Rowland penny
2021-Jan-03 18:58 UTC
[Samba] Verify if Samba AD was provisioned with RFC2037
On 03/01/2021 18:33, Marco Shmerykowsky via samba wrote:> > On 2021-01-03 11:38 am, Rowland penny via samba wrote: >> On 03/01/2021 15:35, Marco Shmerykowsky wrote: >>> >>> >>> On 2021-01-03 10:19 am, Rowland penny via samba wrote: >>>> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote: >>>>> >>>>> On 2021-01-03 9:53 am, Rowland penny via samba wrote: >>>>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote: >>>>>>> Is there a way to confirm whether a samba AD was >>>>>>> provisioned using RFC2307? >>>>>> >>>>>> All that provisioning with '--use-rfc2307' does is to put >>>>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' >>>>>> doesn't >>>>>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DC's >>>>>> use >>>>>> uidNumber & gidNumber attributes from AD instead of the xidNumber >>>>>> attributes from idmap.ldb. The second makes the Unix attributes tabs >>>>>> work in ADUC, only problem is, they no longer exist ? >>>>>> >>>>>> All of the RFC2307 attributes are in the AD schema by default, >>>>>> even if >>>>>> you provision without '--use-rfc2307'. >>>>>> >>>>>> Rowland >>>>> >>>>> I see.? The reason I ask is that I'm trying to use an extended query >>>>> in a pfsense/openvpn setup and the query seems to fail. I'm fairly >>>>> certain I have the query correct (although I could be wrong). >>>>> >>>>> In googling I came across some discussion that RFC2307 can create >>>>> issues >>>>> with the extended query (https://redmine.pfsense.org/issues/9527) >>>>> >>>> That link seems to refer to IPA and AD is different, For instance you >>>> cannot rely on the 'posix' objectclasses being in AD (in fact anything >>>> that does, is, in my opinion, broken), the 'posix objectclasses are >>>> auxiliary objectclasses of Windows objectclasses and as such are not >>>> required. >>>> >>>> What is your search query and what do you expect the results to be ? >>> >>> my query is -> >>> memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com >>> >>> Users who will be allowed access to the VPN are assigned to a >>> security group >>> named "VPN-Users".? I then used Softerra's ldapbrowser >>> (www.ldapadministrator.com) >>> to look at one of the users in the group and pulled the syntax for >>> the "memberof" >>> attribute that listed the VPN-User group. >>> >>> I would expect the extend query to validate a user who is a member >>> of the VPN-Users group. >> >> OK, I do not have a group called 'VPN-Users', but I do have one called >> 'vpnusers', so try this (adapted for your setup): >> >> ldbsearch -H ldap://samdom.example.com -b >> 'dc=samdom,dc=example,dc=com' -s sub >> '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' >> >> -P >> >> or using ldapsearch: >> >> ldapsearch -H ldap://samdom.example.com -b >> 'dc=samdom,dc=example,dc=com' -s sub >> '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' >> >> -D 'cn=Administrator,dc=samdom,dc=example,dc=com' -W >> >> Both of them work for myself, but the first one doesn't ask for a >> password. >> >> Rowland > > Using ldbsearch I get the following: > > # Referral > ref: > ldap://internal.external.com/CN=Configuration,DC=internal,DC=external,DC=com > > # Referral > ref: > ldap://internal.externak.com/DC=DomainDnsZones,DC=internal,DC=external,DC=com > > # Referral > ref: > ldap://internal.external.com/DC=ForestDnsZones,DC=nternal,DC=external,DC=com > > # returned 3 records > # 0 entries > # 3 referralsIf I run: ldbsearch -H ldap://samdom.example.com -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland))' -P I get (heavily snipped): # record 1 dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com objectClass: top objectClass: securityPrincipal objectClass: person objectClass: organizationalPerson objectClass: user cn: Rowland Penny sn: Penny ................... sAMAccountName: rowland memberOf: CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com ......................... distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com # Referral ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com # Referral ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com # Referral ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com # returned 4 records # 1 entries # 3 referrals It doesn't matter whether I run it on a DC or a Unix domain member. Perhaps I should mention that 'samdom.example.com' is the DNS domain and not a FQDN. Rowland
Marco Shmerykowsky
2021-Jan-03 19:52 UTC
[Samba] Verify if Samba AD was provisioned with RFC2037
