[Samba] howto install sudo schema
Rowland Penny
rowlandpenny at googlemail.com
Fri Aug 22 04:50:31 MDT 2014
On 21/08/14 23:12, shadrock uhuru wrote:
> Hi all
>> On 21/08/14 19:57, shadrock uhuru wrote:
>>> Hi all
>> >
>> >> OK, if I replace the path to sam.ldb & the rootdse (the dc= part) on
>> >> the ldbedit command it works, so something is going wrong on your
>> >> system, so:
>> >>
>> >> What OS
>> >> What version samba4
>> >> compiled or distro package
>> >> what version ldbtools
>> >>
>> >> You need --kerberos to actually change anything, searching is different.
>> >>
>> >> Rowland
>> >
>> > $ uname -a
>> > Linux ashanti 3.15.5-2-ARCH #1 SMP PREEMPT Fri Jul 11 07:55:51 CEST 2014
>> > i686 GNU/Linux
>> This is not your OS, it is your kernel! I think it could be a version of
>> archlinux but not sure.
> sorry the os and version is archlinux 2014-06-01
OK, so I thought that I would install archlinux in a VM and set up an S4
server, add the sudoers OU and see if I could get the
'nTSecurityDescriptor' attribute to show.
[rant on]
I gave up after I discovered that archlinux is one step up from gentoo
and it would probably take me ALL day just to get the damn thing
installed into a usable state before I could even think of installing S4!
Archlinux may be ok for playing with, but in my opinion is no good to
base a server on, you need something that if a disaster happens, you can
get back up again from bare metal asap.
Archlinux sort of reminds me of when I started to play with Linux and
you had to use the 'boot' and 'root' floppy discs, things have moved on
since then, arch seems to want to go back.
Here is my advice Shadrock, take it or leave it: set up a Debian Wheezy
server, install samba from backports, this should take you less than an
hour and you will end up with samba 4.1.11, easier maintenance and more
people to help you if something does go wrong.
[rant off]
Rowland
>>> $ samba -V
>> > Version 4.1.9
>> > $ ldbedit -V
>> > Version 4.1.9
>> > $ ldbsearch -V
>> > Version 4.1.9
>> > $ samba-tool -V
>> > 4.1.9
>> >
>> > samba was installed from a package with the standard command of #pacman
>> > -S samba.
>> >
>> > I tried
>> > $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>> > OU=SUDOers,dc=tissisat,dc=co,dc=uk
>> > this brought up the editor with this to edit
>> >
>> > # editing 1 records
>> > # record 1
>> > dn: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk
>> > cn: %wheel
>> > objectClass: top
>> > objectClass: sudoRole
>> > sudoCommand: ALL
>> > sudoHost: ALL
>> > sudoUser: %wheel
>> > distinguishedName: cn=%wheel,ou=SUDOers,DC=tissisat,DC=co,DC=uk
>> >
>> > I then tried this
>> > $ sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>> > OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
>> > "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
>> > no matching records - cannot edit
>> >
>> > Shadrock
>> Right, let's find out if you can see the OU:
>>
>> sudo ldbedit -e nano -H /etc/samba/private/sam.ldb ou=SUDOers
> no matching records - cannot edit
>> This should display the entire OU (except the nTSecurityDescriptor
>> attribute)
>>
>> If it does, try this:
>>
>> sudo ldbedit -e nano -H /etc/samba/private/sam.ldb -b
>> OU=SUDOers,dc=tissisat,dc=co,dc=uk -s sub
>> "(objectClass=organizationalUnit)" nTSecurityDescriptor
>>
>> This should display the nTSecurityDescriptor attribute.
>>
>> Just one last thought, you are running kinit as root, aren't you ?
>>
>> Rowland
> I was logged in as an unprivileged user and kinit as administrator and
> then used sudo to run the commands,
> just in case this was a problem I logged in and kinit as root in another
> shell, tried the command without sudo but it still gave me the same error.
>
> Shadrock