[Samba] howto install sudo schema

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 22 02:04:21 MDT 2014


On 21/08/14 23:12, shadrock uhuru wrote:
> Hi all
>> On 21/08/14 19:57, shadrock uhuru wrote:
>>> Hi all
>>>
>>>> OK, if I replace the path to sam.ldb & the rootdse (the dc= part) on
>>>> the ldbedit command it works, so something is going wrong on your
>>>> system, so:
>>>>
>>>> What OS
>>>> What version samba4
>>>> compiled or distro package
>>>> what version ldbtools
>>>>
>>>> You need --kerberos to actually change anything, searching is different.
>>>>
>>>> Rowland
>>>
>>> $ uname -a
>>> Linux ashanti 3.15.5-2-ARCH #1 SMP PREEMPT Fri Jul 11 07:55:51 CEST 2014
>>> i686 GNU/Linux
>> This is not your OS, it is your kernel! I think it could be a version of
>> archlinux but not sure.
> sorry, the OS and version is archlinux 2014-06-01
>
>>> $ samba -V
>>> Version 4.1.9
>>> $ ldbedit -V
>>> Version 4.1.9
>>> $ ldbsearch -V
>>> Version 4.1.9
>>> $ samba-tool -V
>>> 4.1.9
>>>
>>> samba was installed from a package with the standard command of #pacman
>>> -S samba.
>>>
>>> I tried
>>> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>>> OU=SUDOers,dc=tissisat,dc=co,dc=uk
>>> this brought up the editor with this to edit
>>>
>>> # editing 1 records
>>> # record 1
>>> dn: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk
>>> cn: %wheel
>>> objectClass: top
>>> objectClass: sudoRole
>>> sudoCommand: ALL
>>> sudoHost: ALL
>>> sudoUser: %wheel
>>> distinguishedName: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk
>>>
>>> I then tried this
>>> $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>>> OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
>>> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
>>> no matching records - cannot edit
>>>
>>> Shadrock
>> Right, let's find out if you can see the OU:
>>
>> sudo ldbedit -e nano -H /etc/samba/private/sam.ldb ou=SUDOers
> no matching records - cannot edit
>> This should display the entire OU (except the nTSecurityDescriptor
>> attribute)
>>
>> If it does, try this:
>>
>> sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>> OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
>> "(objectClass=organizationalUnit)" nTSecurityDescriptor
>>
>> This should display the nTSecurityDescriptor attribute.
>>
>> Just one last thought, you are running kinit as root, aren't you ?
>>
>> Rowland
> I was logged in as an unprivileged user and kinit as administrator and
> then used sudo to run the commands.
> Just in case this was a problem I logged in and kinit as root in another
> shell, tried the command without sudo, but it still gave me the same error.
>
> Shadrock
Hi, if running:

ldbedit -e nano -H /etc/samba/private/sam.ldb -b
OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
"(objectClass=organizationalUnit)" nTSecurityDescriptor

doesn't result in something similar to this:

# editing 1 records
# record 1
dn: OU=SUDOers,DC=example,DC=com
nTSecurityDescriptor: 
O:DAG:DAD:AI(A;CI;RPLCRC;;;DC)(A;;RPWPCRCCDCLCLORCWOWDSD
  DTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a2
  85-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;C
  CDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a28
  5-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;RPLCLORC;;;ED)(OA;;CCDC;4828cc14-143
  7-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e05
  29;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a
  768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f2020
  10-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CI
  IOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa0030
  49e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc
  -9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf96
  7aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c
  04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2
  -11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP
  ;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU
  )(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-0
  0aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0d
  e6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f6
  08;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-8
  54e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;
  ;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-1
  1d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003
  049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPW
  PCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;
  ;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
  -a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf96
  7aa5-0de6-11d0-a285-00aa003049e2;WD)

then I am lost; as I said, if I take the same command and run it
(altering it only to suit my setup) I get the above. The
'nTSecurityDescriptor' attribute has to be explicitly asked for before
it will be shown.

Can you get ldbedit to display the OU ?

Rowland
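The nTSecurityDescriptor value that ldbedit prints above is in SDDL form, and for an OU that holds sudoRole objects the interesting question for an administrator is which trustees it lets create, delete or rewrite entries (whoever can do that can grant themselves sudo on every joined host). The following is an added example, not code from this thread or from the Samba project: a small Python parser for that SDDL string that splits it into owner, group, DACL and SACL, breaks each ACE into its fields, and lists the trustees holding modify-class rights. The SAMPLE_SDDL constant is a constructed, abridged copy of the descriptor Rowland posted (most of the property-read ACEs for RU are dropped to keep it short); the alias table and the choice of which rights count as "modify" are the example's own assumptions, not anything Samba defines.

```python
"""Parse an SDDL security descriptor (the nTSecurityDescriptor form ldbedit
shows) and report which trustees can modify the object or its children.
Added example; sample descriptor is an abridged copy of the one in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Well-known SDDL trustee aliases (subset used here); anything else is a raw SID
TRUSTEE_NAMES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
    "SY": "Local System", "AU": "Authenticated Users", "WD": "Everyone",
    "ED": "Enterprise Domain Controllers", "DC": "Domain Computers",
    "AO": "Account Operators", "PO": "Printer Operators", "PS": "Principal Self",
    "RU": "Pre-Windows 2000 Compatible Access",
}
# Rights that let a trustee change the OU or plant/remove children under it
# (assumption of this example: write property, create/delete child, delete,
# delete tree, write DAC, write owner, generic all/write)
MODIFY_RIGHTS = {"WP", "CC", "DC", "SD", "DT", "WD", "WO", "GA", "GW"}

# Constructed, abridged version of the descriptor shown in the thread
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;CI;RPLCRC;;;DC)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;RPLCLORC;;;ED)"
    "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CIID;LC;;;RU)"
    "(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)


@dataclass
class Ace:
    ace_type: str            # A = allow, D = deny, OA = object allow, OU = object audit, ...
    flags: str               # CI, OI, ID, IO, SA ... concatenated
    rights: List[str]        # two-letter right codes, or a single hex value
    object_type: str         # class/attribute/property-set GUID the ACE is limited to
    inherited_object_type: str
    trustee: str


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    dacl: List[Ace] = field(default_factory=list)
    sacl_flags: str = ""
    sacl: List[Ace] = field(default_factory=list)


def _split_rights(rights: str) -> List[str]:
    """SDDL rights are either a hex mask or a run of two-letter codes."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def _parse_acl(body: str):
    """Split 'FLAGS(ace)(ace)...' into the flag string and a list of Ace."""
    first = body.find("(")
    if first < 0:
        return body, []
    aces = []
    for inner in re.findall(r"\(([^)]*)\)", body[first:]):
        fields = inner.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({inner})")
        ace_type, flags, rights, obj, inh_obj, sid = fields
        aces.append(Ace(ace_type, flags, _split_rights(rights), obj, inh_obj, sid))
    return body[:first], aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    sd = SecurityDescriptor()
    # Sections start with O: G: D: S:; a colon appears nowhere else in SDDL
    for section in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if not section:
            continue
        key, body = section[0], section[2:]
        if key == "O":
            sd.owner = body
        elif key == "G":
            sd.group = body
        elif key == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(body)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(body)
    return sd


def modifying_trustees(sd: SecurityDescriptor) -> Set[str]:
    """Trustees granted (not denied) a modify-class right in the DACL. Object
    ACEs limited to one class GUID still count: creating a child of that class
    is enough to add an object under the OU."""
    return {ace.trustee for ace in sd.dacl
            if ace.ace_type in ("A", "OA") and MODIFY_RIGHTS & set(ace.rights)}


def describe(sd: SecurityDescriptor) -> List[str]:
    lines = [f"owner={sd.owner} group={sd.group} dacl_flags={sd.dacl_flags}"]
    for ace in sd.dacl:
        who = TRUSTEE_NAMES.get(ace.trustee, ace.trustee)
        scope = f" (object {ace.object_type})" if ace.object_type else ""
        lines.append(f"  {ace.ace_type:2} [{ace.flags:6}] {'/'.join(ace.rights):42} -> {who}{scope}")
    return lines


if __name__ == "__main__":
    descriptor = parse_sddl(SAMPLE_SDDL)
    print("\n".join(describe(descriptor)))
    print("can modify:", sorted(modifying_trustees(descriptor)))
```

Run it against a real descriptor by pasting the value ldbedit shows (with the line continuations joined) in place of SAMPLE_SDDL; on the abridged sample it reports SY, DA, EA, BA and Account Operators (the latter only for creating computer-class children), while Authenticated Users and Domain Computers get read-only access.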
