Sorin P.
2023-Jan-22 22:21 UTC
[Samba] Delegation of control failure for any built-in Security Principals
It is indeed a Python 2 script and I did a few minor changes to make it work with Python 3, and it does.
However, that's not the root cause for the write failure.

I still don't understand why SELF can't be selected, considering that on a domain controller which was created with an older Samba version, the same exact steps worked flawlessly (including SELF selection).
Using that same procedure I was able to successfully delegate the rights for the users to be able to write the ssh key attribute.
However, on the domain I'm trying the changes now, was provisioned with samba v4.17, and the wizard + SELF selection does not work anymore.

Here's the procedure that should be followed immediately after changing the schema, in order to allow each user to write their own key.
As the site is not live anymore, I've extracted it from my bookmarking application, which also keeps a snapshot of the page at the time it was added.

https://wetransfer.com/downloads/4217675fba17de45e0910109c2d2edd520230122221324/b3635e87ec6ff0d4eaa91db077207ff220230122221603/5f2798?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid

Thank you.

On Sunday, January 22, 2023 at 09:51:22 PM GMT+2, Rowland Penny via samba <samba at lists.samba.org> wrote:

On 22/01/2023 19:39, Sorin P. wrote:
> Indeed there is a config file (which I forgot to paste initially). Here
> it is:
> ---------------------------------------------------------
> [ADDC]
> URI=dc.domain.org
> BASE_DN=CN=Users,DC=domain,DC=org
> SSH_KEY_ATTR=sshPublicKey
> LDAP_SERVER=ldap://dc.domain.org:389
> ---------------------------------------------------------
>
> But I don't believe there's any problem with it.
>
> Also here's the procedure that needs to be followed in order to allow
> the self-write rights.
> The live page seems not to be available anymore. Initially was available
> here:
> https://blog.laslabs.com/2017/04/managing-ssh-keys-stored-in-active-directory/
>

Just had another thought, because of the date at the top of the script, it could well be a python2 script, could it just want upgrading to python3 ?

Rowland
Rowland Penny
2023-Jan-23 08:02 UTC
[Samba] Delegation of control failure for any built-in Security Principals
On 22/01/2023 22:21, Sorin P. wrote:
> It is indeed a Python 2 script and I did a few minor changes to make it
> work with Python 3, and it does.
> However, that's not the root cause for the write failure.
>
> I still don't understand why SELF can't be selected, considering that on
> a domain controller which was created with an older Samba version, the
> same exact steps worked flawlessly (including SELF selection).
> Using that same procedure I was able to successfully delegate the rights
> for the users to be able to write the ssh key attribute.
> However, on the domain I'm trying the changes now, was provisioned with
> samba v4.17, and the wizard + SELF selection does not work anymore.

Ah, this is the first time (that I recall) that you have said that it worked previously for you, I thought that you were trying to get it to work for the first time.

On that basis, it could be a regression, or it could be the newer Heimdal (did it work on 4.16.x ?), or it could have something to do with the numerous changes that have occurred lately.

I suggest you open a bug report.

Rowland