[Samba] Verify if Samba AD was provisioned with RFC2307

Marco Shmerykowsky marco at sce-engineers.com
Sun Jan 3 20:21:06 UTC 2021


On 2021-01-03 2:52 pm, Marco Shmerykowsky via samba wrote:
> On 2021-01-03 1:58 pm, Rowland penny via samba wrote:
>> On 03/01/2021 18:33, Marco Shmerykowsky via samba wrote:
>>> 
>>> On 2021-01-03 11:38 am, Rowland penny via samba wrote:
>>>> On 03/01/2021 15:35, Marco Shmerykowsky wrote:
>>>>> 
>>>>> 
>>>>> On 2021-01-03 10:19 am, Rowland penny via samba wrote:
>>>>>> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote:
>>>>>>> 
>>>>>>> On 2021-01-03 9:53 am, Rowland penny via samba wrote:
>>>>>>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote:
>>>>>>>>> Is there a way to confirm whether a samba AD was
>>>>>>>>> provisioned using RFC2307?
>>>>>>>> 
>>>>>>>> All that provisioning with '--use-rfc2307' does is to put
>>>>>>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join'
>>>>>>>> doesn't do this) and adds the 'ypServ30.ldif' to AD. The first
>>>>>>>> makes DCs use the uidNumber & gidNumber attributes from AD instead
>>>>>>>> of the xidNumber attributes from idmap.ldb. The second makes the
>>>>>>>> Unix attributes tabs work in ADUC, only problem is, they no longer
>>>>>>>> exist 🙁
>>>>>>>> 
>>>>>>>> All of the RFC2307 attributes are in the AD schema by default,
>>>>>>>> even if you provision without '--use-rfc2307'.
>>>>>>>> 
>>>>>>>> Rowland
>>>>>>> 
>>>>>>> I see.  The reason I ask is that I'm trying to use an extended
>>>>>>> query in a pfsense/openvpn setup and the query seems to fail. I'm
>>>>>>> fairly certain I have the query correct (although I could be wrong).
>>>>>>> 
>>>>>>> In googling I came across some discussion that RFC2307 can create
>>>>>>> issues with the extended query (https://redmine.pfsense.org/issues/9527)
>>>>>>> 
>>>>>> That link seems to refer to IPA and AD is different. For instance,
>>>>>> you cannot rely on the 'posix' objectclasses being in AD (in fact
>>>>>> anything that does is, in my opinion, broken); the 'posix'
>>>>>> objectclasses are auxiliary objectclasses of Windows objectclasses
>>>>>> and as such are not required.
>>>>>> 
>>>>>> What is your search query and what do you expect the results to be?
>>>>> 
>>>>> my query is ->
>>>>> memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com
>>>>> 
>>>>> Users who will be allowed access to the VPN are assigned to a
>>>>> security group named "VPN-Users".  I then used Softerra's ldapbrowser
>>>>> (www.ldapadministrator.com) to look at one of the users in the group
>>>>> and pulled the syntax for the "memberof" attribute that listed the
>>>>> VPN-Users group.
>>>>> 
>>>>> I would expect the extended query to validate a user who is a member
>>>>> of the VPN-Users group.
>>>> 
>>>> OK, I do not have a group called 'VPN-Users', but I do have one
>>>> called 'vpnusers', so try this (adapted for your setup):
>>>> 
>>>> ldbsearch -H ldap://samdom.example.com -b 'dc=samdom,dc=example,dc=com' -s sub \
>>>>     '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' -P
>>>> 
>>>> or using ldapsearch:
>>>> 
>>>> ldapsearch -H ldap://samdom.example.com -b 'dc=samdom,dc=example,dc=com' -s sub \
>>>>     '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' \
>>>>     -D 'cn=Administrator,dc=samdom,dc=example,dc=com' -W
>>>> 
>>>> Both of them work for myself, but the first one doesn't ask for a
>>>> password.
>>>> 
>>>> Rowland
>>> 
>>> Using ldbsearch I get the following:
>>> 
>>> # Referral
>>> ref: ldap://internal.external.com/CN=Configuration,DC=internal,DC=external,DC=com
>>> 
>>> # Referral
>>> ref: ldap://internal.external.com/DC=DomainDnsZones,DC=internal,DC=external,DC=com
>>> 
>>> # Referral
>>> ref: ldap://internal.external.com/DC=ForestDnsZones,DC=internal,DC=external,DC=com
>>> 
>>> # returned 3 records
>>> # 0 entries
>>> # 3 referrals
>> 
>> If I run:
>> 
>> ldbsearch -H ldap://samdom.example.com -b 'dc=samdom,dc=example,dc=com' -s sub \
>>     '(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland))' -P
>> 
>> I get (heavily snipped):
>> 
>> # record 1
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: securityPrincipal
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Rowland Penny
>> sn: Penny
>> ...................
>> sAMAccountName: rowland
>> memberOf: CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com
>> .........................
>> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> 
>> # Referral
>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>> 
>> # Referral
>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>> 
>> # Referral
>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>> 
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>> 
>> It doesn't matter whether I run it on a DC or a Unix domain member.
>> 
>> Perhaps I should mention that 'samdom.example.com' is the DNS domain
>> and not a FQDN.
>> 
>> Rowland
> 
> The FQDN in my test case is samba_machine.internal.external.com.
> 
> Therefore, I assume I should be replacing samdom.example.com
> with internal.external.com.
> 
> When I do that I get the following:
> 
> resolve_lmhosts: Attempting lmhosts lookup for name internal.external.com<0x20>
> Server ldap/internal.external.com at EXTERNAL.COM is not registered with
> our KDC:  Miscellaneous failure (see text): Server (krbtgt/EXTERNAL.COM at INTERNAL.EXTERNAL.COM) unknown
> gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating
> NEG_TOKEN_INIT for ldap/internal.external.com failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898235
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088235

SCRATCH THAT.  Dumb Typo.  Absolutely hate having reached the age
where I require reading glasses....

I get the following:

sAMAccountName: jdoe
sAMAccountType: 805306368
userPrincipalName: jdoe@internal.external.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=internal,DC=external,DC=com
userAccountControl: 512
memberOf: CN=VPN-users,CN=Users,DC=internal,DC=external,DC=com
pwdLastSet: 131948897865228160
lastLogonTimestamp: 132540093326519270
description: Domain User
whenChanged: 20210102195038.0Z
uSNChanged: 57065
lastLogon: 132541770435095680
logonCount: 1647
distinguishedName: CN=jdoe,CN=Users,DC=internal,DC=external,DC=com
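The thread ends once the hostname typo is fixed and the user object comes back with its memberOf value. What it does not show is what the consumer of that result (here the pfSense/OpenVPN "extended query") has to get right before trusting it: the login name spliced into the filter must be RFC 4515 escaped, the group DN has to be compared the way AD compares DNs (case-insensitively, ignoring whitespace around separators; note the thread's query used "VPN-Users" while the directory returned "VPN-users"), the referral records ldbsearch prints are not entries, and memberOf only lists direct membership, so nested groups are not matched. The following is an added example, not code from the thread, Samba or pfSense. The group DN, the sample LDIF record (assembled from the values quoted above) and the function names are constructed for illustration.

```python
"""Added example: build the pfSense-style extended LDAP query safely and
verify group membership from ldbsearch/ldapsearch LDIF output.

Everything below is hypothetical/constructed: the sample LDIF mirrors the
values quoted in the thread but was not captured from a live server."""
import re

# Constructed from the thread's query; hypothetical for this example.
GROUP_DN = "CN=VPN-Users,CN=Users,DC=internal,DC=external,DC=com"

# Constructed sample output in ldbsearch's LDIF format (not captured live).
SAMPLE_LDIF = """\
# record 1
dn: CN=jdoe,CN=Users,DC=internal,DC=external,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: jdoe
sAMAccountType: 805306368
userPrincipalName: jdoe@internal.external.com
memberOf: CN=VPN-users,CN=Users,DC=internal,DC=external,DC=com
userAccountControl: 512
distinguishedName: CN=jdoe,CN=Users,DC=internal,DC=external,DC=com

# Referral
ref: ldap://internal.external.com/CN=Configuration,DC=internal,DC=external,DC=com

# Referral
ref: ldap://internal.external.com/DC=DomainDnsZones,DC=internal,DC=external,DC=com

# Referral
ref: ldap://internal.external.com/DC=ForestDnsZones,DC=internal,DC=external,DC=com

# returned 4 records
# 1 entries
# 3 referrals
"""

# RFC 4515 escaping. A username taken from a login form must never be
# spliced raw into a filter: "*" or ")(" would rewrite the filter logic.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_vpn_filter(username: str, group_dn: str) -> str:
    """User lookup ANDed with the extended memberOf query (direct members only)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(username)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: fold continuation lines, skip '#' comments, split
    records on blank lines. Referrals come back as records with only 'ref'."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    records: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")  # first colon only: values may contain ':'
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def normalize_dn(dn: str) -> str:
    """AD matches DNs case-insensitively; split on unescaped commas and
    strip whitespace around RDNs so 'VPN-Users' == 'VPN-users'."""
    return ",".join(part.strip().lower() for part in re.split(r"(?<!\\),", dn))


def is_direct_member(records, username: str, group_dn: str) -> bool:
    """True if a returned *entry* (not a referral) for username lists group_dn
    in memberOf. Nested membership is not visible here."""
    want = normalize_dn(group_dn)
    for rec in records:
        if "dn" not in rec:
            continue                          # referral, not a user object
        names = [v.lower() for v in rec.get("sAMAccountName", [])]
        if username.lower() not in names:
            continue
        if any(normalize_dn(m) == want for m in rec.get("memberOf", [])):
            return True
    return False


if __name__ == "__main__":
    print(build_vpn_filter("jdoe", GROUP_DN))
    print(is_direct_member(parse_ldif(SAMPLE_LDIF), "jdoe", GROUP_DN))
```

The `ldbsearch -P` invocation in the thread authenticates with the caller's Kerberos credentials, which is why it needs no password prompt; a service such as pfSense will bind with its own account and password, so treat that bind DN as a low-privilege read-only principal. If VPN users are placed in nested groups, either flatten them or use a chain-matching query, which a plain `memberOf=` filter will never satisfy.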


