[Samba] howto install sudo schema

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 20 10:38:59 MDT 2014


On 20/08/14 17:16, shadrock uhuru wrote:
>>> On 17/08/14 04:46, shadrock uhuru wrote:
>>>> Hi all
>>>> i have added the sudo attribute ldif and sudo class ldif files without
>>>> errors,
>>>> the following has also been added without errors.
>>>>
>>>> dn: cn=%wheel_rule,ou=SUDOers,DC=tissisat,DC=co,DC=uk
>>>> objectClass: top
>>>> objectClass: sudoRole
>>>> cn: %wheel
>>>> sudoUser: %wheel
>>>> sudoHost: ALL
>>>> sudoCommand: ALL
>>>>
>>>> using the info here
>>>> https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg01792.html
>>>> i tried to set the acl which gave me these errors
>>>>
>>>>
>>>> $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
>>>> --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk " --sddl="(A;CI;RPLCRC;;;DC)"
>>> This should work but you have a space    ^ here,  provided that sam.ldb
>>> is in /etc/samba/private and dc= tissisat,dc=co,dc=uk is your rootdse.
>> the space was a typo error when writing the email but tried again using
>> $ sudo samba-tool dsacl set -H /etc/samba/private/sam.ldb
>> --objectdn="OU=SUDOers,dc=tissisat,dc=co,dc=uk" --sddl="(A;CI;RPLCRC;;;DC)"
>> got the same error.
>>>
>>>> ERROR(ldb): uncaught exception - NULL Base DN invalid for a base search
>>>>    File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line
>>>> 175, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
>>>> 163, in run
>>>>      sid = self.find_trustee_sid(samdb, trusteedn)
>>>>    File "/usr/lib/python2.7/site-packages/samba/netcmd/dsacl.py", line
>>>> 88, in find_trustee_sid
>>>>      scope=SCOPE_BASE)
>>>
>>> It doesn't seem to like your rootdse, what does
>>> ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext | grep
>>> 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
>>>
>>> return ?
>> $ sudo ldbsearch -H ldap://localhost -s base -b "" defaultNamingContext
>> | grep 'defaultNamingContext:' | sed 's|defaultNamingContext: ||'
>> DC=tissisat,DC=co,DC=uk
>>>
>>>>
>>>> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>>>> dc=tissisat,dc=co,dc=uk
>>>> '(&(objectClass=organizationalUnit)(ou=sudoers))' nTSecurityDescriptor
>>>> no matching records - cannot edit
>>>
>>> Try this:
>>>
>>> sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
>>> --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
>>> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
>>> nTSecurityDescriptor
>> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb --kerberos=yes
>> --krb5-ccache=/tmp/krb5cc_0 -b OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
>> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
>> nTSecurityDescriptor
>>
>> Invalid option --kerberos=yes: unknown option
>> Usage: ldbedit <options> <expression> <attributes ...>
>> Usage: [OPTION...]
>>    -H, --url=URL                   database URL
>>    -b, --basedn=DN                 base DN
>>    -e, --editor=PROGRAM            external editor
>>    -s, --scope=SCOPE               search scope
>>    -v, --verbose                   increase verbosity
>>        --trace                     enable tracing
>>    -i, --interactive               input from stdin
>>    -r, --recursive                 recursive delete
>>        --modules-path=PATH         modules path
>>        --num-searches=INT          number of test searches
>>        --num-records=INT           number of test records
>>    -a, --all                       (|(objectClass=*)(distinguishedName=*))
>>        --nosync                    non-synchronous transactions
>>    -S, --sorted                    sort attributes
>>    -o=OPTION                       ldb_connect option
>>        --controls=STRING           controls
>>        --show-binary               display binary LDIF
>>        --paged                     use a paged search
>>        --show-deleted              show deleted objects
>>        --show-recycled             show recycled objects
>>        --show-deactivated-link     show deactivated links
>>        --reveal                    reveal ldb internals
>>        --relax                     pass relax control
>>        --cross-ncs                 search across NC boundaries
>>        --extended-dn               show extended DNs
>>>
>>> Rowland
>>>>
>>>> -----------------------------
>>>>
>>>> could you detail the ldbsearch commands to list the attribute and class
>>>> details to check that the records have been added correctly ?
>>>> what is the right Base DN to set the acl ?
>>>>
>>>>
>> my samba version is
>> $ samba -V
>> Version 4.1.9
>>
>> Shadrock
> Hi all
> i also tried the command without the kerberos options
> and still received the following error.
>
> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
> OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> nTSecurityDescriptor
> no matching records - cannot edit
>
> $ sudo ldbsearch -H /etc/samba/private/sam.ldb -b
> Cn=%wheel,OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub ""
> # record 1
> dn: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> indicates that the sudo schema is in the database,
> am i just not referencing the information in the database correctly ?
> are the options --kerberos=yes --krb5-ccache
> from a earlier version of samba,s ldb utilities ?
> i have also seen those options used in the s4bind package.
> Shadrock
>
OK, if I replace the path to sam.ldb & the rootdse (the dc= part) on 
the ldbedit command it works, so something is going wrong on your 
system, so:

What OS
What version samba4
compiled or distro package
what version ldbtools

You need --kerberos to actually change anything, searching is different.

Rowland
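The --sddl value in the quoted samba-tool dsacl set command, (A;CI;RPLCRC;;;DC), is what decides who may read the sudo rules stored in the SUDOers OU. As an added example (not code from the thread or from the Samba project), the Python below decodes such SDDL ACE strings into their type, inheritance flags, rights and trustee, so the grant can be reviewed before it is applied. The token tables are a subset of the Active Directory SDDL abbreviations, not the full grammar.

```python
import re

# Added example (not from the thread or from Samba): decode the SDDL ACE strings
# that samba-tool dsacl set takes via --sddl.  Tables cover common AD tokens only.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHTS = {"RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD",
          "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "RC": "READ_CONTROL",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE", "GA": "GENERIC_ALL"}
# "DC" is DELETE_CHILD in the rights field but Domain Computers as a trustee.
TRUSTEES = {"DC": "Domain Computers", "DU": "Domain Users", "DA": "Domain Admins",
            "AU": "Authenticated Users", "WD": "Everyone", "SY": "Local System"}

def _tokens(field, table):
    """Split a run of two-letter SDDL tokens and map each one through table."""
    if len(field) % 2:
        raise ValueError("odd-length token run: %r" % field)
    tokens = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [t for t in tokens if t not in table]
    if unknown:
        raise ValueError("unknown SDDL token(s): %s" % ", ".join(unknown))
    return [table[t] for t in tokens]

def parse_ace(ace):
    """Decode one '(type;flags;rights;object_guid;inherit_guid;trustee)' ACE."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m:
        raise ValueError("ACE must be enclosed in parentheses: %r" % ace)
    fields = m.group(1).split(";")
    if len(fields) != 6:
        raise ValueError("an ACE has six ';'-separated fields, got %d" % len(fields))
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    return {
        "type": ACE_TYPES[ace_type],
        "flags": _tokens(flags, ACE_FLAGS),
        # Rights may also be a hex access mask; keep that form verbatim.
        "rights": rights if rights.startswith("0x") else _tokens(rights, RIGHTS),
        "object_type": obj_guid or None,
        "inherited_object_type": inh_guid or None,
        # Trustee is a two-letter alias or a literal S-1-... SID string.
        "trustee": TRUSTEES.get(trustee, trustee),
    }

def parse_aces(sddl):
    """Decode every ACE in a fragment such as '(A;CI;RPLCRC;;;DC)(A;;RP;;;AU)'."""
    return [parse_ace(a) for a in re.findall(r"\([^()]*\)", sddl)]
```

For the thread's ACE the decoder reports that Domain Computers get read-property, list-children and read-control on the OU and, through CI, on containers beneath it, with no write right granted.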


