[Samba] AD / new auxiliary class / vb script

Hervé Hénoch h.henoch at isc84.org
Thu May 24 00:01:44 MDT 2012


Hello Matthieu,

1) Yes, it is a typo, sorry.

2) ldbsearch -H ldap://<dc_ip> --cross-ncs '(ldapdisplayname=iscA)'  -U 
<admin>%<password>  gives (you have to authenticate if it does not work):
# record 1
dn: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
objectClass: top
objectClass: classSchema
cn: iscA
instanceType: 4
whenCreated: 20120523130147.0Z
whenChanged: 20120523130147.0Z
uSNCreated: 5642
subClassOf: top
governsID: 1.2.840.113556.1.8000.2554.999999.1
mayContain: iscA1
rDNAttID: cn
showInAdvancedViewOnly: TRUE
objectClassCategory: 3
lDAPDisplayName: iscA
name: iscA
objectGUID: 39a53446-19e6-4f67-a280-14fce546e475
schemaIDGUID: f0a54822-d855-40b1-8afd-421933f5824d
defaultSecurityDescriptor: 
D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPC
  RCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
objectCategory: 
CN=Class-Schema,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
defaultObjectCategory: 
CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
uSNChanged: 5643
distinguishedName: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org

# returned 1 records
# 1 entries
# 0 referrals

3) ldbsearch -H ldap://dc_ip --cross-ncs '(auxiliaryClass=iscA)'  -U 
<admin>%<password>  gives:
# record 1
dn: CN=User,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
objectClass: top
objectClass: classSchema
cn: User
instanceType: 4
whenCreated: 20120523124800.0Z
uSNCreated: 1787
subClassOf: organizationalPerson
governsID: 1.2.840.113556.1.5.9
mayContain: msSFU30NisDomain
mayContain: msSFU30Name
mayContain: msDS-SourceObjectDN
mayContain: x500uniqueIdentifier
mayContain: userSMIMECertificate
mayContain: userPKCS12
mayContain: uid
mayContain: secretary
mayContain: roomNumber
mayContain: preferredLanguage
mayContain: photo
mayContain: labeledURI
mayContain: jpegPhoto
mayContain: homePostalAddress
mayContain: givenName
mayContain: employeeType
mayContain: employeeNumber
mayContain: displayName
mayContain: departmentNumber
mayContain: carLicense
mayContain: audio
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: User
adminDescription: User
objectClassCategory: 1
lDAPDisplayName: user
name: User
objectGUID: 399ff624-5ec8-4379-8f6a-09cdf0bd0594
schemaIDGUID: bf967aba-0de6-11d0-a285-00aa003049e2
systemOnly: FALSE
systemPossSuperiors: builtinDomain
systemPossSuperiors: organizationalUnit
systemPossSuperiors: domainDNS
systemMayContain: msTSPrimaryDesktop
systemMayContain: msTSSecondaryDesktops
systemMayContain: msPKI-CredentialRoamingTokens
systemMayContain: msDS-ResultantPSO
systemMayContain: msTSLSProperty01
systemMayContain: msTSLSProperty02
systemMayContain: msTSManagingLS2
systemMayContain: msTSManagingLS3
systemMayContain: msTSManagingLS4
systemMayContain: msTSLicenseVersion2
systemMayContain: msTSLicenseVersion3
systemMayContain: msTSLicenseVersion4
systemMayContain: msTSExpireDate2
systemMayContain: msTSExpireDate3
systemMayContain: msTSExpireDate4
systemMayContain: msDS-AuthenticatedAtDC
systemMayContain: msDS-UserPasswordExpiryTimeComputed
systemMayContain: msTSManagingLS
systemMayContain: msTSLicenseVersion
systemMayContain: msTSExpireDate
systemMayContain: msTSProperty02
systemMayContain: msTSProperty01
systemMayContain: msTSInitialProgram
systemMayContain: msTSWorkDirectory
systemMayContain: msTSDefaultToMainPrinter
systemMayContain: msTSConnectPrinterDrives
systemMayContain: msTSConnectClientDrives
systemMayContain: msTSBrokenConnectionAction
systemMayContain: msTSReconnectionAction
systemMayContain: msTSMaxIdleTime
systemMayContain: msTSMaxConnectionTime
systemMayContain: msTSMaxDisconnectionTime
systemMayContain: msTSRemoteControl
systemMayContain: msTSAllowLogon
systemMayContain: msTSHomeDrive
systemMayContain: msTSHomeDirectory
systemMayContain: msTSProfilePath
systemMayContain: msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon
systemMayContain: msDS-FailedInteractiveLogonCount
systemMayContain: msDS-LastFailedInteractiveLogonTime
systemMayContain: msDS-LastSuccessfulInteractiveLogonTime
systemMayContain: msRADIUS-SavedFramedIpv6Route
systemMayContain: msRADIUS-FramedIpv6Route
systemMayContain: msRADIUS-SavedFramedIpv6Prefix
systemMayContain: msRADIUS-FramedIpv6Prefix
systemMayContain: msRADIUS-SavedFramedInterfaceId
systemMayContain: msRADIUS-FramedInterfaceId
systemMayContain: msPKIAccountCredentials
systemMayContain: msPKIDPAPIMasterKeys
systemMayContain: msPKIRoamingTimeStamp
systemMayContain: msDS-SupportedEncryptionTypes
systemMayContain: msDS-SecondaryKrbTgtNumber
systemMayContain: pager
systemMayContain: o
systemMayContain: mobile
systemMayContain: manager
systemMayContain: mail
systemMayContain: initials
systemMayContain: homePhone
systemMayContain: businessCategory
systemMayContain: userCertificate
systemMayContain: userWorkstations
systemMayContain: userSharedFolderOther
systemMayContain: userSharedFolder
systemMayContain: userPrincipalName
systemMayContain: userParameters
systemMayContain: userAccountControl
systemMayContain: unicodePwd
systemMayContain: terminalServer
systemMayContain: servicePrincipalName
systemMayContain: scriptPath
systemMayContain: pwdLastSet
systemMayContain: profilePath
systemMayContain: primaryGroupID
systemMayContain: preferredOU
systemMayContain: otherLoginWorkstations
systemMayContain: operatorCount
systemMayContain: ntPwdHistory
systemMayContain: networkAddress
systemMayContain: msRASSavedFramedRoute
systemMayContain: msRASSavedFramedIPAddress
systemMayContain: msRASSavedCallbackNumber
systemMayContain: msRADIUSServiceType
systemMayContain: msRADIUSFramedRoute
systemMayContain: msRADIUSFramedIPAddress
systemMayContain: msRADIUSCallbackNumber
systemMayContain: msNPSavedCallingStationID
systemMayContain: msNPCallingStationID
systemMayContain: msNPAllowDialin
systemMayContain: mSMQSignCertificatesMig
systemMayContain: mSMQSignCertificates
systemMayContain: mSMQDigestsMig
systemMayContain: mSMQDigests
systemMayContain: msIIS-FTPRoot
systemMayContain: msIIS-FTPDir
systemMayContain: msDS-User-Account-Control-Computed
systemMayContain: msDS-Site-Affinity
systemMayContain: mS-DS-CreatorSID
systemMayContain: msDS-Cached-Membership-Time-Stamp
systemMayContain: msDS-Cached-Membership
systemMayContain: msDRM-IdentityCertificate
systemMayContain: msCOM-UserPartitionSetLink
systemMayContain: maxStorage
systemMayContain: logonWorkstation
systemMayContain: logonHours
systemMayContain: logonCount
systemMayContain: lockoutTime
systemMayContain: localeID
systemMayContain: lmPwdHistory
systemMayContain: lastLogonTimestamp
systemMayContain: lastLogon
systemMayContain: lastLogoff
systemMayContain: homeDrive
systemMayContain: homeDirectory
systemMayContain: groupsToIgnore
systemMayContain: groupPriority
systemMayContain: groupMembershipSAM
systemMayContain: dynamicLDAPServer
systemMayContain: desktopProfile
systemMayContain: defaultClassStore
systemMayContain: dBCSPwd
systemMayContain: controlAccessRights
systemMayContain: codePage
systemMayContain: badPwdCount
systemMayContain: badPasswordTime
systemMayContain: adminCount
systemMayContain: aCSPolicyName
systemMayContain: accountExpires
systemAuxiliaryClass: securityPrincipal
systemAuxiliaryClass: mailRecipient
defaultSecurityDescriptor: 
D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCD
  CLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)
  (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9
  819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP
  WP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD
  -0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;
  037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa
  006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA
  ;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD
  -0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e4
  8d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa00
  40529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7
  f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d
  2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)
  (OA;;WPRP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)
systemFlags: 16
defaultHidingValue: FALSE
objectCategory: 
CN=Class-Schema,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
defaultObjectCategory: 
CN=Person,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
auxiliaryClass: shadowAccount
auxiliaryClass: posixAccount
*auxiliaryClass: iscA*
whenChanged: 20120523130208.0Z
uSNChanged: 5644
distinguishedName: CN=User,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org

# returned 1 records
# 1 entries
# 0 referrals

4) Script with unixHomeDirectory

It is ok with "unixHomeDirectory", no error message, the last value is 
printed in the inputbox ...

Now I will read the wiki ...




>> user.SetInfo/
>>
>> After the execution of this script the right-click above run and I 
>> can modify the value of iscA1 attribute for user toto.
>> But I can't see the last value (given by /user.iscA1/) : always empty 
>> while in the LDAP database I can see the value is correctly set.
>>
>> Two questions :
>>
>> 1) Why does the first script fail? Why must I execute the second script 
>> first?
>>
>> 2) Why can't I see the last value of iscA1 when I run the first script?
>
> As you are using an auxiliary class this should work, can we check a few 
> things:
>
> 1) What is the output of ldbsearch -H ldap://dc_ip --cross-ncs 
> '(ldapdisplayname=iscA)'
> 2) What is the output of ldbsearch -H ldap://dc_ip --cross-ncs 
> '(auxiliaryClass=iscA)'
>
> We might have a bug in the way the auxiliary class is registered to 
> its parent class.
>
> Could you make a test with your script to set the unixHomeDirectory, 
> it is also linked to the user objectclass through the posixaccount auxiliary 
> class.
>
> Would be good to trace also the whole stuff, see
> https://wiki.samba.org/index.php/Capture_Packets
> https://wiki.samba.org/index.php/Keytab_Extraction
>
> on how to make a capture and extract the keytab in order to be able to 
> decrypt the encrypted traffic.
>
>
> Matthieu
>

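The registration check Matthieu asks for, as an added example (not code from the thread or from Samba): it parses ldbsearch's LDIF output, unfolding the continuation lines that wrap long values such as defaultSecurityDescriptor, and confirms that the auxiliary class is attached to its parent class. The embedded records are constructed from the two results above, trimmed to the attributes the check needs.

```python
from collections import defaultdict
# Constructed sample, trimmed from the two ldbsearch results in the post; the
# folded defaultSecurityDescriptor continues on a line starting with a space.
SAMPLE = """\
# record 1
dn: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
lDAPDisplayName: iscA
objectClassCategory: 3
mayContain: iscA1
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPC
 RCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)

# record 2
dn: CN=User,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
lDAPDisplayName: user
objectClassCategory: 1
auxiliaryClass: shadowAccount
auxiliaryClass: posixAccount
auxiliaryClass: iscA
"""

def parse_ldif(text):
    """One {attr_lowercased: [values]} dict per record; unfolds continuation
    lines and skips the '# ...' comment lines that ldbsearch prints."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                        # a blank line ends the record
            if current: records.append(current)
            current, last = None, None
        elif raw.startswith(" ") and last:   # folded continuation line
            current[last][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            current = defaultdict(list) if current is None else current
            last = attr.lower()
            current[last].append(value.strip())
    if current: records.append(current)
    return records

def check_aux_registration(records, aux, parent):
    """None if a class is missing; else: is aux auxiliary (objectClassCategory
    3), what may it contain, and does the parent list it in auxiliaryClass."""
    by_name = {r["ldapdisplayname"][0].lower(): r
               for r in records if "ldapdisplayname" in r}
    a, p = by_name.get(aux.lower()), by_name.get(parent.lower())
    if a is None or p is None: return None
    return {"is_auxiliary": a.get("objectclasscategory", [""])[0] == "3",
            "may_contain": a.get("maycontain", []),
            "registered": aux.lower() in map(str.lower, p.get("auxiliaryclass", []))}
```

Feed it the real output of the two ldbsearch commands in the thread (both records in one text) and a "registered": False result points at the schema, not at the VBScript.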

