Hi Andrew,

revisiting this subject once again because I seem to have reached an impasse.

-<| Quoting Andrew Bartlett <abartlet at samba.org>, on Monday, 2018-09-24 07:14:48 PM |>-
> On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > A long time ago I posted a script to dump the machine password to
> > > stdout for the benefit of an 802.1x client, but it never had tests
> > > so didn't get in.
> > >
> > > I could see JSON working well for this also. Perhaps extend either
> > > samba-tool or net to print out the domain SID, local SID, domain
> > > member password and hostname?
> >
> > Sounds promising. I’ll look into that.

Right now I am using values obtained as follows:

- hostname: get_global_sam_name()

- local SID:
  secrets_fetch_domain_sid (get_global_sam_name(), …)
  == SECRETS/SID/CLIENTNAME in tdb

- domain SID:
  secrets_fetch_domain_sid (lp_workgroup(), …)
  == SECRETS/SID/WORKGROUPNAME

- domain member password:
  secrets_fetch_machine_password(lp_workgroup(), …)
  == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME

This approach works well with a manually joined AD member but not
with any of the blackbox testsuites. In the secrets.tdb used during
tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN) but
not the machine SID (probably SECRETS/SID/CLIENT).

How come that machine SID is absent in the tests? Is there another
means of retrieving it?

Thank you and enjoy the weekend,
Philipp

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20181012/c7947999/signature.sig>
On Fri, 2018-10-12 at 16:59 +0200, Philipp Gesang via samba wrote:
> Hi Andrew,
>
> revisiting this subject once again because I seem to have reached
> an impasse.
>
> -<| Quoting Andrew Bartlett <abartlet at samba.org>, on Monday, 2018-09-24 07:14:48 PM |>-
> > On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > > A long time ago I posted a script to dump the machine password to
> > > > stdout for the benefit of an 802.1x client, but it never had tests
> > > > so didn't get in.
> > > >
> > > > I could see JSON working well for this also. Perhaps extend either
> > > > samba-tool or net to print out the domain SID, local SID, domain
> > > > member password and hostname?
> > >
> > > Sounds promising. I’ll look into that.
>
> Right now I am using values obtained as follows:
>
> - hostname: get_global_sam_name()
>
> - local SID:
>   secrets_fetch_domain_sid (get_global_sam_name(), …)
>   == SECRETS/SID/CLIENTNAME in tdb
>
> - domain SID:
>   secrets_fetch_domain_sid (lp_workgroup(), …)
>   == SECRETS/SID/WORKGROUPNAME
>
> - domain member password:
>   secrets_fetch_machine_password(lp_workgroup(), …)
>   == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME
>
> This approach works well with a manually joined AD member but not
> with any of the blackbox testsuites. In the secrets.tdb used
> during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN)
> but not the machine SID (probably SECRETS/SID/CLIENT).
>
> How come that machine SID is absent in the tests? Is there
> another means of retrieving it?

This is due to the test environment you are running in. If you ran it
in ad_member:local it would be there.

The 'client' environment (where you don't specify a :local) is used
without the server's smb.conf or files, and doesn't have a local SID.

Also, it is only set when a source3 passdb operation happens, so AD DC
client stuff won't trigger it (for historical reasons).
I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
-<| Quoting Andrew Bartlett <abartlet at samba.org>, on Saturday, 2018-10-13 08:09:31 AM |>-
> On Fri, 2018-10-12 at 16:59 +0200, Philipp Gesang via samba wrote:
> > Hi Andrew,
> >
> > revisiting this subject once again because I seem to have reached
> > an impasse.
> >
> > -<| Quoting Andrew Bartlett <abartlet at samba.org>, on Monday, 2018-09-24 07:14:48 PM |>-
> > > On Mon, 2018-09-24 at 09:06 +0200, Philipp Gesang wrote:
> > > > > A long time ago I posted a script to dump the machine password to
> > > > > stdout for the benefit of an 802.1x client, but it never had tests
> > > > > so didn't get in.
> > > > >
> > > > > I could see JSON working well for this also. Perhaps extend either
> > > > > samba-tool or net to print out the domain SID, local SID, domain
> > > > > member password and hostname?
> > > >
> > > > Sounds promising. I’ll look into that.
> >
> > Right now I am using values obtained as follows:
> >
> > - hostname: get_global_sam_name()
> >
> > - local SID:
> >   secrets_fetch_domain_sid (get_global_sam_name(), …)
> >   == SECRETS/SID/CLIENTNAME in tdb
> >
> > - domain SID:
> >   secrets_fetch_domain_sid (lp_workgroup(), …)
> >   == SECRETS/SID/WORKGROUPNAME
> >
> > - domain member password:
> >   secrets_fetch_machine_password(lp_workgroup(), …)
> >   == SECRETS/MACHINE_DOMAIN_INFO/WORKGROUPNAME
> >
> > This approach works well with a manually joined AD member but not
> > with any of the blackbox testsuites. In the secrets.tdb used
> > during tests I find only the domain SID (e. g. SECRETS/SID/CHDCDOMAIN)
> > but not the machine SID (probably SECRETS/SID/CLIENT).
> >
> > How come that machine SID is absent in the tests? Is there
> > another means of retrieving it?
>
> This is due to the test environment you are running in. If you ran it
> in ad_member:local it would be there.

Yes, that was it. Thanks!

> The 'client' environment (where you don't specify a :local) is used
> without the server's smb.conf or files, and doesn't have a local SID.
>
> Also, it is only set when a source3 passdb operation happens, so AD DC
> client stuff won't trigger it (for historical reasons).

I’m not 100% familiar with these concepts. Until now I’ve been assuming
Samba running as a joined domain member. Does Samba as “AD DC client”
have machine credentials as well, just no local SID?

Currently the code errors out when any of the values couldn’t be
obtained. If the local SID may be absent in valid configurations this
is obviously the wrong approach.

Philipp
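Added example, not part of the thread or of Samba: a small reader for the secrets.tdb keys the thread names, written to tolerate the missing-local-SID case Andrew describes instead of erroring out. It assumes the on-disk layout of the SID values is the raw 68-byte struct dom_sid (revision, sub-authority count, 6-byte big-endian authority, 15 little-endian uint32 sub-authorities, as stored on an x86 host), that tdb keys are NUL-terminated and upper-cased as secrets_fetch_domain_sid builds them, and that the NDR-encoded SECRETS/MACHINE_DOMAIN_INFO/<WORKGROUP> blob is left opaque (decoding it needs Samba's own bindings). The store it walks is a plain dict of constructed key/value pairs so it runs offline; the optional load_secrets_tdb() helper relying on the python3-tdb module is an assumption about the binding's API and is never called by the embedded sample.

```python
import json
import os
import struct
from typing import Dict, Optional

# sizeof(struct dom_sid): rev(1) + num_auths(1) + id_auth[6] + sub_auths[15]*4
# (assumption: secrets_store_domain_sid() writes the whole C struct verbatim)
DOM_SID_SIZE = 68
MAX_SUB_AUTHS = 15

SID_PREFIX = "SECRETS/SID"
DOMAIN_INFO_PREFIX = "SECRETS/MACHINE_DOMAIN_INFO"


def secrets_key(prefix: str, name: str) -> bytes:
    """Build a secrets.tdb key the way Samba does: upper-cased, NUL-terminated."""
    return f"{prefix}/{name.upper()}".encode("ascii") + b"\x00"


def unpack_dom_sid(blob: bytes) -> str:
    """Decode a raw struct dom_sid into S-R-A-S1-S2-... string form."""
    if len(blob) != DOM_SID_SIZE:
        raise ValueError(f"dom_sid blob must be {DOM_SID_SIZE} bytes, got {len(blob)}")
    rev, num_auths = struct.unpack_from("<Bb", blob, 0)
    if not 0 <= num_auths <= MAX_SUB_AUTHS:
        raise ValueError(f"bad sub-authority count {num_auths}")
    id_auth = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian on the wire
    subs = struct.unpack_from(f"<{MAX_SUB_AUTHS}I", blob, 8)[:num_auths]
    return "-".join(["S", str(rev), str(id_auth)] + [str(s) for s in subs])


def pack_dom_sid(sid: str) -> bytes:
    """Inverse of unpack_dom_sid(); used here only to build constructed test data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID string: {sid!r}")
    rev, id_auth = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHS:
        raise ValueError("too many sub-authorities")
    padded = subs + [0] * (MAX_SUB_AUTHS - len(subs))
    return (struct.pack("<Bb", rev, len(subs))
            + id_auth.to_bytes(6, "big")
            + struct.pack(f"<{MAX_SUB_AUTHS}I", *padded))


def dump_member_secrets(store: Dict[bytes, bytes], hostname: str, workgroup: str) -> dict:
    """Collect the values the thread wants in one JSON-able dict.

    A missing local SID is reported as None rather than treated as an error,
    since (per the thread) valid configurations can lack SECRETS/SID/<HOSTNAME>.
    The machine password blob is only reported as present/absent: it is a
    credential, and its NDR encoding is not decoded here.
    """
    local_blob = store.get(secrets_key(SID_PREFIX, hostname))
    domain_blob = store.get(secrets_key(SID_PREFIX, workgroup))
    info_blob = store.get(secrets_key(DOMAIN_INFO_PREFIX, workgroup))
    return {
        "hostname": hostname,
        "workgroup": workgroup,
        "local_sid": unpack_dom_sid(local_blob) if local_blob else None,
        "domain_sid": unpack_dom_sid(domain_blob) if domain_blob else None,
        "machine_domain_info_present": info_blob is not None,
    }


def load_secrets_tdb(path: str) -> Dict[bytes, bytes]:
    """Snapshot a real secrets.tdb (assumes python3-tdb; read-only open)."""
    import tdb  # assumption: Samba's tdb binding, only on a Samba host
    db = tdb.Tdb(path, 0, tdb.DEFAULT, os.O_RDONLY)
    try:
        return {key: db.get(key) for key in db}
    finally:
        db.close()


# Constructed sample store mimicking an ad_member:local secrets.tdb (not real data).
SAMPLE_HOST = "client"
SAMPLE_WORKGROUP = "chdcdomain"
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_LOCAL_SID = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_STORE: Dict[bytes, bytes] = {
    secrets_key(SID_PREFIX, SAMPLE_WORKGROUP): pack_dom_sid(SAMPLE_DOMAIN_SID),
    secrets_key(SID_PREFIX, SAMPLE_HOST): pack_dom_sid(SAMPLE_LOCAL_SID),
    secrets_key(DOMAIN_INFO_PREFIX, SAMPLE_WORKGROUP): b"\x01\x00\x00\x00opaque-ndr",
}
# The 'client' test environment from the thread: same store minus the local SID.
CLIENT_ENV_STORE = {k: v for k, v in SAMPLE_STORE.items()
                    if k != secrets_key(SID_PREFIX, SAMPLE_HOST)}

if __name__ == "__main__":
    print(json.dumps(dump_member_secrets(SAMPLE_STORE, SAMPLE_HOST, SAMPLE_WORKGROUP), indent=2))
    print(json.dumps(dump_member_secrets(CLIENT_ENV_STORE, SAMPLE_HOST, SAMPLE_WORKGROUP), indent=2))
```

Run it as a script to see both shapes of output: with the local SID present and, for the 'client' environment case from the thread, with `"local_sid": null`. Against a live secrets.tdb you would pass `load_secrets_tdb("/var/lib/samba/private/secrets.tdb")` (path is an assumption; it varies by build) to `dump_member_secrets()` with the values of `get_global_sam_name()` and `lp_workgroup()`, and do so as root only, since the file holds the machine credential.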