samba - Oct 2015 - samba-tool using domain users

!!! Regards
For example, I tried the following command:
samba-tool user create jhon p at assword -U mike
Then, the user is created without authenticate the user mike
Another command that I need execute with authentication is "samba-tool fsmo
transfer".

That's all the point of an AD domain : )
If any user could make change into AD database, the product would not be
too much secure.

samba-tool comes with its own man page, in that man page you will how to
use a different user to authenticate against AD than your current Linux
user. Look for "-U".

2015-10-15 17:07 GMT+02:00 Yosel Lazaro Vera Gonzalez <
ylvera at estudiantes.uci.cu>:
> !!! Regards
> Can be executed "samba-tool user create" specifying a domain user
?, if
> the user don't have sufficient permissions, he can not create a user
using
> samba-tool.
> Can be specified a domain user in any samba-tool command ?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hello Yosel,

Am 16.10.2015 um 15:09 schrieb Yosel Lazaro Vera
Gonzalez:
> For example, I tried the following command:
> samba-tool user create jhon p at assword -U mike
> Then, the user is created without authenticate the user mike
> Another command that I need execute with authentication is "samba-tool
fsmo transfer".
> 
> That's all the point of an AD domain : )
> If any user could make change into AD database, the product would not be
> too much secure.

[root at DC1 ~]# samba-tool user add xxx01 mypw -U mike
User 'xxx01' created successfully

If you run exactly the above command as "root", the account is
created,
because it's done directly in sam.ldb. -U is ignored in that case. If
you do the same as a user, it will fail, because sam.ldb is (hopefully)
not writeable for anyone else than root on your system. Example:

[mike at DC1 root]$ samba-tool user add xxx02 mypw -U mike
ltdb: tdb(/usr/local/samba/private/sam.ldb): tdb_open_ex: could not open
file /usr/local/samba/private/sam.ldb: Permission denied

Unable to open tdb '/usr/local/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///usr/local/samba/private/sam.ldb' with
backend 'tdb': Unable to open tdb
'/usr/local/samba/private/sam.ldb':
Permission denied
ERROR(ldb): Failed to add user 'xxx02':  - Unable to open tdb
'/usr/local/samba/private/sam.ldb': Permission denied



However you can create users via the LDAP interface, too (This is what,
e. g. ADUC does). In this case it doesn't matter, who runs the command.
Important is, that the -U account has permission inside the AD, to
create the object. Examples:

[mike at DC1 root]$ samba-tool user add xxx02 mypw -U administrator -H
ldap://DC1
Password for [SAMDOM\administrator]:
User 'xxx02' created successfully



[mikeDC1 root]$ samba-tool user add xxx02 mypw -U mike -H ldap://DC1
Password for [SAMDOM\mike]:
Password for [SAMDOM\mike]:
Password for [SAMDOM\mike]:
Wrong username or password: kinit for mike at SAMDOM.EXAMPLE.COM failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -
<SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://DC1' with backend 'ldap': (null)
ERROR(ldb): Failed to add user 'xxx02':  - None




Anyone here who wants to write a patch for the boring samba-tool manpage
or for the "samba-tool user add --help" output? I think some
background
information and better examples would be good for both.


Regards,
Marc