, 30 Jun 2013 06:49:26 +0200
> From: geza at kzsdabas.hu
> To: samba at lists.samba.org; mad-proffessor at hotmail.com
> CC: samba-technical at lists.samba.org
> Subject: Re: [Samba] samba4 pdc: Import sudoers active directory schema to ldb
>
> On 2013-06-29 11:00, george Nopicture wrote:
> > Hi guys and congrats for bringing a fantastic project to the open source world. I've set up a samba4 pdc successfully and I am able to do domain logins. I was also able to add the automount schema into the ldb. But when it comes to the sudoers schema I can't import it.
> > Further system details:
> > Debian wheezy 7,
> > samba 4.0.6 compiled from source,
> > sudo-ldap standard binary package from repos.
> > I have split the sudoers active directory schema that came with sudo into 2 ldifs (classSchema apart from attributeSchema) and tried to import them, but I had no luck. I googled around but came up with nothing about it.
> > This is the error I get:
> > ERR: (Invalid attribute syntax) "LDAP error 21 LDAP_INVALID_ATTRIBUTE_SYNTAX -  <0000200B: objectclass_attrs: attribute 'mayContain' on entry 'CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com' contains at least one invalid value!> <>" on DN CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com at block before line 31.
> >
> First: I've cc-ed samba-technical as extending the schema is still an
> experimental feature.
> Second: it would be helpful to be able to look at the ldif files you try
> to load (messages like "block before line 31" don't make too much sense
> without it).
>
> Regards
>
> Geza Gemes
Hello, it appears that I have directly sent you some emails at your
personal email address, sorry for that. I am attaching the 2 files for the list and I am
also posting their contents here.

sudoers-class.ldif:

dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
cn: sudoRole
distinguishedName: CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
possSuperiors: container
possSuperiors: top
subClassOf: top
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoUser
mayContain: sudoHost
mayContain: sudoCommand
mayContain: sudoRunAs
mayContain: sudoOption
mayContain: sudoRunAsUser
mayContain: sudoRunAsGroup
mayContain: sudoNotBefore
mayContain: sudoNotAfter
mayContain: sudoOrder
rDNAttID: cn
showInAdvancedViewOnly: FALSE
adminDisplayName: sudoRole
adminDescription: Sudoer Entries
objectClassCategory: 1
lDAPDisplayName: sudoRole
name: sudoRole
schemaIDGUID:: SQn432lnZ0+ukbdh3+gN3w==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=example,DC=com
defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=example,DC=com


sudoers.ldif:

dn: CN=sudoUser,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoUser
distinguishedName: CN=sudoUser,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.1
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoUser
adminDescription: User(s) who may run sudo
oMSyntax: 22
searchFlags: 1
lDAPDisplayName: sudoUser
name: sudoUser
schemaIDGUID:: JrGcaKpnoU+0s+HgeFjAbg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoHost,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoHost
distinguishedName: CN=sudoHost,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.2
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoHost
adminDescription: Host(s) who may run sudo
oMSyntax: 22
lDAPDisplayName: sudoHost
name: sudoHost
schemaIDGUID:: d0TTjg+Y6U28g/Y+ns2k4w==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoCommand,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoCommand
distinguishedName: CN=sudoCommand,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.3
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoCommand
adminDescription: Command(s) to be executed by sudo
oMSyntax: 22
lDAPDisplayName: sudoCommand
name: sudoCommand
schemaIDGUID:: D6QR4P5UyUen3RGYJCHCPg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoRunAs
distinguishedName: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.4
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAs
adminDescription: User(s) impersonated by sudo (deprecated)
oMSyntax: 22
lDAPDisplayName: sudoRunAs
name: sudoRunAs
schemaIDGUID:: CP98mCQTyUKKxGrQeM80hQ==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoOption,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoOption
distinguishedName: CN=sudoOption,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.5
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOption
adminDescription: Option(s) followed by sudo
oMSyntax: 22
lDAPDisplayName: sudoOption
name: sudoOption
schemaIDGUID:: ojaPzBBlAEmsvrHxQctLnA==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsUser
distinguishedName: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.6
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsUser
adminDescription: User(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsUser
name: sudoRunAsUser
schemaIDGUID:: 9C52yPYd3RG3jMR2VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsGroup
distinguishedName: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.7
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsGroup
adminDescription: Groups(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsGroup
name: sudoRunAsGroup
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoNotBefore
distinguishedName: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.8
attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoNotBefore
adminDescription: Start of time interval for which the entry is valid
oMSyntax: 22
lDAPDisplayName:  sudoNotBefore
name: sudoNotBefore
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoNotAfter
distinguishedName: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.9
attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoNotAfter
adminDescription: End of time interval for which the entry is valid
oMSyntax: 22
lDAPDisplayName:  sudoNotAfter
name: sudoNotAfter
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=sudoOrder,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
cn: sudoOrder
distinguishedName: CN=sudoOrder,CN=Schema,CN=Configuration,DC=example,DC=com
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.10
attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.27
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOrder
adminDescription: an integer to order the sudoRole entries
oMSyntax: 22
lDAPDisplayName:  sudoOrder
name: sudoOrder
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=example,DC=com


Thanks, George
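Added example (not from this thread, and not code from the sudo or Samba projects): a small Python pre-flight checker for a schema LDIF that covers both the import procedure in the first message (the base-DN rewrite that `ldifde -c DC=X DC=YOURDOMAIN,DC=COM` performs on the placeholder DN sudo ships) and the failure George posted. The error he quotes is what Samba reports when a mayContain value cannot be resolved to an attribute the schema already knows, and his two files load the class separately from the attributes it refers to; the posted sudoers.ldif also reuses one schemaIDGUID (xJhSt/Yd3RGJPTB1VtiVkw==) for sudoRunAsGroup, sudoNotBefore, sudoNotAfter and sudoOrder, and schema identifiers must be unique. The function names, the BASE_SCHEMA_ATTRIBUTES set, the sample LDIF and its all-zero and all-0x01 GUIDs are constructed for this example.

```python
"""Pre-flight checks for an AD schema LDIF before loading it into a Samba AD DC.
Added example (not from the thread or the sudo project): the DN rewrite that
`ldifde -c DC=X DC=example,DC=com` performs, plus static checks for the two
failure modes visible in the thread. Sample LDIF, GUIDs and the base-schema
attribute set are constructed placeholders."""
import base64
import re

# Placeholder for attributes the base AD schema already defines.
BASE_SCHEMA_ATTRIBUTES = {"cn", "description", "name", "objectClass"}


def parse_ldif(text):
    """Entries as {attribute (lowercased): [values]}; unfolds continuation
    lines, decodes '::' base64 values to hex, skips '#' comments."""
    text = re.sub(r"\n ", "", text)          # a leading space continues the line
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).hex()
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rewrite_base_dn(text, placeholder, base_dn):
    """Replace the placeholder base DN (sudo ships 'DC=X') case-insensitively,
    as `ldifde -c` does; the lookahead stops 'DC=X' matching 'DC=XY'."""
    pattern = re.escape(placeholder) + r"(?![A-Za-z0-9-])"
    return re.sub(pattern, base_dn, text, flags=re.IGNORECASE)


def attributes_first(text):
    """Reorder entry blocks so attributeSchema entries precede classSchema
    entries: a class may only reference attributes the directory knows."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]

    def is_attr(block):
        return re.search(r"^objectClass:\s*attributeSchema\s*$", block, re.M | re.I)

    ordered = [b for b in blocks if is_attr(b)] + [b for b in blocks if not is_attr(b)]
    return "\n\n".join(ordered) + "\n"


def check_schema_ldif(text, known_attributes=BASE_SCHEMA_ATTRIBUTES):
    """Return problem strings (empty list means the checks passed): a class whose
    mayContain/mustContain names an attribute not defined before it, and any
    schemaIDGUID, attributeID, governsID or lDAPDisplayName used twice."""
    problems, seen = [], {}
    known = {a.lower() for a in known_attributes}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        for ident in ("schemaIDGUID", "attributeID", "governsID", "lDAPDisplayName"):
            for value in entry.get(ident.lower(), []):
                first = seen.setdefault((ident, value.lower()), dn)
                if first != dn:
                    problems.append(f"{dn}: {ident} {value!r} already used by {first}")
        if "attributeschema" in classes:
            known.update(n.lower() for n in entry.get("ldapdisplayname", []))
        if "classschema" in classes:
            for ident in ("mayContain", "mustContain"):
                for name in entry.get(ident.lower(), []):
                    if name.lower() not in known:
                        problems.append(f"{dn}: {ident} {name!r} not defined before this entry")
    return problems


# Constructed sample in the order that produced the thread's error: the class
# comes first, and two attributes share a placeholder GUID (16 bytes of 0x01).
SAMPLE_LDIF = """\
dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoUser
mayContain: sudoHost
lDAPDisplayName: sudoRole
schemaIDGUID:: AAAAAAAAAAAAAAAAAAAAAA==

dn: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.15953.9.1.1
lDAPDisplayName: sudoUser
schemaIDGUID:: AQEBAQEBAQEBAQEBAQEBAQ==

dn: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.15953.9.1.2
lDAPDisplayName: sudoHost
schemaIDGUID:: AQEBAQEBAQEBAQEBAQEBAQ==
"""

if __name__ == "__main__":
    print("as posted:", check_schema_ldif(SAMPLE_LDIF))
    ready = rewrite_base_dn(attributes_first(SAMPLE_LDIF), "DC=X", "DC=example,DC=com")
    print("attributes first, DN rewritten:", check_schema_ldif(ready))
```

Running it on the sample reports the two unresolved mayContain values and the duplicate GUID; after attributes_first() only the duplicate GUID remains, which has to be fixed by hand (each schema object needs its own GUID). To use it on the real file, pass the contents of sudo's schema.ActiveDirectory to check_schema_ldif() before enabling `dsdb:schema update allowed` on a DC, and turn that option back off once the import has succeeded, since a half-applied schema extension is hard to undo.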