Hello Rowland, when using ldbsearch I have this
ldbsearch -H ldaps://midominio:636 -b "cn=jcbatman3,cn=Users,dc=prueba,dc=ar" -s sub '(&(sAMAccountName=jcbatman3)(memberOf=*))' memberOf -k yes

TLS failed to missing cafile /var/lib/samba/private/tls/ca.pem - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://midominio:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://midominio:636' with backend 'ldaps': (null)
Failed to connect to ldaps://midominio:636 - (null)
Is it possible to disable "tls verify peer" on the client? If not, what can I do?
regards.
On Wed, 13 Jan 2021 at 13:18, Rowland penny via samba (<samba at lists.samba.org>) wrote:
> On 13/01/2021 09:15, jmpatagonia via samba wrote:
> > Excellent Rowland, this works. With this, from the client we can make a
> > script to query ldap (via the memberOf property) and do gvfs-mount.
> >
> > Is it possible to pass the Kerberos ticket (or user id/pass) to ldapsearch
> > to query the Samba built-in ldap?
> >
> > ldapsearch -D "cn=userid,cn=Users,dc=midominio,dc=prueba,dc=ar" -w "P@ssword" -h 192.168.0.165 -p 389 -b "cn=$1,cn=Users,dc=midominio,dc=prueba,dc=ar" -s sub "memberof=*" memberof | grep "memberOf" | sed -e "s/^memberOf: CN=//" -e "s/,CN=Users,DC=midominio,DC=prueba,DC=ar//"
> >
> > So we can query the ldap without a prefixed user; we need to extract the
> > user property "memberOf" from the Samba built-in ldap, authenticating
> > the ldap search with the Kerberos data or similar.
> >
> > Regards.
>
>
> There are numerous ways of doing this, you can use the machine password
> (but this involves using sudo):
>
> sudo ldbsearch -P -H ldap://dc4 -b "cn=users,$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf | grep "memberOf" | sed -e "s/^memberOf: CN=//" -e "s/,CN=Users,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')//"
>
> You can use the user's Kerberos ticket that should be created when the
> user logs in:
>
> ldbsearch -H ldap://dc4 -b "cn=users,$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf -k yes | grep "memberOf" | sed -e "s/^memberOf: CN=//" -e "s/,CN=Users,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')//"
>
> A different way using the user's Kerberos ticket and samba-tool:
>
> samba-tool group listmembers 'Domain Admins' -H ldap://dc4 -k yes
>
> Rowland
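The thread settles on running ldbsearch with the user's Kerberos ticket (`-k yes`) and cutting the group name out of each memberOf line with grep/sed. The script below is an added example written for this page, not code from the thread or from Samba. It keeps Rowland's approach (Kerberos ticket, base DN derived from `hostname -d`) and fixes three things the one-liners leave open: the user name that jmpatagonia takes from `$1` is escaped before it goes into the LDAP filter, so a crafted argument cannot change the query; group names are taken from the first RDN instead of by stripping a fixed `,CN=Users,...` suffix, so groups that live in an OU and names containing an escaped comma still come out right; and LDIF continuation lines (a leading space) are unfolded before parsing. Using the ticket also avoids the `-w "P@ssword"` from the first ldapsearch, which leaves the password in the process list and shell history. Assumptions: `hostname -d` returns the AD domain, a ticket exists for the calling user, `dc4` and `jcbatman3` are placeholders, and the LDIF in `sample_ldif` is constructed for the test. Like Rowland's second command it talks `ldap://`, so it does not touch the ldaps/`tls cafile` question.

```shell
#!/bin/sh
# Added example (not from the samba list thread): resolve a user's AD
# groups with the caller's Kerberos ticket and print one group name per line.

# "midominio.prueba.ar" -> "dc=midominio,dc=prueba,dc=ar"
dn_from_domain() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Escape the RFC 4515 filter metacharacters so a user name taken from a
# script argument cannot inject extra filter terms. Backslash goes first
# so the escapes we add are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                            -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Same filter shape as the thread: one account, only if it has memberOf.
user_filter() {
    printf '(&(sAMAccountName=%s)(memberOf=*))\n' "$(ldap_filter_escape "$1")"
}

# Unfold LDIF continuation lines (leading space continues the previous
# line), then print the CN of every memberOf value. Backslash escapes in
# the RDN are honoured, so "CN=Smith\, John" is not cut at the comma.
# Base64 values ("memberOf::") are not decoded and are skipped.
group_names_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
        function emit(line,    prefix, val, i, c, cn) {
            prefix = "memberof: cn="
            if (tolower(substr(line, 1, length(prefix))) != prefix) return
            val = substr(line, length(prefix) + 1)
            cn = ""
            for (i = 1; i <= length(val); i++) {
                c = substr(val, i, 1)
                if (c == "\\") { i++; cn = cn substr(val, i, 1); continue }
                if (c == ",") break
                cn = cn c
            }
            print cn
        }'
}

# Look up one user's groups with the Kerberos ticket, as in the
# "ldbsearch ... -k yes" command in the thread. Searching from the domain
# root rather than cn=Users also finds accounts that live in an OU.
#   usage: user_groups dc4 jcbatman3     (dc4/jcbatman3 are placeholders)
user_groups() {
    dc=$1
    user=$2
    base=$(dn_from_domain "$(hostname -d)")   # assumes DNS domain == AD domain
    ldbsearch -H "ldap://$dc" -b "$base" -s sub \
        "$(user_filter "$user")" memberOf -k yes | group_names_from_ldif
}

# Constructed LDIF in the shape ldbsearch prints, used to exercise the
# parser offline: a CN=Users group, an OU group with an escaped comma,
# and a value folded over two lines.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=jcbatman3,CN=Users,DC=prueba,DC=ar
memberOf: CN=Domain Admins,CN=Users,DC=prueba,DC=ar
memberOf: CN=Smith\, John Team,OU=Groups,DC=prueba,DC=ar
memberOf: CN=long group name folded by the ldif writer onto the ne
 xt line,OU=Groups,DC=prueba,DC=ar
cn: jcbatman3

# returned 1 records
# 1 entries
# 0 referrals
EOF
}
```

Source the file and call `user_groups dc4 jcbatman3` from a logged-in session that holds a ticket; `sample_ldif | group_names_from_ldif` shows what the parser does without a DC. If the account is in no group the filter matches nothing and the script prints nothing, which is what a mount script wants to test for.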