[Samba] howto install sudo schema

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 13 02:55:35 MDT 2014


On 13/08/14 01:28, shadrock uhuru wrote:
> Hi everyone
>
> I wish to add the Microsoft Active Directory schema from the sudo
> package to my samba4 ADC.
> From what I have researched, this is what I should do.
> The Microsoft Active Directory schema and the instructions are from the
> sudo package;
> the sudo_user file is an example from the man page.
>
> ldbadd -H /etc/samba/private/sam.ldb \
>        schema.ActiveDirectory \
>        --option="dsdb:schema update allowed"=true

I would use ldbmodify instead of ldbadd and would also give the full 
path to the ldif.

>
> Does the schema need any modifications before I add it to samba?

Oh yes, it might work with Windows, but on samba4 you need to remove all 
the un-required bits, and that includes this:

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Split the ldif in two, one part containing the attributes, the other the 
objectClass.
Add the attributes first, then the objectClass.
Oh, and you have to stop samba4 before you update the schema.

> The following example allows users in group wheel to run any command on
> any host via sudo,
> dc=example,dc=com will be changed to refer to my domain.
>
> $ cat sudo_user
>
>      dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
>      objectClass: top
>      objectClass: sudoRole
>      cn: %wheel
>      sudoUser: %wheel
>      sudoHost: ALL
>      sudoCommand: ALL
>
> ldbadd -H /etc/samba/private/sam.ldb sudo_user \
>        --option="dsdb:schema update allowed"=true
>
Use ldbmodify and the full path to the ldif, and you do not need the 
'--option'; you are not modifying the schema.

> And how do I index the 'sudoUser' attribute?
Just what do you mean by 'index'? Do you mean as in allowing access to 
the sudo rules, or how to pull the rules from AD?

Rowland
> All corrections welcome.
>
> Shadrock
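
The LDIF preparation described in the reply above (drop the schemaUpdateNow block, then separate the attributes from the objectClass), as an added example that is not part of the original thread and is not code from sudo or Samba. The function name split_schema and the sample records are constructed for illustration.

```python
import re

# Constructed, shortened excerpt in the shape of a schema LDIF for AD;
# real records carry many more attributes. DC=X is a placeholder base DN.
SAMPLE = """\
dn: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoUser

dn: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoHost

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
cn: sudoRole
"""

def split_schema(ldif_text):
    """Return (attributes_ldif, classes_ldif, dropped_count)."""
    attrs, classes, dropped = [], [], 0
    for record in re.split(r"\n[ \t]*\n", ldif_text.strip()):
        lines = [l for l in record.splitlines() if not l.startswith("#")]
        if not lines:
            continue
        values = {l.split(":", 1)[1].strip().lower()
                  for l in lines if l.lower().startswith("objectclass:")}
        if any(l.lower().startswith("schemaupdatenow:") for l in lines):
            dropped += 1            # the "dn:" modify block to be removed
        elif "attributeschema" in values:
            attrs.append("\n".join(lines))
        elif "classschema" in values:
            classes.append("\n".join(lines))
        else:                       # never silently lose a record
            raise ValueError("unclassified record: " + lines[0])
    join = lambda recs: "\n\n".join(recs) + "\n"
    return join(attrs), join(classes), dropped
```

Write the two returned strings to separate files so the attributes file can be loaded first and the objectClass file second.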


