[Samba] Adding users with ldif file

Rowland penny rpenny at samba.org
Sat Jul 18 15:55:02 UTC 2020


On 18/07/2020 16:51, RhineDevil wrote:
> Sat, 18 Jul 2020 15:31:36 +0100 Rowland penny via samba <samba at lists.samba.org>:
>> On 18/07/2020 15:19, RhineDevil wrote:
>>> Sat, 18 Jul 2020 14:53:26 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>> On 18/07/2020 14:47, RhineDevil wrote:
>>>>> Sat, 18 Jul 2020 14:41:31 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>>>> On 18/07/2020 14:30, RhineDevil wrote:
>>>>>>> Sat, 18 Jul 2020 14:19:25 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>>>>>> On 18/07/2020 13:52, RhineDevil wrote:
>>>>>>>>> Fri, 17 Jul 2020 19:44:37 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>>>>>>>> On 17/07/2020 19:31, RhineDevil via samba wrote:
>>>>>>>>>>> And by that I mean, where are the dbs, what should I rm -rf?
>>>>>>>>>> On Debian just remove /var/lib/samba and /var/cache/samba
>>>>>>>>>>> By the way how do I obtain current machine netbios name?
>>>>>>>>>> Depends on which netbios name, if you are referring to the one that is
>>>>>>>>>> in smb.conf 'netbios name = ?????', that is just the short hostname in
>>>>>>>>>> uppercase. If you are referring to the netbios domain name (aka
>>>>>>>>>> workgroup) then you can find this with wbinfo:
>>>>>>>>>>
>>>>>>>>>> wbinfo --own-domain
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> I tried to add ypServ30 using ldapi socket "ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi, it said
>>>>>>>>>
>>>>>>>>> `ERR: insufficient access rights : "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS <acl: unable to get access to CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld> <>" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld at block before line 5`
>>>>>>>>>
>>>>>>>>> Shouldn't give me access by default if I'm using the private system socket?
>>>>>>>> No, you still need to authenticate as a user with the required
>>>>>>>> permissions e.g. Administrator
>>>>>>>>
>>>>>>>> Also, as you are trying to update the schema, you will need to add
>>>>>>>> '/--option="dsdb:schema update allowed"=true' to the ldbmodify command/
>>>>>>>>
>>>>>>>> /Rowland/
>>>>>>>>
>>>>>>> Since I'm (g)root how could I avoid inputting any password at all?
>>>>>>> Should be possible since samba-tool never asks you a password as root
>>>>>> Then do what samba-tool does, fall back to the computers kerberos ticket
>>>>>> and add '-P' to the ldbmodify command
>>>>>>> Also what's the point of having a more private socket in /var/lib/samba/private/ldap_priv/ldapi if it asks auth credential like the "less private" socket /var/lib/samba/private/ldapi?
>>>>>> Even more security ;-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> I've already added -P to ldbmodify, what am I missing, how should I do that?
>>>> Sorry, I realised after I posted that, it only works for searching, you
>>>> will have to authenticate, this is nothing to do with Samba, it is a
>>>> Windows thing, anonymous searches/changes are not allowed.
>>>>
>>>> Rowland
>>>>
>>> Thanks for the clarification
>>> But then how does samba-tool make changes without having to authenticate?
>> It cheats, it directly modifies sam.ldb
>>
>> Rowland
>>
> It modifies the content of /var/lib/samba/private/sam.ldb.d? how does this folder work?

Just use ldapmodify or ldbmodify or samba-tool.

I am not going to help you possibly destroy your DB

Rowland





More information about the samba mailing list