[Samba] samba-tool using domain users

Marc Muehlfeld mmuehlfeld at samba.org
Fri Oct 16 15:42:25 UTC 2015


Hello Yosel,

On 16.10.2015 at 15:09, Yosel Lazaro Vera Gonzalez wrote:
> For example, I tried the following command:
> samba-tool user create jhon p@ssword -U mike
> Then the user is created without authenticating the user mike.
> Another command that I need to execute with authentication is "samba-tool fsmo transfer".
> 
> That's the whole point of an AD domain : )
> If any user could make changes to the AD database, the product would not be
> very secure.


[root@DC1 ~]# samba-tool user add xxx01 mypw -U mike
User 'xxx01' created successfully

If you run exactly the above command as "root", the account is created,
because it's done directly in sam.ldb. -U is ignored in that case. If
you do the same as a normal user, it will fail, because sam.ldb is (hopefully)
not writable by anyone other than root on your system. Example:

[mike@DC1 root]$ samba-tool user add xxx02 mypw -U mike
ltdb: tdb(/usr/local/samba/private/sam.ldb): tdb_open_ex: could not open
file /usr/local/samba/private/sam.ldb: Permission denied

Unable to open tdb '/usr/local/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///usr/local/samba/private/sam.ldb' with
backend 'tdb': Unable to open tdb '/usr/local/samba/private/sam.ldb':
Permission denied
ERROR(ldb): Failed to add user 'xxx02':  - Unable to open tdb
'/usr/local/samba/private/sam.ldb': Permission denied



However, you can create users via the LDAP interface, too (this is what,
e.g., ADUC does). In this case it doesn't matter who runs the command.
What matters is that the -U account has permission inside the AD to
create the object. Examples:

[mike@DC1 root]$ samba-tool user add xxx02 mypw -U administrator -H ldap://DC1
Password for [SAMDOM\administrator]:
User 'xxx02' created successfully



[mike@DC1 root]$ samba-tool user add xxx02 mypw -U mike -H ldap://DC1
Password for [SAMDOM\mike]:
Password for [SAMDOM\mike]:
Password for [SAMDOM\mike]:
Wrong username or password: kinit for mike@SAMDOM.EXAMPLE.COM failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
<SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://DC1' with backend 'ldap': (null)
ERROR(ldb): Failed to add user 'xxx02':  - None




Anyone here who wants to write a patch for the boring samba-tool manpage
or for the "samba-tool user add --help" output? I think some background
information and better examples would be good for both.


Regards,
Marc
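The message above relies on sam.ldb not being writable by anyone but root. The following is an added example (not code from the thread or from Samba itself) that audits exactly that on a DC; the default path is the one shown in the thread, and any other path or expected owner is a caller-supplied assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba itself: audit the
# permissions of a Samba AD DC's sam.ldb. As the post explains, samba-tool run
# as root writes sam.ldb directly and ignores -U, so the file must not be
# writable (or, since it holds password hashes, readable) by anyone but root.
# The default path is the one shown in the thread; an alternative path or
# expected owner are caller-supplied assumptions.

# check_samldb_perms FILE [OWNER]
# Returns 0 when FILE exists, is owned by OWNER (default root) and grants no
# group/other permission bits at all; otherwise prints the reason, returns 1.
check_samldb_perms() {
    file=$1
    owner=${2:-root}
    if [ ! -e "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    # GNU coreutils/busybox use -c, BSD and macOS use -f; try GNU first.
    if stat -c '%U %a' "$file" >/dev/null 2>&1; then
        set -- $(stat -c '%U %a' "$file")
    else
        set -- $(stat -f '%Su %OLp' "$file")
    fi
    actual_owner=$1
    mode=$2
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $file is owned by $actual_owner, expected $owner"
        return 1
    fi
    # Mask the group and other bits (octal 077) of the mode.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode; group/other bits must be 0"
        return 1
    fi
    echo "OK: $file is owned by $owner with mode $mode"
    return 0
}

# Usage: sh check-samldb.sh [PATH [OWNER]]; the exit status is the result.
# Example: sh check-samldb.sh /usr/local/samba/private/sam.ldb root
if [ $# -gt 0 ]; then
    check_samldb_perms "$@"
fi
```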


