On Sat, 4 Nov 2017 18:42:36 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> I decided to continue trying the ldap route as well
>
> littlehex2int()
> {
>   hex=$1
>   hex_chunk=$(echo ${hex}|cut -c$2-$3)
>   little=$(echo ${hex_chunk}|awk '{print substr($0,7,2)substr($0,5,2)substr($0,3,2)substr($0,1,2)}')
>   echo "ibase=16; ${little}" | bc
> }
>
> base64_to_sid()
> {
>   OBJECTSID="$1"
>   hex=$(echo ${OBJECTSID}|base64 -d|od -A n -x -w28 --endian=big|sed 's/ //g'|awk '{print toupper($1)}')
>   hex_chunk=$(echo ${hex}|cut -c1-2);
>   rev=$(echo "ibase=16; ${hex_chunk}" | bc)
>   hex_chunk=$(echo ${hex}|cut -c3-4)
>   dashes=$(echo "ibase=16; ${hex_chunk}" | bc)
>   hex_chunk=$(echo ${hex}|cut -c5-16)
>   notsure=$(echo "ibase=16; ${hex_chunk}" | bc)
>   nonuniq=$(littlehex2int ${hex} 17 24)
>   issuer1=$(littlehex2int ${hex} 25 32)
>   issuer2=$(littlehex2int ${hex} 33 40)
>   issuer3=$(littlehex2int ${hex} 41 48)
>   uid=$(littlehex2int ${hex} 49 57)
>   echo "S-${rev}-${dashes}-${nonuniq}-${issuer1}-${issuer2}-${issuer3}-${uid}"
> }
>
> On Sat, Nov 4, 2017 at 4:42 PM, Jeff Sadowski
> <jeff.sadowski at gmail.com> wrote:
> > . DOMAIN_ADMIN_PASSWD.sh
> > echo ${PASSWD} | kinit ${ADMIN}@${DOMAIN}
> > echo -n > /etc/ntfs-3g.usermap
> > for DOMAIN_USER in $(wbinfo -u);do
> >   RPCLOOKUPID=$(rpcclient -P -c "lookupnames ${DOMAIN_USER}" ${DOMAIN})
> >   if [ "${RPCLOOKUPID:0:7}" != "ERROR: " ] && [ "${RPCLOOKUPID:0:7}" != "Failed " ];then
> >     SID=$(echo ${RPCLOOKUPID}|awk '{print $2}')
> >     echo ${DOMAIN_USER}::${SID} >> /etc/ntfs-3g.usermap
> >   fi
> > done
> > for DOMAIN_GROUP in $(wbinfo -g);do
> >   RPCLOOKUPID=$(rpcclient -P -c "lookupnames ${DOMAIN_GROUP}" ${DOMAIN})
> >   if [ "${RPCLOOKUPID:0:7}" != "ERROR: " ] && [ "${RPCLOOKUPID:0:7}" != "Failed " ];then
> >     SID=$(echo ${RPCLOOKUPID}|awk '{print $2}')
> >     echo :${DOMAIN_GROUP}:${SID} >> /etc/ntfs-3g.usermap
> >   fi
> > done
> >
> > On Sat, Nov 4, 2017 at 3:21 AM, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >> On Fri, 3 Nov 2017 16:25:57 -0600
> >> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> >>
> >>> That looks easier
> >>>
> >>> I was working on ldap to convert but I'll try ldb-tools
> >>>
> >>> I was off on a bash mission here is what I had so far it isn't
> >>> correct so I'll keep working on it
> >>>
> >>> #!/bin/bash
> >>> if [ "$(echo $1|wc -c)" = "41" ];then
> >>>   hex=$(echo $1|base64 -d| od -x -w28 --endian=big|head -n1|sed 's/^0000000 //'|sed 's/ //g')
> >>>   echo ${hex}
> >>>   hex_chunk=$(echo ${hex}|cut -c1-2);
> >>>   echo ${hex_chunk}
> >>>   rev=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c3-4)
> >>>   echo ${hex_chunk}
> >>>   dashes=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c5-16)
> >>>   echo ${hex_chunk}
> >>>   notsure=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c17-24)
> >>>   echo ${hex_chunk}
> >>>   issuer1=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c25-32)
> >>>   echo ${hex_chunk}
> >>>   issuer2=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c33-40)
> >>>   echo ${hex_chunk}
> >>>   issuer3=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c41-48)
> >>>   echo ${hex_chunk}
> >>>   issuer4=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   hex_chunk=$(echo ${hex}|cut -c49-57)
> >>>   uid=$(echo "ibase=16; ${hex_chunk}" | bc)
> >>>   left=$(echo ${hex}|cut -c58-)
> >>>   echo "[${left}]"
> >>>   echo "S-${rev}-${dashes}-${notsure}-${issuer1}-${issuer2}-${issuer3}-${issuer4}-${uid}"
> >>> else
> >>>   echo $1
> >>>   echo "not 41 characters like I was expecting"
> >>> fi
> >>>
> >> Hmm, you could do this instead:
> >>
> >> #!/bin/bash
> >>
> >> ## Get users object into $1 with ldbsearch
> >>
> >> SID=$(echo $1 | grep 'objectSid:' | awk '{print $NF}')
> >> echo "$SID"
> >>
> >> Which would result in something like this:
> >>
> >> S-1-5-21-1768301897-3342589593-1064908849-1107
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba

How about my version (attached) ?

Rowland
Not bad but I wanted an ldap version because I was having issues
running ldbsearch as a normal user.

I created the following functions to get it in and out of base64 and hex

swap_endian()
{
  local input=$1
  local output=""
  while [ "${input}" != "" ];do
    output="${input:0:2}${output}"
    input=${input:2}
  done
  echo $output
}

base64_to_hex()
{
  echo $(echo $1|base64 -d|hexdump -ve '/1 "%02x"')
}

hex2sid()
{
  local hex=$1
  local rev=$((16#${hex:0:2}))
  local dsh=$((16#${hex:2:2}))
  local ath=$((16#${hex:4:12}))
  local sec=$((16#$(swap_endian ${hex:16:8})))
  local is1=$((16#$(swap_endian ${hex:24:8})))
  local is2=$((16#$(swap_endian ${hex:32:8})))
  local is3=$((16#$(swap_endian ${hex:40:8})))
  local uid=$((16#$(swap_endian ${hex:48:8})))
  echo "S-${rev}-${ath}-${sec}-${is1}-${is2}-${is3}-${uid}"
}

chars()
{
  local output="000000000000$2"
  local len=${#output}
  echo ${output:${len}-$1}
}

sid2hex()
{
  local field=1
  local input=$(echo $1|cut -d- -f2-)
  local test=""
  local output=""
  local integer
  local hex
  while [ "${input}" != "${test}" ];do
    integer=$(echo ${input}|cut -d- -f1)
    hex=$(printf '%x' ${integer})
    if [ "${field}" = "1" ];then
      output=$(chars 2 ${hex})
    elif [ "${field}" = "2" ];then
      output="${output}$(chars 2 ${hex})"
      output="${output}$(chars 12 ${hex})"
    else
      output="${output}$(swap_endian $(chars 8 ${hex}))"
    fi
    field=$((${field}+1))
    test=${input}
    input=$(echo ${input}|cut -d- -f2-)
  done
  echo ${output}
}

hex2base64()
{
  local input=$1
  local output=""
  while [ "${input}" != "" ];do
    output="${output}\x${input:0:2}"
    input=${input:2}
  done
  echo -ne "${output}"|base64
}

base64="AQUAAAAAAAUVAAAAoGXPfnhLm1/nfIdwCRwBAA=="
echo ${base64}
ihex=$(base64_to_hex ${base64})
hex2sid ${ihex}
truesid="S-1-5-21-2127521184-1604012920-1887927527-72713"
echo ${truesid}
ohex=$(sid2hex ${truesid})
echo ${ihex}
echo ${ohex}
base64_to_hex ${base64}
hex2base64 ${ohex}
base64=$(hex2base64 ${ohex})

On Sun, Nov 5, 2017 at 12:31 PM, Rowland Penny <rpenny at samba.org> wrote:
> On Sat, 4 Nov 2017 18:42:36 -0600 Jeff
> Sadowski <jeff.sadowski at gmail.com> wrote:
>
> [...]
>
> How about my version (attached) ?
>
> Rowland
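An added example, not code from the thread: a POSIX sh conversion of an objectSid between the base64 form returned over LDAP and the S-1-... string. Unlike the scripts above, it derives the subauthority count from the data (second byte one way, number of fields the other way), checks that the blob length matches that count, and so also handles SIDs that are not of the S-1-5-21-...-RID shape; it assumes `base64 -d`, `od` and `cut` are available.

```shell
#!/bin/sh
# Added example, not code from the thread. objectSid layout: revision (1 byte),
# subauthority count (1 byte), identifier authority (6 bytes, big-endian),
# then count x 32-bit little-endian subauthorities.

b64_to_hex() {  # base64 -> lowercase hex, two chars per byte
    printf '%s' "$1" | base64 -d | od -A n -t x1 -v | tr -d ' \n'
}

le32_to_dec() {  # 8 hex chars of a little-endian 32-bit value -> decimal
    b0=$(printf '%s' "$1" | cut -c1-2); b1=$(printf '%s' "$1" | cut -c3-4)
    b2=$(printf '%s' "$1" | cut -c5-6); b3=$(printf '%s' "$1" | cut -c7-8)
    printf '%d' "0x$b3$b2$b1$b0"
}

hex_to_sid() {  # hex objectSid -> "S-rev-auth-sub1-...-subN"; fails on bad length
    hex=$1
    rev=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c1-2)")
    count=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c3-4)")
    auth=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c5-16)")
    # 8 header bytes plus 4 per subauthority, measured in hex characters
    [ "${#hex}" -eq $(( (8 + 4 * count) * 2 )) ] || return 1
    sid="S-$rev-$auth"; i=0
    while [ "$i" -lt "$count" ]; do
        start=$((17 + i * 8))
        chunk=$(printf '%s' "$hex" | cut -c"$start"-$((start + 7)))
        sid="$sid-$(le32_to_dec "$chunk")"
        i=$((i + 1))
    done
    printf '%s\n' "$sid"
}

sid_to_hex() {  # "S-rev-auth-sub..." -> hex objectSid; count = number of subs
    case $1 in S-*-*-*) ;; *) return 1 ;; esac
    rev=$(printf '%s' "$1" | cut -d- -f2)
    auth=$(printf '%s' "$1" | cut -d- -f3)
    count=0; body=""
    for s in $(printf '%s' "$1" | cut -d- -f4- | tr '-' ' '); do
        count=$((count + 1))
        # emit each subauthority little-endian, low byte first
        body="$body$(printf '%02x%02x%02x%02x' $((s & 255)) $(((s >> 8) & 255)) \
                                               $(((s >> 16) & 255)) $(((s >> 24) & 255)))"
    done
    printf '%02x%02x%012x%s\n' "$rev" "$count" "$auth" "$body"
}

# Sample value from Jeff's message above; decodes to
# S-1-5-21-2127521184-1604012920-1887927527-72713
hex_to_sid "$(b64_to_hex 'AQUAAAAAAAUVAAAAoGXPfnhLm1/nfIdwCRwBAA==')"
```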
On Sun, 5 Nov 2017 16:14:33 -0700
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> Not bad but I wanted an ldap version because I was having issues
> running ldbsearch as a normal user.
>

You are probably using the wrong syntax ;-)

you can use a username and password with:

ldbsearch -H ldap://member1.samdom.example.com -U rowland%xxxxxxxxxx -b DC=samdom,DC=example,DC=com -s sub '(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=*))' sAMAccountName

Where 'xxxxxxxxxx' is the user's password.

or with kerberos (provided the user has a valid ticket):

ldbsearch -H ldap://member1.samdom.example.com -k yes --krb5-ccache=krb5cc_xxxxx -b DC=samdom,DC=example,DC=com -s sub '(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=*))' sAMAccountName

Where 'krb5cc_xxxxx' is the user's ticket in /tmp/

Rowland
On Sun, 5 Nov 2017 16:14:33 -0700
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> Not bad but I wanted an ldap version because I was having issues
> running ldbsearch as a normal user.
>

I had another thought, why am I reinventing the wheel, so came up with this:

#!/bin/bash

echo "#######################################################"
echo "#                                                     #"
echo "#       Please Wait whilst Usermap is created.        #"
echo "#                                                     #"
echo "#######################################################"

## Remove any existing usermap
if [ -f /tmp/ntfs-3g.usermap ]; then
    rm -f /tmp/ntfs-3g.usermap
fi

WBINFO=$(which wbinfo)
if [ -z "${WBINFO}" ]; then
    echo
    echo "Cannot find 'wbinfo', is it installed?"
    echo "Cannot continue...Exiting"
    exit 1
fi

## Get users
ADUSERS=$(${WBINFO} -u)

## Get groups
ADGROUPS=$(${WBINFO} -g)

while IFS= read -r line
do
    SID=$(${WBINFO} -n "$line" | awk '{print $1}')
    echo "$line::$SID" >> /tmp/ntfs-3g.usermap
done <<< "$ADUSERS"

while IFS= read -r line
do
    SID=$(${WBINFO} -n "$line" | awk '{print $1}')
    echo ":$line:$SID" >> /tmp/ntfs-3g.usermap
done <<< "$ADGROUPS"

if [ -f /tmp/ntfs-3g.usermap ]; then
    echo
    echo "Usermap created in /tmp/ntfs-3g.usermap"
    echo
fi

exit 0

Anybody can run this, the only problem was '/etc/', only 'root' can write
into this directory, so I used '/tmp/' instead.

Rowland