[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Mon May 2 20:45:25 GMT 2005


So I'm still doing something wrong. I now have a root sambaSamAccount in
my directory with the PrimaryGroupSID of the Domain Admins SID. The ldap
admin dn can write to the directory. From my PDC I can do the following
successfully:

net -S localhost rpc join (Success)
smbpasswd -a -w pdc (Success and pdc$ added to the LDAP machine group
with password)

However the following fails:

net -S localhost rpc rights grant "CI\Domain Admins"
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

Reading through the logs, everything appears to be fine until it goes to
assign privileges. Here's a snip from the logs (log level = 10):

[2005/05/02 12:09:43, 7] rpc_parse/parse_prs.c:prs_debug(82)
          000152 smb_io_unistr2 string
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
              0154 uni_max_len: 00000019
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
              0158 offset     : 00000000
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_uint32(642)
              015c uni_str_len: 00000019
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:dbg_rw_punival(814)
              0160 buffer     :
S.e.R.e.m.o.t.e.S.h.u.t.d.o.w.n.P.r.i.v.i.l.e.g.e.
[2005/05/02 12:09:43, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 03 00 00 00  00 00 00 00 D7 5E
76 42  ........ .....^vB
  [010] 3E 31 00 00                                       >1..
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 lsa_io_r_add_acct_rights
[2005/05/02 12:09:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      0000 status: NT_STATUS_ACCESS_DENIED

The LDAP logs show everything successful and there's no MODs trying to
occur.

Below is my smb.conf

[global]
        security = user
        log level = 10
        log file = /var/log/samba/samba.log
        workgroup = CI
        netbios name = PDC
        server string = Primary Domain Controller
        private dir = /var/lib/samba/private
        passdb backend = ldapsam:ldap://ldap.example.com
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        enable privileges = Yes
        hosts allow = none
        ldap admin dn = uid=samba_server,ou=people,o=ci,dc=example,dc=com
        ldap group suffix = ou=group
        ldap machine suffix = ou=hosts,ou=samba
        ldap suffix = o=ci,dc=uchicago,dc=edu
        ldap ssl = start tls
        ldap user suffix = ou=people

[netlogon]
        path = /var/lib/samba/netlogon
        browseable = No

[profiles]
        path = /var/lib/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700

On Wed, 2005-04-27 at 15:07 -0400, Josh Kelley wrote:
> leggett at ci.uchicago.edu wrote:
> 
> >So I think I have the steps needed to get this all working, but I think I
> >have a chicken/egg problem now.
> >  
> >
> <snip>
> 
> >So, is there a way to get it to a point where a normal user in the Domain
> >Admins group can join machine and add Samba Accounts, etc without
> >requiring a uid 0 user to be in LDAP.
> >  
> >
> The sambaSamAccount entry for root needs to be in the LDAP directory, 
> but the rest of the account doesn't.  We have an entry for the root 
> account in our LDAP directory that only has the following non-Samba 
> attributes defined:
> 
> dn: uid=root,dc=jbc,dc=edu
> objectClass: account
> objectClass: sambaSamAccount
> uid: root
> displayName: root
> cn: root
> 
> Although this technically means that there is a uid 0 user in LDAP, it's 
> only a uid 0 user as far as Samba is concerned; Linux/Unix won't 
> recognize the LDAP portion of the root account as being a valid user.
> 
>  From what I've read, this setup won't work if you set ldapsam:trusted = 
> yes in smb.conf, but it will work long enough to assign privileges then 
> set ldapsam:trusted.
> 
> >Also, what pieces are really needed to join a machine to the Samba Domain.
> >And what and who needs to be able to read/write LDAP for this to happen?
> >
> >Pieces I've identified so far. Things starting with '?' I'm not sure about.
> >
> >- Domain Users, Domain Admins, and Domain Guests groups exist with valid
> >sambaSIDs (posixGroup and sambaGroupMapping)
> >- Domain Admins group has the SeMachineAccountPrivilege privilege
> >  
> >
> Correct.
> 
> >- a sambaDomainName object with a valid sambaSID
> >  
> >
> It's a sambaDomain object, not a sambaDomainName object.  I'm pretty 
> sure that Samba will create this for you if it doesn't exist.
> 
> >- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
> >whose SID is in the Domain Admins sambaSIDList
> >  
> >
> Correct.
> 
> >? A machine user (posixAccount sambaSamAccount) with a valid uid and
> >sambaSID and whose parent LDAP tree is listed as a passwd search path for
> >NSS
> >  
> >
> Generally unnecessary.  Although you can create it yourself, it's easier 
> to set up an add machine script (such as that provided by the Idealx 
> smbldap-tools, if you're using those) and let it take care of this for 
> you.  Chapter 6 of the Samba-HOWTO has more information on how machine 
> trust accounts are created.
> 
> >My last question is this. Does the above user listed above have to have
> >write access to the LDAP directory or does only the samba user whose
> >password is stored in private/secrets.tdb need write access to the
> >directory?
> >  
> >
> Only the Samba user (whoever you specify as the ldap admin dn) needs 
> write access.
> 
> >Because I'm using Kerberos as my authentication scheme, in order to write
> >to the directory you must have an admin principal (userfoo/admin).
> >However, these principals should not be in LDAP with UIDs because they're
> >never used in that aspect.
> >  
> >
> Sorry, I'm not familiar with Kerberos.
> 
> Josh Kelley
> 
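As an added example (not code from this thread or from Samba itself): a small Python check that reads an LDIF dump of the ldapsam tree and reports which of the objects Josh lists are missing before `net rpc rights grant` is attempted, i.e. a sambaDomain object, the three built-in groups with their well-known RIDs, and a root sambaSamAccount whose sambaPrimaryGroupSID is the Domain Admins SID. The DNs and SIDs in the embedded sample are constructed, and the parser assumes plain, unfolded, non-base64 LDIF.

```python
from collections import defaultdict

# Well-known RIDs of the built-in domain groups (Samba 3 ldapsam / NT domain semantics).
DOMAIN_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per line, no folding/base64."""
    entries = [defaultdict(list)]
    for line in text.splitlines():
        if not line.strip():
            entries.append(defaultdict(list))
            continue
        attr, _, val = line.partition(":")
        entries[-1][attr.strip()].append(val.strip())
    return [e for e in entries if e]

def check_pdc_prereqs(ldif_text):
    """Return a list of problems; empty means the directory has the objects the privilege grant needs."""
    entries = parse_ldif(ldif_text)
    domains = [e for e in entries if "sambaDomain" in e["objectClass"]]
    if len(domains) != 1:
        return [f"expected exactly one sambaDomain object, found {len(domains)}"]
    dom_sid, problems = domains[0]["sambaSID"][0], []
    group_sids = {s for e in entries if "sambaGroupMapping" in e["objectClass"] for s in e["sambaSID"]}
    for name, rid in DOMAIN_GROUP_RIDS.items():
        if f"{dom_sid}-{rid}" not in group_sids:
            problems.append(f"missing sambaGroupMapping for {name} (SID {dom_sid}-{rid})")
    roots = [e for e in entries if "sambaSamAccount" in e["objectClass"] and e["uid"] == ["root"]]
    if not roots:
        problems.append("no sambaSamAccount entry with uid=root")
    elif roots[0]["sambaPrimaryGroupSID"] != [f"{dom_sid}-512"]:
        problems.append("root's sambaPrimaryGroupSID is not the Domain Admins SID")
    return problems

# Constructed sample dump (not a real directory): domain and Domain Admins present, Users/Guests missing.
SAMPLE_LDIF = """\
dn: sambaDomainName=CI,o=ci,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-1111-2222-3333

dn: cn=Domain Admins,ou=group,o=ci,dc=example,dc=com
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-1111-2222-3333-512

dn: uid=root,ou=people,o=ci,dc=example,dc=com
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1111-2222-3333-500
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-512
"""
```

Running `check_pdc_prereqs(SAMPLE_LDIF)` reports the two missing group mappings; a real dump from `ldapsearch -LLL` of the ldap suffix can be fed in the same way once any folded lines are joined.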
