[Samba] howto install sudo schema
shadrock uhuru
niyalevi at gmail.com
Wed Aug 20 10:16:04 MDT 2014
> >/ On 17/08/14 04:46, shadrock uhuru wrote:
> />/ >/ Hi all
> />/ />/ i have added the sudo attribute ldif and sudo class ldif files without
> />/ />/ errors,
> />/ />/ the following has also been added without errors.
> />/ />/
> />/ />/ dn: cn=%wheel_rule,ou=SUDOers,DC=tissisat,DC=co,DC=uk
> />/ />/ objectClass: top
> />/ />/ objectClass: sudoRole
> />/ />/ cn: %wheel
> />/ />/ sudoUser: %wheel
> />/ />/ sudoHost: ALL
> />/ />/ sudoCommand: ALL
> />/ />/
> />/ />/ using the info here
> />/ />/ https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg01792.html
> />/ />/ i tried to set the acl which gave me these errors
> />/ />/
> />/ />/
> />/ />/ $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
> />/ />/ --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk " --sddl="(A;CI;RPLCRC;;;DC)"
> />/ /This should work but you have an space ^ here, provided that sam.ldb
> />/ is in /etc/samba/private and dc= tissisat,dc=co,dc=uk is your rootdse.
> /the space was a typo error when writing the email but tried again using
> $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
> --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk" --sddl="(A;CI;RPLCRC;;;DC)"
> got the same error.
> >/
> />/ >/ ERROR(ldb): uncaught exception - NULL Base DN invalid for a base search
> />/ />/ File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line
> />/ />/ 175, in _run
> />/ />/ return self.run(*args, **kwargs)
> />/ />/ File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> />/ />/ 163, in run
> />/ />/ sid = self.find_trustee_sid(samdb, trusteedn)
> />/ />/ File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> />/ />/ 88, in find_trustee_sid
> />/ />/ scope=SCOPE_BASE)
> />/ /
> />/ It doesn't seem to like your rootdse, what does
> />/ ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext | grep
> />/ 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
> />/
> />/ return ?
> /$ sudo ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext
> |/ grep 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
> /DC=tissisat,DC=co,DC=uk
> >/
> />/ >/
> />/ />/ $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
> />/ />/ dc=tissisat,dc=co,dc=uk
> />/ />/ '(&(objectClass=organizationalUnit)(ou=sudoers))' nTSecurityDescriptor
> />/ />/ no matching records - cannot edit
> />/ /
> />/ Try this:
> />/
> />/ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
> />/ --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
> />/ "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> />/ nTSecurityDescriptor
> /$ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
> --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> nTSecurityDescriptor
>
> Invalid option --kerberos=yes: unknown option
> Usage: ldbedit <options> <expression> <attributes ...>
> Usage: [OPTION...]
> -H, --url=URL database URL
> -b, --basedn=DN base DN
> -e, --editor=PROGRAM external editor
> -s, --scope=SCOPE search scope
> -v, --verbose increase verbosity
> --trace enable tracing
> -i, --interactive input from stdin
> -r, --recursive recursive delete
> --modules-path=PATH modules path
> --num-searches=INT number of test searches
> --num-records=INT number of test records
> -a, --all (|(objectClass=*)(distinguishedName=*))
> --nosync non-synchronous transactions
> -S, --sorted sort attributes
> -o=OPTION ldb_connect option
> --controls=STRING controls
> --show-binary display binary LDIF
> --paged use a paged search
> --show-deleted show deleted objects
> --show-recycled show recycled objects
> --show-deactivated-link show deactivated links
> --reveal reveal ldb internals
> --relax pass relax control
> --cross-ncs search across NC boundaries
> --extended-dn show extended DNs
> >/
> />/ Rowland
> />/ >/
> />/ />/ -----------------------------
> />/ />/
> />/ />/ could you detail the ldbsearch commands to list the attribute and class
> />/ />/ details to check that the records have been added correctly ?
> />/ />/ what is the right Base DN to set the acl ?
> />/ />/
> />/ />/ /
> /my samba version is*/
> /*$ samba -V
> Version 4.1.9
>
> /Shadrock
Hi all
i also tried the command without the kerberos options
and still received the following error.
$ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
"(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
nTSecurityDescriptor
no matching records - cannot edit
$ sudo ldbsearch -H /etc/samba/private/sam.ldb -b
Cn=%wheel,OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub ""
# record 1
dn: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk
# returned 1 records
# 1 entries
# 0 referrals
indicates that the sudo schema is in the database,
am i just not referencing the information in the database correctly ?
are the options --kerberos=yes --krb5-ccache
from a earlier version of samba,s ldb utilities ?
i have also seen those options used in the s4bind package.
Shadrock
More information about the samba
mailing list