[Samba] howto install sudo schema

Rowland Penny rowlandpenny at googlemail.com
Sun Aug 17 02:44:29 MDT 2014 

On 17/08/14 04:46, shadrock uhuru wrote:
> Hi all
> i have added the sudo attribute ldif and sudo class ldif files without
> errors,
> the following has also been added without errors.
>
> dn: cn=%wheel_rule,ou=SUDOers,DC=tissisat,DC=co,DC=uk
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: ALL
> sudoCommand: ALL
>
> using the info here
> https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg01792.html
> i tried to set the acl which gave me these errors
>
>
> $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
> --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk " --sddl="(A;CI;RPLCRC;;;DC)"
This should work but you have an space    ^ here,  provided that sam.ldb 
is in /etc/samba/private and dc= tissisat,dc=co,dc=uk is your rootdse.

> ERROR(ldb): uncaught exception - NULL Base DN invalid for a base search
>    File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> 163, in run
>      sid = self.find_trustee_sid(samdb, trusteedn)
>    File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> 88, in find_trustee_sid
>      scope=SCOPE_BASE)

It doesn't seem to like your rootdse, what does
ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext | grep 
'defaultNamingContext:' | sed 's|defaultNamingContext: ||'

return ?

>
> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
> dc=tissisat,dc=co,dc=uk
> '(&(objectClass=organizationalUnit)(ou=sudoers))' nTSecurityDescriptor
> no matching records - cannot edit

Try this:

sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes 
--krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub 
"(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))" 
nTSecurityDescriptor

Rowland
>
> -----------------------------
>
> could you detail the ldbsearch commands to list the attribute and class
> details to check that the records have been added correctly ?
> what is the right Base DN to set the acl ?
>
> Shadrock

More information about the samba mailing list