[Samba] Verify if Samba AD was provisioned with RFC2037

Rowland penny rpenny at samba.org
Sun Jan 3 16:38:18 UTC 2021


On 03/01/2021 15:35, Marco Shmerykowsky wrote:
>
>
> On 2021-01-03 10:19 am, Rowland penny via samba wrote:
>> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>>>
>>> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>>>> Is there a way to confirm whether a samba AD was
>>>>> provisioned using RFC2307?
>>>>
>>>> All that provisioning with '--use-rfc2307' does is to put
>>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' doesn't
>>>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DCs use
>>>> uidNumber & gidNumber attributes from AD instead of the xidNumber
>>>> attributes from idmap.ldb. The second makes the Unix attributes tabs
>>>> work in ADUC; the only problem is, they no longer exist 🙁
>>>>
>>>> All of the RFC2307 attributes are in the AD schema by default, even if
>>>> you provision without '--use-rfc2307'.
>>>>
>>>> Rowland
>>>
>>> I see.  The reason I ask is that I'm trying to use an extended query
>>> in a pfsense/openvpn setup and the query seems to fail. I'm fairly
>>> certain I have the query correct (although I could be wrong).
>>>
>>> In googling I came across some discussion that RFC2307 can create
>>> issues with the extended query (https://redmine.pfsense.org/issues/9527)
>>>
>> That link seems to refer to IPA, and AD is different. For instance, you
>> cannot rely on the 'posix' objectclasses being in AD (in fact anything
>> that does is, in my opinion, broken); the 'posix' objectclasses are
>> auxiliary objectclasses of Windows objectclasses and as such are not
>> required.
>>
>> What is your search query and what do you expect the results to be?
>
> my query is -> 
> memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com
>
> Users who will be allowed access to the VPN are assigned to a security
> group named "VPN-Users".  I then used Softerra's ldapbrowser
> (www.ldapadministrator.com) to look at one of the users in the group and
> pulled the syntax for the "memberof" attribute that listed the VPN-User
> group.
>
> I would expect the extend query to validate a user who is a member of 
> the VPN-Users group.

OK, I do not have a group called 'VPN-Users', but I do have one called 
'vpnusers', so try this (adapted for your setup):

ldbsearch -H ldap://samdom.example.com -b 'dc=samdom,dc=example,dc=com' \
  -s sub \
  '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' \
  -P

or using ldapsearch:

ldapsearch -H ldap://samdom.example.com -b 'dc=samdom,dc=example,dc=com' \
  -s sub \
  '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' \
  -D 'cn=Administrator,dc=samdom,dc=example,dc=com' -W

Both of them work for myself, but the first one doesn't ask for a password.

Rowland
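The two answers in this thread (check the first DC's smb.conf for 'idmap_ldb:use rfc2307', and test membership with a memberOf + sAMAccountName filter) as an added, stand-alone example; it is not code from the thread or from Samba. The smb.conf fragment is constructed, and the group DN is the one from the ldbsearch command above. The filter builder escapes the username per RFC 4515 so a value passed in from a VPN login cannot alter the filter structure.

```python
# Constructed smb.conf fragment (not from the thread); on a real DC read
# /etc/samba/smb.conf instead.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""

def uses_rfc2307(smb_conf_text):
    """True if [global] sets 'idmap_ldb:use rfc2307 = yes' (what
    '--use-rfc2307' writes into the first DC's smb.conf)."""
    in_global = False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "idmap_ldb:use rfc2307":
                return value.strip().lower() in ("yes", "true", "1")
    return False

def ldap_filter_escape(value):
    """Escape the RFC 4515 special characters in a filter assertion value.
    Non-ASCII is left as-is (the RFC only requires escaping * ( ) \\ NUL)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )

def vpn_member_filter(group_dn, sam_account_name):
    """Build the filter the thread uses: member of the VPN group AND this
    account. Both values are escaped so neither can inject extra clauses."""
    return "(&(memberOf=%s)(sAMAccountName=%s))" % (
        ldap_filter_escape(group_dn),
        ldap_filter_escape(sam_account_name),
    )

if __name__ == "__main__":
    print("rfc2307 provisioned:", uses_rfc2307(SAMPLE_SMB_CONF))
    print(vpn_member_filter(
        "CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com", "rowland"))
```

The returned filter can be passed verbatim to ldbsearch or ldapsearch as in the commands above; a username such as "rowland)(sAMAccountName=*" comes out with its parentheses and asterisk escaped rather than widening the match.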