On 2021-01-03 1:58 pm, Rowland penny via samba wrote:> On 03/01/2021 18:33, Marco Shmerykowsky via samba wrote: >> >> On 2021-01-03 11:38 am, Rowland penny via samba wrote: >>> On 03/01/2021 15:35, Marco Shmerykowsky wrote: >>>> >>>> >>>> On 2021-01-03 10:19 am, Rowland penny via samba wrote: >>>>> On 03/01/2021 15:05, Marco Shmerykowsky via samba wrote: >>>>>> >>>>>> On 2021-01-03 9:53 am, Rowland penny via samba wrote: >>>>>>> On 03/01/2021 14:32, Marco Shmerykowsky via samba wrote: >>>>>>>> Is there a way to confirm whether a samba AD was >>>>>>>> provisioned using RFC2307? >>>>>>> >>>>>>> All that provisioning with '--use-rfc2307' does is to put >>>>>>> 'idmap_ldb:use rfc2307' into the first DC's smb.conf (a 'join' >>>>>>> doesn't >>>>>>> do this) and adds the 'ypServ30.ldif' to AD. The first makes DC's >>>>>>> use >>>>>>> uidNumber & gidNumber attributes from AD instead of the xidNumber >>>>>>> attributes from idmap.ldb. The second makes the Unix attributes >>>>>>> tabs >>>>>>> work in ADUC, only problem is, they no longer exist ? >>>>>>> >>>>>>> All of the RFC2307 attributes are in the AD schema by default, >>>>>>> even if >>>>>>> you provision without '--use-rfc2307'. >>>>>>> >>>>>>> Rowland >>>>>> >>>>>> I see.? The reason I ask is that I'm trying to use an extended >>>>>> query >>>>>> in a pfsense/openvpn setup and the query seems to fail. I'm fairly >>>>>> certain I have the query correct (although I could be wrong). >>>>>> >>>>>> In googling I came across some discussion that RFC2307 can create >>>>>> issues >>>>>> with the extended query (https://redmine.pfsense.org/issues/9527) >>>>>> >>>>> That link seems to refer to IPA and AD is different, For instance >>>>> you >>>>> cannot rely on the 'posix' objectclasses being in AD (in fact >>>>> anything >>>>> that does, is, in my opinion, broken), the 'posix objectclasses are >>>>> auxiliary objectclasses of Windows objectclasses and as such are >>>>> not >>>>> required. >>>>> >>>>> What is your search query and what do you expect the results to be >>>>> ? >>>> >>>> my query is -> >>>> memberOf=CN=VPN-Users,CN=users,DC=internal,DC=external,DC=com >>>> >>>> Users who will be allowed access to the VPN are assigned to a >>>> security group >>>> named "VPN-Users".? I then used Softerra's ldapbrowser >>>> (www.ldapadministrator.com) >>>> to look at one of the users in the group and pulled the syntax for >>>> the "memberof" >>>> attribute that listed the VPN-User group. >>>> >>>> I would expect the extend query to validate a user who is a member >>>> of the VPN-Users group. >>> >>> OK, I do not have a group called 'VPN-Users', but I do have one >>> called >>> 'vpnusers', so try this (adapted for your setup): >>> >>> ldbsearch -H ldap://samdom.example.com -b >>> 'dc=samdom,dc=example,dc=com' -s sub >>> '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' >>> -P >>> >>> or using ldapsearch: >>> >>> ldapsearch -H ldap://samdom.example.com -b >>> 'dc=samdom,dc=example,dc=com' -s sub >>> '(&(memberOf=CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com)(sAMAccountName=rowland))' >>> -D 'cn=Administrator,dc=samdom,dc=example,dc=com' -W >>> >>> Both of them work for myself, but the first one doesn't ask for a >>> password. >>> >>> Rowland >> >> Using ldbsearch I get the following: >> >> # Referral >> ref: >> ldap://internal.external.com/CN=Configuration,DC=internal,DC=external,DC=com >> >> # Referral >> ref: >> ldap://internal.externak.com/DC=DomainDnsZones,DC=internal,DC=external,DC=com >> >> # Referral >> ref: >> ldap://internal.external.com/DC=ForestDnsZones,DC=nternal,DC=external,DC=com >> >> # returned 3 records >> # 0 entries >> # 3 referrals > > If I run: > > ldbsearch -H ldap://samdom.example.com -b > 'dc=samdom,dc=example,dc=com' -s sub > '(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland))' > -P > > I get (heavily snipped): > > # record 1 > dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com > objectClass: top > objectClass: securityPrincipal > objectClass: person > objectClass: organizationalPerson > objectClass: user > cn: Rowland Penny > sn: Penny > ................... > sAMAccountName: rowland > memberOf: CN=vpnusers,CN=Users,DC=samdom,DC=example,DC=com > ......................... > distinguishedName: CN=Rowland > Penny,CN=Users,DC=samdom,DC=example,DC=com > > # Referral > ref: > ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com > > # Referral > ref: > ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com > > # Referral > ref: > ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com > > # returned 4 records > # 1 entries > # 3 referrals > > It doesn't matter whether I run it on a DC or a Unix domain member. > > Perhaps I should mention that 'samdom.example.com' is the DNS domain > and not a FQDN. > > RowlandThe FQDN is my test case is samba_machine.internal.external.com. Therefore, I assume I should be replacing samdom.example.com with internal.external.com When I do that I get the following: resolve_lmhosts: Attempting lmhosts lookup for name internal.external.com<0x20> Server ldap/internal.external.com at EXTERNAL.COM is not registered with our KDC: Miscellaneous failure (see text): Server (krbtgt/EXTERNAL .COM at INTERNAL.EXTERNAL.COM) unknown gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for ldap/internal.external.com failed (next[ntlmssp]): NT_STATUS_INVAL ID_PARAMETER Got challenge flags: Got NTLMSSP neg_flags=0x62898235 NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088235 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235 NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088235