[Samba] howto install sudo schema

shadrock uhuru niyalevi at gmail.com
Wed Aug 20 10:16:04 MDT 2014


> > On 17/08/14 04:46, shadrock uhuru wrote:
> > > Hi all
> > > I have added the sudo attribute ldif and sudo class ldif files without
> > > errors,
> > > the following has also been added without errors.
> > >
> > > dn: cn=%wheel_rule,ou=SUDOers,DC=tissisat,DC=co,DC=uk
> > > objectClass: top
> > > objectClass: sudoRole
> > > cn: %wheel
> > > sudoUser: %wheel
> > > sudoHost: ALL
> > > sudoCommand: ALL
> > >
> > > using the info here
> > > https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg01792.html
> > > I tried to set the acl which gave me these errors
> > >
> > >
> > > $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
> > > --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk " --sddl="(A;CI;RPLCRC;;;DC)"
> > This should work but you have a space    ^ here,  provided that sam.ldb
> > is in /etc/samba/private and dc= tissisat,dc=co,dc=uk is your rootdse.
> the space was a typo error when writing the email but tried again using
> $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
> --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk" --sddl="(A;CI;RPLCRC;;;DC)"
> got the same error.
> >
> > > ERROR(ldb): uncaught exception - NULL Base DN invalid for a base search
> > >   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line
> > > 175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> > > 163, in run
> > >     sid = self.find_trustee_sid(samdb, trusteedn)
> > >   File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
> > > 88, in find_trustee_sid
> > >     scope=SCOPE_BASE)
> >
> > It doesn't seem to like your rootdse, what does
> > ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext | grep
> > 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
> >
> > return ?
> $ sudo ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext
> | grep 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
> DC=tissisat,DC=co,DC=uk
> >
> > >
> > > $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
> > > dc=tissisat,dc=co,dc=uk
> > > '(&(objectClass=organizationalUnit)(ou=sudoers))' nTSecurityDescriptor
> > > no matching records - cannot edit
> >
> > Try this:
> >
> > sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
> > --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
> > "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> > nTSecurityDescriptor
> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
> --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> nTSecurityDescriptor
>
> Invalid option --kerberos=yes: unknown option
> Usage: ldbedit <options> <expression> <attributes ...>
> Usage: [OPTION...]
>   -H, --url=URL                   database URL
>   -b, --basedn=DN                 base DN
>   -e, --editor=PROGRAM            external editor
>   -s, --scope=SCOPE               search scope
>   -v, --verbose                   increase verbosity
>       --trace                     enable tracing
>   -i, --interactive               input from stdin
>   -r, --recursive                 recursive delete
>       --modules-path=PATH         modules path
>       --num-searches=INT          number of test searches
>       --num-records=INT           number of test records
>   -a, --all                       (|(objectClass=*)(distinguishedName=*))
>       --nosync                    non-synchronous transactions
>   -S, --sorted                    sort attributes
>   -o=OPTION                       ldb_connect option
>       --controls=STRING           controls
>       --show-binary               display binary LDIF
>       --paged                     use a paged search
>       --show-deleted              show deleted objects
>       --show-recycled             show recycled objects
>       --show-deactivated-link     show deactivated links
>       --reveal                    reveal ldb internals
>       --relax                     pass relax control
>       --cross-ncs                 search across NC boundaries
>       --extended-dn               show extended DNs
> >
> > Rowland
> > >
> > > -----------------------------
> > >
> > > could you detail the ldbsearch commands to list the attribute and class
> > > details to check that the records have been added correctly ?
> > > what is the right Base DN to set the acl ?
> > >
> > >
> my samba version is
> $ samba -V
> Version 4.1.9
>
> Shadrock

Hi all
I also tried the command without the kerberos options
and still received the following error.

$ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
"(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
nTSecurityDescriptor
no matching records - cannot edit

$ sudo ldbsearch -H /etc/samba/private/sam.ldb -b
Cn=%wheel,OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub ""
# record 1
dn: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk

# returned 1 records
# 1 entries
# 0 referrals

indicates that the sudo schema is in the database,
am I just not referencing the information in the database correctly ?
are the options --kerberos=yes --krb5-ccache
from an earlier version of Samba's ldb utilities ?
I have also seen those options used in the s4bind package.
Shadrock
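As an added example (not from this thread and not part of Samba's own tools), a small Python decoder for the SDDL ACE string passed to samba-tool dsacl set above, so an admin can confirm what an ACE grants, and to whom, before applying it to the SUDOers OU. The code tables are a hand-picked subset of the standard SDDL abbreviations, and grants_only_read is a check added here, not something the thread proposes.

```python
import re

# Subset of the standard SDDL abbreviations. The same two letters mean different
# things per field: "DC" is DELETE_CHILD as a right but Domain Controllers as trustee.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
RIGHTS = {"RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD",
          "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "LO": "LIST_OBJECT",
          "SW": "SELF_WRITE", "DT": "DELETE_TREE", "CR": "CONTROL_ACCESS",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE"}
TRUSTEES = {"DC": "Domain Controllers", "DA": "Domain Admins", "DU": "Domain Users",
            "AU": "Authenticated Users", "WD": "Everyone", "SY": "Local System"}
READ_ONLY = {"READ_PROPERTY", "LIST_CHILDREN", "LIST_OBJECT", "READ_CONTROL", "GENERIC_READ"}

def _codes(field, table):
    """Split a run of two-letter codes (e.g. "RPLCRC") and map each one via table."""
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [c for c in codes if c not in table]
    if bad:
        raise ValueError("unknown code(s) %s in %r" % (bad, field))
    return [table[c] for c in codes]

def decode_ace(ace):
    """Decode one ACE "(type;flags;rights;object;inherit_object;trustee)" to a dict."""
    m = re.match(r"\(([^)]*)\)\Z", ace.strip())
    if not m or m.group(1).count(";") != 5:
        raise ValueError("ACE needs six ';'-separated fields in parentheses: %r" % ace)
    atype, flags, rights, obj, inh_obj, trustee = m.group(1).split(";")
    if atype not in ACE_TYPES:
        raise ValueError("unknown ACE type %r" % atype)
    return {"type": ACE_TYPES[atype], "flags": _codes(flags, ACE_FLAGS),
            "rights": _codes(rights, RIGHTS), "object_guid": obj or None,
            "inherit_object_guid": inh_obj or None,
            "trustee": TRUSTEES.get(trustee, trustee)}  # raw SIDs are kept verbatim

def decode_sddl(sddl):
    """Decode every ACE in a DACL fragment such as the --sddl argument in the thread."""
    aces = re.findall(r"\([^)]*\)", sddl)
    if not aces:
        raise ValueError("no ACE found in %r" % sddl)
    return [decode_ace(a) for a in aces]

def grants_only_read(aces):
    """True when no ACCESS_ALLOWED ACE grants anything beyond read/list rights."""
    return all(set(a["rights"]) <= READ_ONLY
               for a in aces if a["type"] == "ACCESS_ALLOWED")
```

For the thread's ACE, decode_sddl("(A;CI;RPLCRC;;;DC)") reports an inheritable allow ACE giving Domain Controllers read-property, list-children and read-control only.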