[Samba] Samba4: error in schema?
Hi

There seems to be a discrepancy in the s4 schema concerning security groups. Domain Users comes with gidNumber: 100. This is however contrary to what the schema allows. You can show this as follows:

Create a new group:

  samba-tool group add mygroup

Use phpldapadmin to add the gidNumber attribute. There is an error because gidNumber is provided by the posixGroup class and that objectclass is not present by default. No problem. We add objectClass: posixGroup and then we can add gidNumber: xxx just fine.

This however throws up another error in that mygroup is now not a security group but a posix group and the ability to view and manipulate group members is not available in Active Directory Computers and Users (ADCU). We made the following observations:

1. The members tabs are missing from mygroup properties in ADCU
2. You can still use samba-tool group addmembers to manipulate the groups
3. You can still select and change primary group for a user in ADCU
4. You can add users to the group under phpldapadmin but the users who are already members are not displayed. An error is however correctly displayed if you try to add a user who is already a member.
5. You can still manipulate the posixGroup as if it were a security group, set acl's and permissions etc from the security tab of a file or folder.
6. You can use a big hammer to add attributes that you should not be able to add. e.g. you can add gidNumber without the objectClass (which supplies gidNumber) being present using ldapmodify or ldbmodify.
7. posixAccount and its associated attributes work exactly as advertised in the schema.

Conclusion: This is simply an inconvenience. Everything works as expected except being able to view the members that are in a group either in ADCU or phpldapadmin _after_ you have added objectClass: posixGroup to it.

Why does adding the posixGroup Class knock out the ability to be able to view group membership? Is this an error in the posixGroup schema?
Is it an aim that s4 be an _exact_ replacement for m$ AD?

Is this the schema that is used? from: MS-AD_Schema_2K8_R2_Classes, under /usr/local/samba/share/setup/ad-schema

  cn: PosixAccount
  ldapDisplayName: posixAccount
  governsId: 1.3.6.1.1.1.2.0
  objectClassCategory: 3
  rdnAttId: uid
  subClassOf: top
  mayContain: uid, cn, uidNumber, gidNumber, unixHomeDirectory, homeDirectory, userPassword, unixUserPassword, loginShell, gecos, description
  schemaIdGuid: ad44bb41-67d5-4d88-b575-7b20674e76d8
  defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
  defaultHidingValue: TRUE
  systemOnly: FALSE
  defaultObjectCategory: CN=PosixAccount,CN=Schema,CN=Configuration,RootDomainDN

  cn: PosixGroup
  ldapDisplayName: posixGroup
  governsId: 1.3.6.1.1.1.2.2
  objectClassCategory: 3
  rdnAttId: cn
  subClassOf: top
  mayContain: cn, userPassword, unixUserPassword, description, gidNumber, memberUid
  schemaIdGuid: 2a9350b8-062c-4ed0-9903-dde10d06deba
  defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
  defaultHidingValue: TRUE
  systemOnly: FALSE
  defaultObjectCategory: CN=PosixGroup,CN=Schema,CN=Configuration,RootDomainDN

There are full details of what we have tried with screenshots in the latter part of this bugzilla:
https://bugzilla.samba.org/show_bug.cgi?id=8635

Please let us know if there is anything we can test.

Cheers,
Steve
(Could someone fwd to samba-technical?)

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
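As an added illustration of observation 6 in the message above (a raw ldbmodify/ldapmodify will accept an attribute that no objectClass on the entry supplies), here is a small audit script. It is not part of the thread or of Samba: it reads an LDIF dump and reports attributes that none of the entry's objectClasses permit, which is the check a directory admin would run after someone has used the "big hammer". The posixAccount and posixGroup attribute lists are the mayContain values quoted above; the `top` and `group` rows of the table are a deliberately simplified stand-in for the AD classes and are an assumption (the real AD schema, with its auxiliary classes, permits more than listed), and the sample LDIF is constructed for the example.

```python
# Added example, not code from the Samba thread or the Samba project.
# Flags attributes on LDIF entries that none of their objectClasses permit.
from collections import defaultdict

# Class -> attributes it permits. posixAccount/posixGroup are the mayContain
# lists quoted from ad-schema in the message above. ASSUMPTION: 'top' and
# 'group' are a simplified stand-in for the real AD classes, which (with
# their auxiliary classes) permit more attributes than listed here.
_RAW_SCHEMA = {
    "top": ["cn", "distinguishedName", "name", "objectCategory", "objectGUID"],
    "group": ["cn", "sAMAccountName", "groupType", "member", "description"],
    "posixAccount": ["uid", "cn", "uidNumber", "gidNumber", "unixHomeDirectory",
                     "homeDirectory", "userPassword", "unixUserPassword",
                     "loginShell", "gecos", "description"],
    "posixGroup": ["cn", "userPassword", "unixUserPassword", "description",
                   "gidNumber", "memberUid"],
}


def _norm(name):
    """LDAP attribute and class names are case-insensitive: compare lower-cased."""
    return name.strip().lower()


SCHEMA = {_norm(c): {_norm(a) for a in attrs} for c, attrs in _RAW_SCHEMA.items()}


def parse_ldif(text):
    """Parse minimal LDIF content records: 'attr: value' lines, '#' comments,
    leading-space continuation lines, blank-line separators. Base64 ('::')
    values and changetype records are out of scope for this example."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line ends a record
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if current is None:
            current = defaultdict(list)
        current[_norm(attr)].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def audit_entry(entry, schema=SCHEMA):
    """Return sorted problem strings for one entry (empty when clean).
    An attribute is a violation when no class in objectClass permits it;
    unknown classes are reported too, since they would mask violations."""
    classes = [_norm(c) for c in entry.get("objectclass", [])]
    allowed = {"dn", "objectclass"}          # always present, never a violation
    problems = []
    for cls in classes:
        if cls in schema:
            allowed |= schema[cls]
        else:
            problems.append("unknown objectClass %s" % cls)
    for attr in entry:
        if _norm(attr) not in allowed:
            problems.append("attribute %s not permitted by objectClass set [%s]"
                            % (attr, ", ".join(classes)))
    return sorted(problems)


def audit_ldif(text, schema=SCHEMA):
    """Map each DN that has problems to its problem list."""
    report = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        problems = audit_entry(entry, schema)
        if problems:
            report[dn] = problems
    return report


# Constructed sample (not a real dump): 'Domain Users' mirrors the observation
# above that it carries gidNumber without posixGroup, 'mygroup' has posixGroup
# added, and 'hammered' is what a raw ldbmodify can produce.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Users
sAMAccountName: Domain Users
gidNumber: 100

dn: CN=mygroup,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
objectClass: posixGroup
cn: mygroup
sAMAccountName: mygroup
gidNumber: 10001
member: CN=alice,CN=Users,DC=example,DC=com

dn: CN=hammered,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: hammered
sAMAccountName: hammered
gidNumber: 10002
memberUid: alice
"""

if __name__ == "__main__":
    for dn, problems in sorted(audit_ldif(SAMPLE_LDIF).items()):
        print(dn)
        for problem in problems:
            print("  " + problem)
```

On a real domain the input would be an LDIF export of the groups container (for instance the output of ldbsearch against sam.ldb, with the schema table replaced by the real class definitions); the point of the example is the check itself, which the LDAP front ends apply on write and a raw ldbmodify does not.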
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)
Am 17.03.2012 21:06, schrieb Matthieu Patou:
> On 03/17/2012 10:00 AM, Andreas Oster wrote:
>> Hello all,
>>
>> I have set up a samba4 server with bind9 and the bind_dlz module. Everything is working as it should but now I need to allow the dhcp server to add entries to the forwarding zone. Has anybody implemented such a configuration ? Can this be done with the kerberos DNS dynamic update configuration. I had it working with flat file backend.
> I think that the way dhcp and bind do their DDNS is different from the way windows do its DDNS, as far as I know dlz_plugin only supports the latter one so far.
>> I want to achieve the following:
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>> 2 - already works with the configuration from samba wiki
> I put our DNS experts in direct copy maybe they can advise you better than I.

Hello Matthieu,

thank you for your answer. I searched the web a lot, but the only useful stuff I found was a script by Michael Kuron which has been slightly modified by Charles Tryon but I have no clue how to integrate this with bind9 dlz, see:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

It would be great if someone could help me with the DDNS setup.

best regards

Andreas
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)
On 17/03/12 18:00, Andreas Oster wrote:
> I want to achieve the following:
> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
> 2) allow Windows machines (joined to AD) to update their own entries
> 2 - already works with the configuration from samba wiki
>
> Thank you for your kind help
>
> best regards
>
> Andreas

Hi
I'm not sure if this is what you mean but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.
Cheers,
Steve
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)
On Sun, Mar 18, 2012 at 11:19 AM, steve st...@steve-ss.com wrote:
> On 17/03/12 18:00, Andreas Oster wrote:
>> I want to achieve the following:
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>> 2 - already works with the configuration from samba wiki
>>
>> Thank you for your kind help
>>
>> best regards
>>
>> Andreas
>
> Hi
> I'm not sure if this is what you mean but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.
> Cheers,
> Steve

Unfortunately, this is a problematic configuration for public encryption key systems, namely HTTPS and SSH servers. In particular, there's nothing like two SSH servers (namely most Linux systems) migrating to the same IP address at different times to cause conniptions for the SSH clients who shriek AAA!!! I HAVE MISMATCHED PUBLIC HOSTKEYS FOR THAT ADDRESS AND NO TOOL EXCEPT YOUR MANUAL TEXT EDITOR TO CLEAR THEM!!! WAILL!!! SH-R-I-E-K-K-K

The usual solution to this is to provide DHCP reservations with stable IP addresses for all available hosts. This is trivial with ISC DHCP, and requires manual intervention or some very clever scripting with AD based DHCP. It's also why it's often handy to put the vaguely stable Linux hosts in their own VLAN or address range: it makes the DHCP reservation management easier.
Re: [Samba] how to allow ISC dhcpd to add/update entries to bind9 with bind_dlz (samba4)
Am 18.03.2012 16:19, schrieb steve:
> On 17/03/12 18:00, Andreas Oster wrote:
>> I want to achieve the following:
>> 1) allow non-Windows machines (printers, ILO ...) to be added by dhcpd
>> 2) allow Windows machines (joined to AD) to update their own entries
>> 2 - already works with the configuration from samba wiki
>>
>> Thank you for your kind help
>>
>> best regards
>>
>> Andreas
>
> Hi
> I'm not sure if this is what you mean but we have a lan of windows and linux clients under s4. Both win and Linux clients get their IP via dhcp. You can see the Kerberos dialogue reveal the IP when the box first connects. It is a different IP after each boot. So, if Linux counts as non windows, then yes, it works. We did nothing apart from adding the dlz stuff to bind.
> Cheers,
> Steve

Hello Steve,

maybe I did not understand the concept behind this secure dynamic DNS stuff between samba4 and bind9 with bind_dlz module. I thought that the following bind9 config (from samba4 howto) only allows principal dns-sambaserver to add/remove/modify DNS entries

  options {
      [...]
      tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
      [...]
  };

Also, from reading some postings, I got the impression that members of the domain (windows workstations, member servers) should be able to update their DNS entries. But what about network clients that get their IP via DHCP and which have no machine entry in the AD ? How can their names be added to the bind9 database dynamically ? How can I enable the dhcp daemon on another linux server to update the entries for these network clients ?

Thank you for your kind help

best regards

Andreas
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:
http://git.samba.org/autobuild.flakey/2012-03-18-1627/flakey.log

The samba3 build logs are available here:
http://git.samba.org/autobuild.flakey/2012-03-18-1627/samba3.stderr
http://git.samba.org/autobuild.flakey/2012-03-18-1627/samba3.stdout

The source4 build logs are available here:
http://git.samba.org/autobuild.flakey/2012-03-18-1627/samba4.stderr
http://git.samba.org/autobuild.flakey/2012-03-18-1627/samba4.stdout

The top commit at the time of the failure was:

commit eeec0d925e3cc9bb33ed544815904f31c6c9b9ed
Author: Matthieu Patou m...@matws.net
Date:   Sat Mar 17 00:19:40 2012 -0700

    upgrade provision didn't run findprovisionrange anymore

    Autobuild-User: Matthieu Patou m...@samba.org
    Autobuild-Date: Sat Mar 17 09:51:46 CET 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  ee0e1ca s4:selftest: add test for samba-tool group list
       via  704f068 s4:samba-tool: add simple command group list
       via  f4458a5 s4:selftest: add a new testsuite for the samba-tool group command
      from  eeec0d9 upgrade provision didn't run findprovisionrange anymore

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit ee0e1ca5d8bbd03be5df23ecce504115e2e5012f
Author: Michael Adam ob...@samba.org
Date:   Sun Mar 18 23:40:18 2012 +0100

    s4:selftest: add test for samba-tool group list

    Autobuild-User: Michael Adam ob...@samba.org
    Autobuild-Date: Mon Mar 19 02:30:39 CET 2012 on sn-devel-104

commit 704f0683f0d9e9ec9b1270b621096cfc238af7e0
Author: Michael Adam ob...@samba.org
Date:   Thu Mar 8 22:39:24 2012 +0100

    s4:samba-tool: add simple command group list

commit f4458a5cef9b80e81aab598fc6095033111e5fa1
Author: Michael Adam ob...@samba.org
Date:   Sun Mar 18 22:19:46 2012 +0100

    s4:selftest: add a new testsuite for the samba-tool group command

---

Summary of changes:
 source4/scripting/python/samba/netcmd/group.py     |   33 +
 .../python/samba/tests/samba_tool/group.py         |  150
 source4/selftest/tests.py                          |    1 +
 3 files changed, 184 insertions(+), 0 deletions(-)
 create mode 100644 source4/scripting/python/samba/tests/samba_tool/group.py

Changeset truncated at 500 lines:

diff --git a/source4/scripting/python/samba/netcmd/group.py b/source4/scripting/python/samba/netcmd/group.py
index 3d5c42e..004307b 100644
--- a/source4/scripting/python/samba/netcmd/group.py
+++ b/source4/scripting/python/samba/netcmd/group.py
@@ -260,6 +260,38 @@ Example2 shows how to remove a single user account, User2, from the supergroup A raise CommandError('Failed to remove members %s from group %s' % (listofmembers, groupname), e) self.outf.write(Removed members from group %s\n % groupname) +class cmd_group_list(Command): +List all groups + +synopsis = %prog [options] + +takes_options = [ +Option(-H, --URL, help=LDB URL for database or target server, type=str, + metavar=URL, dest=H), +] + +takes_optiongroups = { +sambaopts: options.SambaOptions, +credopts: options.CredentialsOptions, +versionopts: options.VersionOptions, +} + +def run(self, sambaopts=None, credopts=None, versionopts=None, H=None): +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp, fallback_machine=True) + +samdb = SamDB(url=H, session_info=system_session(), +credentials=creds, lp=lp) + +domain_dn = samdb.domain_dn() +res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE, +expression=((objectClass=group)), +attrs=[samaccountname]) +if (len(res) == 0): +return + +for msg in res: +self.outf.write(%s\n % msg.get(samaccountname, idx=0)) class cmd_group(SuperCommand): Group management @@ -269,3 +301,4 @@ class cmd_group(SuperCommand): subcommands[delete] = cmd_group_delete() subcommands[addmembers] = cmd_group_add_members() subcommands[removemembers] = cmd_group_remove_members() +subcommands[list] = cmd_group_list() diff --git a/source4/scripting/python/samba/tests/samba_tool/group.py b/source4/scripting/python/samba/tests/samba_tool/group.py new file mode 100644 index 000..be10716 --- /dev/null +++ b/source4/scripting/python/samba/tests/samba_tool/group.py 
@@ -0,0 +1,150 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) Michael Adam 2012 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# + +import os +import time +import ldb +from samba.tests.samba_tool.base import SambaToolCmdTest +from samba import ( +nttime2unix, +dsdb +) + +class GroupCmdTestCase(SambaToolCmdTest): +Tests for samba-tool group subcommands +groups = [] +samdb = None + +def setUp(self): +super(GroupCmdTestCase, self).setUp() +self.samdb = self.getSamDB(-H, ldap://%s; % os.environ[DC_SERVER], +-U%s%%%s % (os.environ[DC_USERNAME], os.environ[DC_PASSWORD])) +
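Review bot: in the group.py hunk, cmd_group_list.run calls samdb.search without any try/except, so an LdbError from an unreachable -H URL or insufficient rights reaches the user as a raw traceback, whereas the sibling subcommands in the same file (see the `raise CommandError('Failed to remove members %s from group %s' % (listofmembers, groupname), e)` in the hunk's leading context) convert failures into CommandError; suggest wrapping the search the same way, e.g. `except Exception, e: raise CommandError('Failed to list groups', e)` in the file's Python 2 style. Minor: the `if (len(res) == 0): return` guard is redundant, since the `for msg in res:` loop already does nothing on an empty result, and the "List all groups" docstring could say that it prints the sAMAccountName of every objectClass=group under the domain DN, which is what the search expression actually selects.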
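Review bot: in the new tests/samba_tool/group.py, the imports of time, ldb, nttime2unix and dsdb are not used by anything in the visible part of the hunk (setUp only needs os and SambaToolCmdTest); the changeset is truncated at 500 lines, so if the remaining test methods do not use them either, drop them to keep the module's dependencies honest. Also, setUp builds the -U credential from DC_USERNAME and DC_PASSWORD in the environment, which matches how the selftest environment supplies them but means the test cannot run stand-alone; a one-line comment saying it requires the selftest DC environment would help the next person who tries to run it directly.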