[Samba] smbclient help
Rowland Penny
rpenny at samba.org
Wed Jan 13 13:16:43 UTC 2021
On 13/01/2021 09:15, jmpatagonia via samba wrote:
> Excellent Rowland, this works. With this, from the client we can make a
> script to guest ldap (via memberof property) and do gvfs-mount.
>
> Is it possible to pass to ldapsearch the Kerberos ticket (or user id/pass)
> to guest the ldap samba built-in?
>
> ldapsearch -D "cn=userid,cn=Users,dc=midominio,dc=prueba,dc=ar" -w "P@ssword"
> -h 192.168.0.165 -p 389 -b "cn=$1,cn=Users,dc=midominio,dc=prueba,dc=ar" -s
> sub "memberof=*" memberof | grep "memberOf" | sed -e "s/^memberOf: CN=//"
> -e "s/,CN=Users,DC=midominio,DC=prueba,DC=ar//"
>
> So we can guest the ldap without a prefix user, need to extract the user
> property "memberof" from ldap samba built-in, authenticating via ldap
> search with the kerberos data or similar.
>
> Regards.

There are numerous ways of doing this. You can use the machine password
(but this involves using sudo):

    sudo ldbsearch -P -H ldap://dc4 \
        -b "cn=users,$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" \
        -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf \
        | grep "memberOf" \
        | sed -e "s/^memberOf: CN=//" \
              -e "s/,CN=Users,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')//"

You can use the user's Kerberos ticket that should be created when the
user logs in:

    ldbsearch -H ldap://dc4 \
        -b "cn=users,$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" \
        -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf -k yes \
        | grep "memberOf" \
        | sed -e "s/^memberOf: CN=//" \
              -e "s/,CN=Users,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')//"

A different way using the user's Kerberos ticket and samba-tool:

    samba-tool group listmembers 'Domain Admins' -H ldap://dc4 -k yes

Rowland
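
Added example, not part of the message above: the grep/sed pipelines only strip the suffix for groups under CN=Users and read each memberOf value as one plain-text line, while LDIF may fold long lines and base64-encode values (marked with "::"). The sketch below unfolds and decodes before extracting the group name; the function names, the samdom.example.com domain and the sample records are constructed for illustration, and a `base64` that accepts `-d` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Needs POSIX sh, awk, sed and a base64
# that accepts -d (GNU coreutils assumed). All names here are hypothetical.

# samdom.example.com -> dc=samdom,dc=example,dc=com (same echo|sed idea as above)
domain_to_basedn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Read LDIF on stdin, print the first RDN value of every memberOf DN.
ldif_member_groups() {
    # Unfold first: in LDIF a line starting with one space continues the
    # previous line, so a plain grep would see only part of a long DN.
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case $line in
            [mM]ember[oO]f::\ *)   # "::" marks a base64 value (e.g. non-ASCII DN)
                dn=$(printf '%s' "${line#*:: }" | base64 -d) ;;
            [mM]ember[oO]f:\ *)
                dn=${line#*: } ;;
            *) continue ;;
        esac
        # Drop the leading CN= and everything from the first unescaped comma,
        # whatever container the group lives in.
        printf '%s\n' "$dn" | sed -e 's/^[Cc][Nn]=//' -e 's/\([^\\]\),.*$/\1/'
    done
}

# Constructed sample in the shape of ldbsearch output (hypothetical domain).
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=rowland,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Engineering Building Remote Desktop Gateway Users And Audit
 ors,OU=Groups,DC=samdom,DC=example,DC=com
memberOf:: Q049QsO8cm8sQ049VXNlcnMsREM9c2FtZG9tLERDPWV4YW1wbGUsREM9Y29t

# returned 1 records
EOF
}

# Live use with the thread's options:
#   ldbsearch -H ldap://dc4 -b "cn=users,$(domain_to_basedn "$(hostname -d)")" \
#     -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf -k yes | ldif_member_groups
sample_ldif | ldif_member_groups
```

Escaped commas inside a group name (`\,`) are kept as part of the name rather than treated as the end of the first RDN.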