On Thu, 2021-06-17 at 19:37 +0530, Durga Prasad Dwarapureddi via samba
wrote:> Hi,
>
> We are trying to build the Admin function delegation on OU in the UI
> we are
> designing. Is there any command in Samba or any python binding that
> will
> help us achieve this?
This can be done in Python, it is essentially an ACL modification.
This is in source4/dsdb/tests/python/user_account_control.py:
self.sd_utils = sd_utils.SDUtils(self.admin_samdb)
self.admin_samdb.create_ou("OU=test_computer_ou1," +
self.base_dn)
self.unpriv_user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
mod = "(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)" %
str(self.unpriv_user_sid)
self.sd_utils.dacl_add_ace("OU=test_computer_ou1," +
self.base_dn, mod)
Just take care, while not giving out the administrator password is an
admirable thing, someone who can create user or computer objects (the
above is for computers, you can delegate the right to create users
instead with the users GUID) still has quite some power to disrupt the
domain.
> Below is the output we get after executing command - samba-tool
> delegation
> --help
>
> Available subcommands:
> add-service - Add a service principal as msDS-
> AllowedToDelegateTo.
> del-service - Delete a service principal as
> msDS-AllowedToDelegateTo.
> for-any-protocol - Set/unset
> UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
> (S4U2Proxy) for an account.
> for-any-service - Set/unset UF_TRUSTED_FOR_DELEGATION for an
> account.
> show - Show the delegation setting of an account.
This is a different kind of delegation, this is the right to delegate
the authentication from one service to another, not the delegation of
rights to create users etc.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions