On 18/07/2020 14:47, RhineDevil wrote:> Sat, 18 Jul 2020 14:41:31 +0100 Rowland penny via samba <samba at lists.samba.org>: >> On 18/07/2020 14:30, RhineDevil wrote: >>> Sat, 18 Jul 2020 14:19:25 +0100 Rowland penny via samba <samba at lists.samba.org>: >>>> On 18/07/2020 13:52, RhineDevil wrote: >>>>> Fri, 17 Jul 2020 19:44:37 +0100 Rowland penny via samba <samba at lists.samba.org>: >>>>>> On 17/07/2020 19:31, RhineDevil via samba wrote: >>>>>>> And by that I mean, where are the dbs, what should I rm -rf? >>>>>> On Debian just remove /var/lib/samba and /var/cache/samba >>>>>>> By the way how do I obtain current machine netbios name? >>>>>> Depends on which netbios name, if you are referring to the one that is >>>>>> in smb.conf 'netbios name = ?????', that is just the short hostname in >>>>>> uppercase. If you are referring to the netbios domain name (aka >>>>>> workgroup) then you can find this with wbinfo: >>>>>> >>>>>> wbinfo --own-domain >>>>>> >>>>>> Rowland >>>>>> >>>>> I tried to add ypServ30 using ldapi socket "ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi, it said >>>>> >>>>> `ERR: insufficient access rights : "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS <acl: unable to get access to CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld> <>" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld at block before line 5` >>>>> >>>>> Shouldn't give me access by default if I'm using the private system socket? >>>> No, you still need to authenticate as a user with the required >>>> permissions e.g. Administrator >>>> >>>> Also, as you are trying to update the schema, you will need to add >>>> '/--option="dsdb:schema update allowed"=true' to the ldbmodify command/ >>>> >>>> /Rowland/ >>>> >>> Since I'm (g)root how could I avoid inputting any password at all? >>> Should be possible since samba-tool never asks you a password as root >> Then do what samba-tool does, fall back to the computers kerberos ticket >> and add '-P' to the ldbmodify command >>> Also what's the point of having a more private socket in /var/lib/samba/private/ldap_priv/ldapi if it asks auth credential like the "less private" socket /var/lib/samba/private/ldapi? >> Even more security ;-) >> >> Rowland >> > I've already added -P to ldbmodify, what am I missing, how should I do that?Sorry, I realised after I posted that, it only works for searching, you will have to authenticate, this is nothing to do with Samba, it is a Windows thing, anonymous searches/changes are not allowed. Rowland
Sat, 18 Jul 2020 14:53:26 +0100 Rowland penny via samba <samba at lists.samba.org>:> On 18/07/2020 14:47, RhineDevil wrote: > > Sat, 18 Jul 2020 14:41:31 +0100 Rowland penny via samba <samba at lists.samba.org>: > >> On 18/07/2020 14:30, RhineDevil wrote: > >>> Sat, 18 Jul 2020 14:19:25 +0100 Rowland penny via samba <samba at lists.samba.org>: > >>>> On 18/07/2020 13:52, RhineDevil wrote: > >>>>> Fri, 17 Jul 2020 19:44:37 +0100 Rowland penny via samba <samba at lists.samba.org>: > >>>>>> On 17/07/2020 19:31, RhineDevil via samba wrote: > >>>>>>> And by that I mean, where are the dbs, what should I rm -rf? > >>>>>> On Debian just remove /var/lib/samba and /var/cache/samba > >>>>>>> By the way how do I obtain current machine netbios name? > >>>>>> Depends on which netbios name, if you are referring to the one that is > >>>>>> in smb.conf 'netbios name = ?????', that is just the short hostname in > >>>>>> uppercase. If you are referring to the netbios domain name (aka > >>>>>> workgroup) then you can find this with wbinfo: > >>>>>> > >>>>>> wbinfo --own-domain > >>>>>> > >>>>>> Rowland > >>>>>> > >>>>> I tried to add ypServ30 using ldapi socket "ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi, it said > >>>>> > >>>>> `ERR: insufficient access rights : "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS <acl: unable to get access to CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld> <>" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld at block before line 5` > >>>>> > >>>>> Shouldn't give me access by default if I'm using the private system socket? > >>>> No, you still need to authenticate as a user with the required > >>>> permissions e.g. Administrator > >>>> > >>>> Also, as you are trying to update the schema, you will need to add > >>>> '/--option="dsdb:schema update allowed"=true' to the ldbmodify command/ > >>>> > >>>> /Rowland/ > >>>> > >>> Since I'm (g)root how could I avoid inputting any password at all? > >>> Should be possible since samba-tool never asks you a password as root > >> Then do what samba-tool does, fall back to the computers kerberos ticket > >> and add '-P' to the ldbmodify command > >>> Also what's the point of having a more private socket in /var/lib/samba/private/ldap_priv/ldapi if it asks auth credential like the "less private" socket /var/lib/samba/private/ldapi? > >> Even more security ;-) > >> > >> Rowland > >> > > I've already added -P to ldbmodify, what am I missing, how should I do that? > > Sorry, I realised after I posted that, it only works for searching, you > will have to authenticate, this is nothing to do with Samba, it is a > Windows thing, anonymous searches/changes are not allowed. > > Rowland >Thanks for the clarification But then how does samba-tool make changes without having to authenticate? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 833 bytes Desc: Firma digitale OpenPGP URL: <http://lists.samba.org/pipermail/samba/attachments/20200718/16b1601b/attachment.sig>
On 18/07/2020 15:19, RhineDevil wrote:> Sat, 18 Jul 2020 14:53:26 +0100 Rowland penny via samba <samba at lists.samba.org>: >> On 18/07/2020 14:47, RhineDevil wrote: >>> Sat, 18 Jul 2020 14:41:31 +0100 Rowland penny via samba <samba at lists.samba.org>: >>>> On 18/07/2020 14:30, RhineDevil wrote: >>>>> Sat, 18 Jul 2020 14:19:25 +0100 Rowland penny via samba <samba at lists.samba.org>: >>>>>> On 18/07/2020 13:52, RhineDevil wrote: >>>>>>> Fri, 17 Jul 2020 19:44:37 +0100 Rowland penny via samba <samba at lists.samba.org>: >>>>>>>> On 17/07/2020 19:31, RhineDevil via samba wrote: >>>>>>>>> And by that I mean, where are the dbs, what should I rm -rf? >>>>>>>> On Debian just remove /var/lib/samba and /var/cache/samba >>>>>>>>> By the way how do I obtain current machine netbios name? >>>>>>>> Depends on which netbios name, if you are referring to the one that is >>>>>>>> in smb.conf 'netbios name = ?????', that is just the short hostname in >>>>>>>> uppercase. If you are referring to the netbios domain name (aka >>>>>>>> workgroup) then you can find this with wbinfo: >>>>>>>> >>>>>>>> wbinfo --own-domain >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>> I tried to add ypServ30 using ldapi socket "ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi, it said >>>>>>> >>>>>>> `ERR: insufficient access rights : "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS <acl: unable to get access to CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld> <>" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld at block before line 5` >>>>>>> >>>>>>> Shouldn't give me access by default if I'm using the private system socket? >>>>>> No, you still need to authenticate as a user with the required >>>>>> permissions e.g. Administrator >>>>>> >>>>>> Also, as you are trying to update the schema, you will need to add >>>>>> '/--option="dsdb:schema update allowed"=true' to the ldbmodify command/ >>>>>> >>>>>> /Rowland/ >>>>>> >>>>> Since I'm (g)root how could I avoid inputting any password at all? >>>>> Should be possible since samba-tool never asks you a password as root >>>> Then do what samba-tool does, fall back to the computers kerberos ticket >>>> and add '-P' to the ldbmodify command >>>>> Also what's the point of having a more private socket in /var/lib/samba/private/ldap_priv/ldapi if it asks auth credential like the "less private" socket /var/lib/samba/private/ldapi? >>>> Even more security ;-) >>>> >>>> Rowland >>>> >>> I've already added -P to ldbmodify, what am I missing, how should I do that? >> Sorry, I realised after I posted that, it only works for searching, you >> will have to authenticate, this is nothing to do with Samba, it is a >> Windows thing, anonymous searches/changes are not allowed. >> >> Rowland >> > Thanks for the clarification > But then how does samba-tool make changes without having to authenticate?It cheats, it directly modifies sam.ldb Rowland