On 18/07/2020 15:19, RhineDevil wrote:
> Sat, 18 Jul 2020 14:53:26 +0100 Rowland penny via samba <samba at lists.samba.org>:
>> On 18/07/2020 14:47, RhineDevil wrote:
>>> Sat, 18 Jul 2020 14:41:31 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>> On 18/07/2020 14:30, RhineDevil wrote:
>>>>> Sat, 18 Jul 2020 14:19:25 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>>>> On 18/07/2020 13:52, RhineDevil wrote:
>>>>>>> Fri, 17 Jul 2020 19:44:37 +0100 Rowland penny via samba <samba at lists.samba.org>:
>>>>>>>> On 17/07/2020 19:31, RhineDevil via samba wrote:
>>>>>>>>> And by that I mean, where are the dbs, what should I rm -rf?
>>>>>>>> On Debian just remove /var/lib/samba and /var/cache/samba
>>>>>>>>> By the way how do I obtain current machine netbios name?
>>>>>>>> Depends on which netbios name, if you are referring to the one that is
>>>>>>>> in smb.conf 'netbios name = ?????', that is just the short hostname in
>>>>>>>> uppercase. If you are referring to the netbios domain name (aka
>>>>>>>> workgroup) then you can find this with wbinfo:
>>>>>>>>
>>>>>>>> wbinfo --own-domain
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> I tried to add ypServ30 using ldapi socket "ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi, it said
>>>>>>>
>>>>>>> `ERR: insufficient access rights : "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS <acl: unable to get access to CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld> <>" on DN CN=ypServ30,CN=RpcServices,CN=System,DC=mydomain,DC=mytld at block before line 5`
>>>>>>>
>>>>>>> Shouldn't give me access by default if I'm using the private system socket?
>>>>>> No, you still need to authenticate as a user with the required
>>>>>> permissions e.g. Administrator
>>>>>>
>>>>>> Also, as you are trying to update the schema, you will need to add
>>>>>> '--option="dsdb:schema update allowed"=true' to the ldbmodify command
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Since I'm (g)root how could I avoid inputting any password at all?
>>>>> Should be possible since samba-tool never asks you a password as root
>>>> Then do what samba-tool does, fall back to the computers kerberos ticket
>>>> and add '-P' to the ldbmodify command
>>>>> Also what's the point of having a more private socket in /var/lib/samba/private/ldap_priv/ldapi if it asks auth credential like the "less private" socket /var/lib/samba/private/ldapi?
>>>> Even more security ;-)
>>>>
>>>> Rowland
>>>>
>>> I've already added -P to ldbmodify, what am I missing, how should I do that?
>> Sorry, I realised after I posted that, it only works for searching, you
>> will have to authenticate, this is nothing to do with Samba, it is a
>> Windows thing, anonymous searches/changes are not allowed.
>>
>> Rowland
>>
> Thanks for the clarification
> But then how does samba-tool make changes without having to authenticate?

It cheats, it directly modifies sam.ldb

Rowland

Sat, 18 Jul 2020 15:31:36 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 18/07/2020 15:19, RhineDevil wrote:
> > Thanks for the clarification
> > But then how does samba-tool make changes without having to authenticate?
>
> It cheats, it directly modifies sam.ldb
>
> Rowland
>
It modifies the content of /var/lib/samba/private/sam.ldb.d? how does this folder work?

On 18/07/2020 16:51, RhineDevil wrote:
> Sat, 18 Jul 2020 15:31:36 +0100 Rowland penny via samba <samba at lists.samba.org>:
>> It cheats, it directly modifies sam.ldb
>>
>> Rowland
>>
> It modifies the content of /var/lib/samba/private/sam.ldb.d? how does this folder work?

Just use ldapmodify or ldbmodify or samba-tool. I am not going to help you possibly destroy your DB

Rowland
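
The supported route this thread ends on (ldbmodify over the ldapi socket, authenticated as a privileged user, with the schema-update option where it applies) can be sketched as follows. This is an added example, not part of the original messages: the function names, the `DRY_RUN` switch, the use of `-U` for authentication and the `ypServ30.ldif` file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: authenticated ldbmodify over the
# Samba AD DC ldapi socket. Function names, DRY_RUN and the LDIF file
# name are hypothetical.

# Percent-encode a UNIX socket path into an ldapi:// URL.
ldapi_url() {
    printf 'ldapi://%s\n' \
        "$(printf '%s' "$1" | sed -e 's|%|%25|g' -e 's|/|%2F|g' -e 's| |%20|g')"
}

# ldb_modify SOCKET USER LDIF [schema]
# Runs ldbmodify as USER; with "schema" it adds the option quoted in the
# thread. No password goes into argv: ldbmodify prompts for it.
ldb_modify() {
    sock=$1; user=$2; ldif=$3; mode=${4:-}
    set -- ldbmodify -H "$(ldapi_url "$sock")" -U "$user"
    if [ "$mode" = schema ]; then
        set -- "$@" '--option=dsdb:schema update allowed=true'
    fi
    set -- "$@" "$ldif"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@"    # show the argv, one argument per line
        return 0
    fi
    [ -S "$sock" ] || { echo "no ldapi socket at $sock" >&2; return 1; }
    [ -r "$ldif" ] || { echo "cannot read $ldif" >&2; return 1; }
    "$@"
}

# Dry run with the socket path from the thread (nothing is modified).
DRY_RUN=1 ldb_modify /var/lib/samba/private/ldap_priv/ldapi \
    Administrator ypServ30.ldif schema
```

Going through ldbmodify keeps the write behind the directory's access checks, unlike editing the files under sam.ldb.d directly.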