Franta Hanzlík
2019-Mar-27 02:50 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Tue, 26 Mar 2019 09:29:41 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 26 Mar 2019 05:18:20 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
>
> > Hi Tim and Rowland, thanks for Your support!
> > I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba
> > versions require Python3), but You are right, here in DB can be
> > problem
> > - first Samba AD DC was created by migrating Samba3 NT4 domain to
> > Samba4 AD cca week ago (using 'samba-tool domain classicupgrade ...',
> > according to Samba Wiki):
> >
> > [root@dc1 samba]# samba-tool dbcheck
> > Checking 701 objects
> > NOTE: old (due to rename or delete) DN string component for
> > lastKnownParent in object CN=RID
> > Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted
> > Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain
> > Controllers,DC=zamecek,DC=home Not fixing old string component
>
> You can ignore lines like that, the '\0ADEL' means it is a deleted
> object and will eventually go away.
>
> > > 2. Try dumping the object it's failing on, just to see if there's
> > > anything odd with the objectClass attributes. E.g.
> > > ldbsearch -H ldap://$SERVER -b
> > > 'CN=Administrator,CN=Users,DC=zamecek,DC=home'
> >
> > [root@dc1 samba]# ldbsearch
> > -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb
> > '(CN=Administrator)'
>
> Do not touch the files found under 'sam.ldb.d', use the 'sam.ldb' file
> instead, or use the 'ldbsearch' as shown, not that it would work for
> what you require, it should have been something like this:
>
> ldbsearch -H ldap://dc4 -UAdministrator -b
> 'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' -s base
> nTSecurityDescriptor
>
> Which (after you enter Administrator's password) should produce
> something like this:
>
> # record 1
> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
>  CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
>  ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
>  1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
>  A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
>  -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
>  ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
>  -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
>  U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
>  -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
>  RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
>  0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
>  967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
>  d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
>  -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
>  RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
>  RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
>  0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
>  37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
>  ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
>  0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
>  9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
>  ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
>  ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
>  00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
>  437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
>  9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
>  4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
>  d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
>  D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
>  2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
>  RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
>  -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
>  4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
>  PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
>  0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
>  11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

I'm still confused, there is something I still miss, some joining piece -
'ldbsearch', as You recommended use it, fail with error '-U: unknown
option':

[root@dc1 samba]# ldbsearch -H ldap://dc1 -U Administrator -b 'CN=Administrator,CN=Users,DC=zamecek,DC=home' -s base nTSecurityDescriptor
Invalid option -U: unknown option
Usage: ldbsearch <options> <expression> <attrs...>
Usage: [OPTION...]
  -H, --url=URL                             database URL
  -b, --basedn=DN                           base DN
...

Should I use ldapsearch instead?

All I'm able to get is (pointing to 'sam.ldb'):

[root@dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=Administrator)' nTSecurityDescriptor
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
 ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
 1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
 A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
 -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
 ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
 -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
 U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
 -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
 RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
 0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
 967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
 d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
 -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
 RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
 RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
 0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
 37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
 ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
 0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
 9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
 ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
 ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
 437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
 9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
 4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
 d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
 D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
 2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
 RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
 -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
 4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
 PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
 11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

# Referral
ref: ldap://zamecek.home/CN=Configuration,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=DomainDnsZones,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=ForestDnsZones,DC=zamecek,DC=home

# returned 4 records
# 1 entries
# 3 referrals

or:

[root@dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=Administrator)'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20190227200715.0Z
uSNCreated: 3626
name: Administrator
objectGUID: 17f000a0-dfd2-46a1-a96d-3e6b55438d92
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-9998-9997-9996-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zamecek,DC=home
isCriticalSystemObject: TRUE
pwdLastSet: 131960948110000000
memberOf: CN=Domain Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Schema Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Enterprise Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Group Policy Creator Owners,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Administrators,CN=Builtin,DC=zamecek,DC=home
gidNumber: 1103
uidNumber: 0
loginShell: /bin/bash
unixHomeDirectory: /root
lastLogonTimestamp: 131976602069696270
whenChanged: 20190321164326.0Z
uSNChanged: 9904
lastLogon: 131981261571043650
logonCount: 621
distinguishedName: CN=Administrator,CN=Users,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/CN=Configuration,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=DomainDnsZones,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=ForestDnsZones,DC=zamecek,DC=home

# returned 4 records
# 1 entries
# 3 referrals

Is it usable?

> > unicodePwd::
>
> I would change Administrator's password, you have given it to the
> world ;-)

Thanks, You are right, but it is a one-time password and this network is
not world-accessible. It seems the other problems I have are maybe
bigger ;)

Franta
Rowland Penny
2019-Mar-27 08:27 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Wed, 27 Mar 2019 03:50:11 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:

> On Tue, 26 Mar 2019 09:29:41 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> > Do not touch the files found under 'sam.ldb.d', use the 'sam.ldb'
> > file instead, or use the 'ldbsearch' as shown, not that it would
> > work for what you require, it should have been something like this:
> >
> > ldbsearch -H ldap://dc4 -UAdministrator -b
> > 'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' -s base
> > nTSecurityDescriptor
> >
> > Which (after you enter Administrator's password) should produce
> > something like this:
> >
> > # record 1
> > dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> > nTSecurityDescriptor:
> > ...
>
> I'm still confused, there is something I still miss, some joining
> piece - 'ldbsearch', as You recommended use it, fail with error '-U:
> unknown option':
>
> [root@dc1 samba]# ldbsearch -H ldap://dc1 -U Administrator -b
> 'CN=Administrator,CN=Users,DC=zamecek,DC=home' -s base
> nTSecurityDescriptor
> Invalid option -U: unknown option
> Usage: ldbsearch <options> <expression> <attrs...>
> Usage: [OPTION...]
>   -H, --url=URL                             database URL
>   -b, --basedn=DN                           base DN

What version of ldbsearch are you using ?

ldbsearch --help
Usage: [OPTION...]
  -H, --url=URL                             database URL
  -b, --basedn=DN                           base DN
.......
......
.....
Authentication options:
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]   Set the network username

ldbsearch -V
Version 4.9.4-Debian

> ...
>
> All I'm able to get is (pointing to 'sam.ldb'):
>
> [root@dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch
> -H /var/lib/samba/private/sam.ldb '(CN=Administrator)'
> nTSecurityDescriptor
> # record 1
> dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
> nTSecurityDescriptor:
> ...

Yours matches mine, so that isn't a problem ;-)

You can (if you so wish) now find out what each ACE means, see here:

https://docs.microsoft.com/en-gb/windows/desktop/SecAuthZ/ace-strings

The ACEs are the parts between braces, e.g.

(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)

That allows Domain Admins to do just about anything.

Rowland
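As an added example (not code from the thread or from Samba), a small Python parser for SDDL strings like the nTSecurityDescriptor above, which decodes each ACE into its type, flags, rights and trustee and then answers the audit question a defender wants from such a dump: which trustees hold full control of the object, and which can rewrite its DACL. The abbreviation tables follow the Microsoft ACE-string documentation linked above; the sample descriptor is a constructed subset of the ACEs quoted in the thread.

```python
import re

# Abbreviations from the Microsoft ACE-string documentation linked in the thread.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "OU": "OBJECT_SYSTEM_AUDIT"}
RIGHTS = {"RP": "ReadProperty", "WP": "WriteProperty", "CR": "ControlAccess",
          "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "LO": "ListObject",
          "RC": "ReadControl", "WO": "WriteOwner", "WD": "WriteDacl", "SD": "Delete",
          "DT": "DeleteTree", "SW": "Self", "GA": "GenericAll", "GR": "GenericRead",
          "GW": "GenericWrite", "GX": "GenericExecute"}
# Trustee aliases; note "WD" here means Everyone, unrelated to the WriteDacl right above.
TRUSTEES = {"DA": "Domain Admins", "SY": "Local System", "AO": "Account Operators",
            "PS": "Principal Self", "RS": "RAS and IAS Servers", "AU": "Authenticated Users",
            "WD": "Everyone", "CA": "Cert Publishers", "EA": "Enterprise Admins",
            "RU": "Pre-Windows 2000 Compatible Access", "ED": "Enterprise Domain Controllers",
            "BA": "Builtin Administrators"}
# The 13 directory-service rights that together mean "full control" of an AD object.
FULL_CONTROL = {"RP", "WP", "CR", "CC", "DC", "LC", "LO", "RC", "WO", "WD", "SD", "DT", "SW"}
_SD_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)"
                    r"D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)"
                    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$")

def _pairs(s):
    """Split a flags/rights field into two-letter tokens; reject a malformed field."""
    if len(s) % 2:
        raise ValueError(f"malformed two-letter token string: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(text):
    """Decode one 'type;flags;rights;object_guid;inherit_object_guid;trustee' ACE."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"ACE needs at least six fields: {text!r}")
    ace_type, flags, rights, obj, inh_obj, trustee = fields[:6]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": _pairs(flags),
            "rights": set(_pairs(rights)), "object_type": obj or None,
            "inherited_object_type": inh_obj or None,
            "trustee": TRUSTEES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Parse an nTSecurityDescriptor SDDL string; folded LDIF line breaks are tolerated."""
    m = _SD_RE.match("".join(sddl.split()))
    if not m:
        raise ValueError("not a recognised SDDL security descriptor")

    def aces(field):
        return [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", field or "")]

    return {"owner": TRUSTEES.get(m["owner"], m["owner"]),
            "group": TRUSTEES.get(m["group"], m["group"]),
            "dacl_flags": _pairs(m["dflags"]), "dacl": aces(m["dacl"]),
            "sacl_flags": _pairs(m["sflags"] or ""), "sacl": aces(m["sacl"])}

def trustees_with(sd, wanted):
    """Trustees granted every right in `wanted` by a plain (non-object) allow ACE."""
    return sorted({a["trustee"] for a in sd["dacl"]
                   if a["type"] == "ACCESS_ALLOWED" and wanted <= a["rights"]})

# Constructed sample: a subset of the ACEs in the Administrator descriptor quoted above.
SAMPLE = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
          "(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
          "(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)"
          "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
          "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
```

`trustees_with(parse_sddl(SAMPLE), FULL_CONTROL)` returns Domain Admins and Local System only: Builtin Administrators lack DeleteChild and DeleteTree in this sample, but `trustees_with(sd, {"WD"})` shows they can still rewrite the DACL, which is the right to watch for on privileged objects.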
L.P.H. van Belle
2019-Mar-27 08:45 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
Hai,

I don't think anyone noticed this..

ldbsearch -H ldap://dc4 -UAdministrator
ldbsearch -H ldap://dc1 -U Administrator

So what's the difference when you see this response of the command:
Invalid option -U: unknown ...

The " " between -U Admin...
Try again without the space or use --user=Administrator

Greetz,

Louis
Rowland Penny
2019-Mar-27 09:01 UTC
[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed
On Wed, 27 Mar 2019 09:45:18 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I don't think anyone noticed this..
>
> ldbsearch -H ldap://dc4 -UAdministrator
> ldbsearch -H ldap://dc1 -U Administrator
>
> So what's the difference when you see this response of the command:
> Invalid option -U: unknown ...
>
> The " " between -U Admin...
> Try again without the space or use --user=Administrator
>
> Greetz,
>
> Louis

The space doesn't make any difference, '-U Administrator' or
'-UAdministrator' both work, as does '-U administrator' or
'-Uadministrator'.

I just wonder where '-U' went ?

Rowland