[Samba] Fwd: Migrating server

Harry Jede walk2sun at arcor.de
Mon Mar 5 13:44:47 UTC 2018


On Monday, 5 March 2018, 14:22:13 CET, Harry Jede via samba wrote:
> On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> > Hi Gruss,
> > 
> > At this stage there is only one server, running 3.6.25 on
> > Ubuntu 12.04. The plan is to get LDAP to work on this one. Then add the
> > second server, 4.x, and promote it to BDC, and then demote this
> > one. Just as a side note: we didn't want to go tdbsam in both as I
> > read it breaks the domain trust.
> > 
> > The domain names are real ones.
> > 
> > I ran the commands you suggested; nothing in reply. I tried
> > ldapi:// and ldap://sam3dc.mydomain.
> 
> You are using Ubuntu, which uses Debian slapd packages, so ldapi must
> work. The advantage of ldapi: you can access your LDAP server as the Unix
> root user via SASL EXTERNAL authentication. So these two switches must
> be used:
> 
> -Y EXTERNAL
> -H ldapi:///
> 
> 3 examples returning only the dn:
> 
> very long version (default):
> -----
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -Y EXTERNAL
> -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <dc=afrika,dc=xx> with scope subtree
> # filter: sambasid=S-1-5-21-1507708399-2130971284-2230424465-500
> # requesting: dn
> #
> 
> # Administrator, people, accounts, afrika.xx
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> -----
> 
> short version (without ldif messages):
> -----
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY
> EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
> 
> -----
> very short version (without ldif and sasl messages):
> -----
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY
> EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn 2>/dev/null
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
> 
> The last version is best for scripting. The SASL messages show
> that the user with uidNumber 0 and gidNumber 0, aka root:root,
> has been authenticated.
> 
> 
> ldap://sam3dc.mydomain must work with -D and -W or -w secret:
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -xLLL -D
> uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx -W -b
> dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
> Enter LDAP Password:
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
> 
> > Let me run through what I did:
> > /etc/ldap/ldap.conf:
> > BASE    dc=mydomain
> > URI     ldap://sam3dc.mydomain
> > TLS_CACERT /etc/ldap/ca_certs.pem
> > 
> > Imported the samba.ldif from the 3.6.25 binaries.
> > 
> > Imported the indices
> > 
> > dn: olcDatabase={1}hdb,cn=config
> > changetype: modify
> > add: olcDbIndex
> > olcDbIndex: ou eq
> > olcDbIndex: mail eq
> > olcDbIndex: surname eq
> > olcDbIndex: givenname eq
> > olcDbIndex: loginShell eq
> > olcDbIndex: uniqueMember eq,pres
> > olcDbIndex: sambaSID eq
> > olcDbIndex: sambaPrimaryGroupSID eq
> > olcDbIndex: sambaGroupType eq
> > olcDbIndex: sambaSIDList eq
> > olcDbIndex: sambaDomainName eq
> > olcDbIndex: default sub
> > olcDbIndex: nisMapName eq
> > olcDbIndex: nisMapEntry eq
> > add: olcAccess
> > olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by
> > self write by * read
> > olcAccess: to
> > attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
> > by dn="cn=admin,dc=mydomain" write by self write by * none
> Here I retrieve the access rules for OpenLDAP as the root user.
> This works even if I don't know the admin password.
> 
> # ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub
> 'olcaccess=*' olcaccess
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: olcDatabase={-1}frontend,cn=config
> olcAccess: {0}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> manage by * break
> olcAccess: {1}to dn.exact="" by * read
> olcAccess: {2}to dn.base="cn=Subschema" by * read
> 
> dn: olcDatabase={0}config,cn=config
> olcAccess: {0}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> manage by * break
> 
> dn: olcDatabase={1}hdb,cn=config
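As an added example (not part of the thread), a small Python helper for the scripting use Harry describes: it builds the `ldapsearch -LLL -Y EXTERNAL -H ldapi:///` call for a sambaSID lookup, parses the LDIF it prints (re-joining folded lines and decoding `attr::` base64 values), and refuses anything other than exactly one matching entry. The base DN and domain SID are the ones from the post; `CONSTRUCTED_OUTPUT` and `fake_run` are constructed stand-ins so the code runs without a slapd.

```python
import base64
import subprocess

def build_ldapsearch_argv(base, domain_sid, rid):
    """ldapsearch(1) argv as in the post: -LLL plain LDIF, -Y EXTERNAL (SASL/EXTERNAL
    over the ldapi socket, i.e. authenticated as local root), -H ldapi:///.
    A list, not a shell string, so the SID and filter are never shell-interpolated."""
    return ["ldapsearch", "-LLL", "-Y", "EXTERNAL", "-H", "ldapi:///", "-b", base,
            "-s", "sub", f"(sambaSID={domain_sid}-{rid})", "dn"]

def parse_ldif_entries(text):
    """Parse -LLL output: blank lines separate entries, a leading space continues
    the previous line, and 'attr:: value' carries a base64-encoded value."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]            # re-join a folded LDIF line
        else:
            logical.append(line)
    entries, current = [], {}
    for line in logical + [""]:                # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries

def sid_to_dn(base, domain_sid, rid, run=subprocess.run):
    """DN of the one account whose sambaSID is <domain_sid>-<rid>; `run` is
    subprocess.run-compatible so the lookup can be exercised without a slapd."""
    proc = run(build_ldapsearch_argv(base, domain_sid, rid), capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"ldapsearch exited {proc.returncode}: {proc.stderr.strip()}")
    dns = [e["dn"][0] for e in parse_ldif_entries(proc.stdout) if "dn" in e]
    if len(dns) != 1:                          # missing or duplicated SID: do not guess
        raise LookupError(f"expected exactly one entry for RID {rid}, found {len(dns)}")
    return dns[0]

# Constructed stand-in for ldapsearch output: the post's Administrator entry, with
# its DN folded across two lines the way ldapsearch wraps long values.
CONSTRUCTED_OUTPUT = "dn: uid=Administrator,ou=people,ou=accounts,\n dc=afrika,dc=xx\n\n"

def fake_run(argv, **kwargs):
    return subprocess.CompletedProcess(argv, 0, stdout=CONSTRUCTED_OUTPUT, stderr="")
```

Calling `sid_to_dn("dc=afrika,dc=xx", "S-1-5-21-1507708399-2130971284-2230424465", 500)` with the default `run` performs the real lookup as root over ldapi; pass `run=fake_run` to exercise the parsing offline.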