[Samba] Samba 4 "Services for UNIX"? [SOLVED]

Robert Moggach rob at dashing.tv
Wed Jan 9 17:50:55 MST 2013


To get the automount schema to work with the git checkout of samba 4 I had
to modify the automount schema files and separate the attributes from the
classes. I also discovered that it's required to have the
ntSecurityDescriptor , instanceType, and objectCategory attributes. Without
these it will crash whenever you try to browse... I did alot of stopping
samba, tarring of /usr/local/samba and untarring to finally get here...

Here's the ldif for the automount attributes I used:

dn: CN=automountMapName,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountKey,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountInformation,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22<DOMAIN>
isSingleValued: TRUE
systemOnly: FALSE

 Here's the ldif for the automount classes:

dn: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: automountMapName
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
defaultHidingValue: TRUE
systemOnly: FALSE

dn: CN=automount,CN=Schema,CN=Configuration,<DOMAIN>
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,<DOMAIN>
defaultHidingValue: TRUE
systemOnly: FALSE

 These were added to the directory using the following commands:

ldbmodify -H /usr/local/samba/private/sam.ldb
/root/SAMBA4/automount/01_attr.ldif --option="dsdb:schema update
allowed"=true
ldbmodify -H /usr/local/samba/private/sam.ldb
/root/SAMBA4/automount/02_class.ldif --option="dsdb:schema update
allowed"=true

 Now here's what I did for the actual records. First I created a new OU
tree called Automounts and then three OU's beneath that for Mac, Linux,
Homeless. Mac uses auto_master and linux uses auto.master but I prefer to
have them in separate branches.

Here's a sample record:

dn: automountMapName=auto_master,OU=Mac,OU=Automounts,<DOMAIN>
objectClass: automountMap
objectClass: top
automountMapName: auto_master
description: Mac OS X Master Autofs map
ntSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
ObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,<DOMAIN>
instanceType: 4


These couldn't be added with the above string so instead I used the
following:

 ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=<DOMAIN>.ldb -U
administrator 03_smb_maps.ldif

 To understand the ntSecurityDescriptor attribute I had to learn all about
SDDL syntax and then by trial and error realize I needed to use hex format.
The following links were invaluable.

http://www.netid.washington.edu/documentation/domains/sddl.aspxhttp://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspxhttp://www.windowsitpro.com/article/security/defining-an-ad-object-s-default-security-descriptor

 Further... this little python snippet helped me remember how to add hex
....

#!/usr/bin/python

GA=int('0x10000000',0)
GR=int('0x10000000',0)
GW=int('0x10000000',0)
GX=int('0x10000000',0)
RC=int('0x20000',0)
SD=int('0x10000',0)
WD=int('0x40000',0)
WO=int('0x80000',0)
RP=int('0x00000010',0)
WP=int('0x00000020',0)
CC=int('0x00000001',0)
DC=int('0x00000002',0)
LC=int('0x00000004',0)
SW=int('0x00000008',0)
LO=int('0x00000080',0)
DT=int('0x00000040',0)
CR=int('0x00000100',0)

PERMS = {
    'All Perms ': RC+SD+WD+WO+RP+WP+CC+DC+LC+SW+LO+DT+CR,
    'Read Only ': RP+LC+LO+RC
}

for key,value in PERMS.items():
    print key, value, hex(value)


I hope this helps others to avoid frustration.

Rob




On Wed, Jan 9, 2013 at 2:23 PM, Robert Moggach <rob at dashing.tv> wrote:

> I have a little more information about the issues I'm having:
>
> When I try to create automountMap or automount objects in the directory
> using Apache Directory Studio it fails because I need to add the following
> attributes:
>
> instanceType
> ntSecurityDescriptor
> objectCategory
>
> Can someone enlighten me on the correct value for these attributes?
>
> thanks,
>
> Rob
>
>
>
> On Tue, Jan 8, 2013 at 6:43 PM, Robert Moggach <rob at dashing.tv> wrote:
>
>> I've solved getting the schema into the directory... and I thought I
>> populated my automount maps...
>> but the directory is unbrowseable -
>>
>> Getting closer... I keep getting the following error:
>>
>> *acl_read: cannot get descriptor of automountMap... etc. etc.*
>>
>>
>> Steps I took...
>> 1) I had changed the Default-First-Site-Name to something more
>> appropriate and changing that back seemed like a good place to start even
>> though fsmo was showing me as the SchemaMaster -
>>
>> 2) At this point I was able to get the schema loaded... almost... ldapadd
>> didn't like attributes and class in the same ldif... and then I had to
>> restart samba to add the class file... ugh... use ldbmodify! I edited the
>> automount.ldif schema file to be two files - one for the attributes and a
>> second for the classes
>>
>> I added the schema using the following two commands:
>>
>> ldbmodify -H /usr/local/samba/private/sam.ldb
>> /root/SAMBA4/automount/autofs_attr.ldif --option="dsdb:schema update
>> allowed"=true
>>
>> ldbmodify -H /usr/local/samba/private/sam.ldb
>> /root/SAMBA4/automount/autofs_class.ldif --option="dsdb:schema update
>> allowed"=true
>>
>> 4) I then tried to add the automount records with ldbmodify with no luck
>> ...
>> ldbmodify -H /usr/local/samba/private/sam.ldb
>> /root/SAMBA4/automount/03_autofs_maps.ldif
>> ...
>> Sorting rpmd with attid exception 3 rDN=CN
>> DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
>> ERR: (Naming violation) "objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for
>> objectclass 'automountMap'!" on DN
>> automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at
>> block before line 41
>> Modify failed after processing 5 records
>>
>> Weird... solved that by doing the following, but now i have all kinds of
>> acl_read errors
>>
>> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb
>> 03_autofs_maps.ldif
>>
>> ldapsearch gives me the following:
>>
>> result: 1 Operations errorsearch: 5
>> result: 1 Operations error
>> text: acl_read: cannot get descriptor of automountMapName=...
>>
>> weird? how do I add acls?
>>
>> The following shows the whole directory as expected... but I need ldap to
>> work for autofs!
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb
>>
>> So can someone tell me how to get acls added for my objects?
>>
>>
>>
>>
>> Samba version: 4.1.0pre1-GIT-94f11e9
>> Build environment:
>>    Build host:  Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec
>> 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>>
>>
>>
>>
>>
>


More information about the samba mailing list