Vincent Le Toux
2020-Oct-12 11:57 UTC
[Samba] Lookup sid with libsmbclient (invoked from c# on mono)
Thanks Aurélien

Can you point me to how I can start an LDAP connection using winbind? I'm using ldap_simple_bind so far, so there is no use of winbind in it.

I'll be happy also if you can point me to the winbind API where you can input login / password.

br
Vincent

On Mon, 12 Oct 2020 at 11:37, Aurélien Aptel <aaptel at suse.com> wrote:
> Hi Vincent,
>
> If you want to look up a SID from a remote Linux client I believe you
> will have to authenticate to the server. Assuming the client is joined
> to the domain and has winbind running, you can use libwbclient
>
> https://gitlab.com/samba-team/devel/samba/blob/master/nsswitch/libwbclient/wbclient.h
>
> * wbcLookupName() will do domain/name => SID
> * wbcLookupSid() will do SID => domain/name
>
> If you are not joined or don't have the winbind daemon configured and
> running, I guess there might be a solution by passing credentials,
> doing NTLM authentication and some direct RPC calls, but I'm not
> familiar with this part of samba.
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

--
Vincent
Rowland penny
2020-Oct-12 12:06 UTC
[Samba] Lookup sid with libsmbclient (invoked from c# on mono)
On 12/10/2020 12:57, Vincent Le Toux via samba wrote:
> Thanks Aurélien
>
> Can you point me to how I can start an LDAP connection using winbind?
> I'm using ldap_simple_bind so far so there is no use of winbind in it.
>
> I'll be happy also if you can point me to the winbind API where you can
> input login / password

I have no idea just what you are hoping to achieve, but it is seemingly possible without authentication, as 'wbinfo -n ACCOUNT_NAME' returns the account's SID. So try looking at the wbinfo code.

Rowland
Vincent Le Toux
2020-Oct-12 13:09 UTC
[Samba] Lookup sid with libsmbclient (invoked from c# on mono)
I'm trying to port PingCastle (which is an AD audit tool - https://www.pingcastle.com/download) from Windows to Linux. The program being written in C#, I've no other solution than calling native libraries (the mono framework is missing critical components). It uses SMB / LDAP / RPC calls to collect its information.

Here is the current state:

LDAP: openldap with simple bind (no benefit yet of winbind) => OK
RPC: smbclient for finding a DC, work in progress to resolve SIDs (found in security descriptors) => WIP
SMB: not tested yet => WIP

Right now, I'm stuck at resolving SIDs and I'm looking for a practical solution.

br
Vincent

On Mon, 12 Oct 2020 at 14:06, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 12/10/2020 12:57, Vincent Le Toux via samba wrote:
> > Thanks Aurélien
> >
> > Can you point me to how I can start an LDAP connection using winbind?
> > I'm using ldap_simple_bind so far so there is no use of winbind in it.
> >
> > I'll be happy also if you can point me to the winbind API where you can
> > input login / password
>
> I have no idea just what you are hoping to achieve, but it is seemingly
> possible without authentication as 'wbinfo -n ACCOUNT_NAME' returns the
> account's SID. So try looking at the wbinfo code.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Vincent
Aurélien Aptel
2020-Oct-12 15:25 UTC
[Samba] Lookup sid with libsmbclient (invoked from c# on mono)
Rowland penny via samba <samba at lists.samba.org> writes:
> I have no idea just what you are hoping to achieve, but it is seemingly
> possible without authentication as 'wbinfo -n ACCOUNT_NAME' returns the
> account's SID. So try looking at the wbinfo code.

wbinfo is talking to winbind, which itself is talking to the AD. In this scenario the client previously joined (authenticated).

What Vincent is after, I think, is a simple standalone way to query SIDs/names for his app to use that doesn't require setting up a whole domain member.

The rpcclient CLI tool can do it. You can call the CLI tool from your app (.110 is my AD IP, you can use hostnames too):

$ rpcclient -U administrator%mypassword -c 'lookupnames user1' //192.168.2.110
user1 S-1-5-21-596735176-1287999152-3436313279-1104 (User: 1)

$ rpcclient -U administrator%mypassword -c 'lookupsids S-1-5-21-596735176-1287999152-3436313279-1104' //192.168.2.110
S-1-5-21-596735176-1287999152-3436313279-1104 NUC\user1 (1)

...Or copy the code (note that it is GPL though):

https://gitlab.com/samba-team/devel/samba/-/blob/master/source3/rpcclient/cmd_lsarpc.c#L391

Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
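An added example (not part of the thread, and not Samba's or PingCastle's code) of wrapping rpcclient the way Aurélien suggests from a program, with two practitioner's details the thread does not cover: the credentials are passed through rpcclient's `-A <file>` option (a `user=`/`password=`/`domain=` file) instead of `-U user%password`, so the password does not show up in the process list of a shared audit host, and the names and SIDs are validated before they are placed in the `-c` command string, since rpcclient splits that string on `;` and whitespace into separate commands and arguments. The two parsers are written against the exact output lines quoted in the message above and are exercised on those lines as embedded sample input; the server address, authentication file path and the assumption that `lookupnames`/`lookupsids` accept several arguments on one line are this example's own.

```python
"""Wrapper around Samba's rpcclient for name <-> SID resolution (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Windows security identifier: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

# One line of 'lookupnames' output:  user1 S-1-5-21-...-1104 (User: 1)
LOOKUPNAMES_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<sid>S-1-[\d-]+)\s+\((?P<type_name>\w+): (?P<type_code>\d+)\)$"
)
# One line of 'lookupsids' output:   S-1-5-21-...-1104 NUC\user1 (1)
LOOKUPSIDS_RE = re.compile(
    r"^(?P<sid>S-1-[\d-]+)\s+(?P<account>\S+)\s+\((?P<type_code>\d+)\)$"
)

# Constructed sample input: the two output lines quoted in the thread.
SAMPLE_LOOKUPNAMES_OUTPUT = "user1 S-1-5-21-596735176-1287999152-3436313279-1104 (User: 1)\n"
SAMPLE_LOOKUPSIDS_OUTPUT = "S-1-5-21-596735176-1287999152-3436313279-1104 NUC\\user1 (1)\n"


@dataclass
class SidMapping:
    sid: str
    account: str                  # "NUC\\user1" or bare "user1", as rpcclient printed it
    type_code: int                # SID_NAME_USE value printed by rpcclient (1 = user)
    type_name: Optional[str] = None


def is_valid_sid(value: str) -> bool:
    return SID_RE.match(value) is not None


def is_safe_lookup_name(name: str) -> bool:
    # rpcclient parses the -c string itself: ';' separates commands and whitespace
    # separates arguments, so a name containing either would be read as extra
    # commands. Refuse such input instead of trying to quote it.
    return bool(name) and not any(ch in name for ch in ";\n\r\t ")


def build_argv(server: str, command: str, auth_file: str) -> List[str]:
    """argv for rpcclient. -A <file> reads user=/password=/domain= lines, so the
    password is never part of the command line (hypothetical path supplied by caller)."""
    return ["rpcclient", "-A", auth_file, "-c", command, f"//{server}"]


def parse_lookupnames(output: str) -> List[SidMapping]:
    results = []
    for line in output.splitlines():
        m = LOOKUPNAMES_RE.match(line.strip())
        if m and is_valid_sid(m["sid"]):
            results.append(SidMapping(m["sid"], m["name"], int(m["type_code"]), m["type_name"]))
    return results


def parse_lookupsids(output: str) -> List[SidMapping]:
    results = []
    for line in output.splitlines():
        m = LOOKUPSIDS_RE.match(line.strip())
        if m and is_valid_sid(m["sid"]):
            results.append(SidMapping(m["sid"], m["account"], int(m["type_code"])))
    return results


def lookup_names(server: str, names: List[str], auth_file: str) -> List[SidMapping]:
    bad = [n for n in names if not is_safe_lookup_name(n)]
    if bad:
        raise ValueError(f"refusing to pass unsafe names to rpcclient: {bad!r}")
    argv = build_argv(server, "lookupnames " + " ".join(names), auth_file)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_lookupnames(proc.stdout)


def lookup_sids(server: str, sids: List[str], auth_file: str) -> List[SidMapping]:
    bad = [s for s in sids if not is_valid_sid(s)]
    if bad:
        raise ValueError(f"not well-formed SIDs: {bad!r}")
    argv = build_argv(server, "lookupsids " + " ".join(sids), auth_file)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_lookupsids(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the embedded sample output (no domain controller needed).
    for m in parse_lookupnames(SAMPLE_LOOKUPNAMES_OUTPUT) + parse_lookupsids(SAMPLE_LOOKUPSIDS_OUTPUT):
        print(m)
    # Against a real DC (assumed address and credentials file):
    # print(lookup_names("192.168.2.110", ["user1"], "/etc/pingcastle/rpc.auth"))
```

The C# port would do the same thing with `System.Diagnostics.Process` and the same two regular expressions; the security-relevant parts are independent of the host language: keep the password out of argv, validate anything that goes into `-c`, and only accept result lines whose SID actually parses, so a malformed or unexpected line from the server cannot be mistaken for a resolved principal.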