Re: [Samba] samba4 adding an index to sam.ldb

2013-09-17 Thread Bo Kersey
Anyone have a clue as to how I set the fINDEXED attrib?   I have an additional 
attribute in samba4 ldap that I need indexed.


 - Original Message -
  From: Bo Kersey b...@vircio.com
  To: Andrew Bartlett abart...@samba.org
  Sent: Sunday, September 15, 2013 7:53:49 AM
  Subject: Re: [Samba] samba4 adding an index to sam.ldb
  
  Andrew,
  I'm not sure where to find that part of the schema...
  
  This is what I find for othermailbox
  dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,
  objectClass: top
  objectClass: attributeSchema
  cn: Other-Mailbox
  instanceType: 4
  whenCreated: 20130913000849.0Z
  whenChanged: 20130913000849.0Z
  uSNCreated: 1011
  attributeID: 1.2.840.113556.1.4.651
  attributeSyntax: 2.5.5.12
  isSingleValued: FALSE
  uSNChanged: 1011
  showInAdvancedViewOnly: TRUE
  adminDisplayName: Other-Mailbox
  adminDescription: Other-Mailbox
  oMSyntax: 64
  searchFlags: 0
  lDAPDisplayName: otherMailbox
  name: Other-Mailbox
  objectGUID: bd150920-231c-437c-a5a4-726c2c136708
  schemaIDGUID: 0296c123-40da-11d1-a9c0-f80367c1
  attributeSecurityGUID: e48d0154-bcf8-11d1-8702-00c04fb96050
  systemOnly: FALSE
  objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,
  distinguishedName: CN=Other-Mailbox,CN=Schema,CN=Configuration,
  
  And when I grep through the other objects at this level, I don't find an
  fINDEXED attrib or any /index/i attribs that make sense for that matter.
  
  Thanks!
  Bo
  
  
  
  - Original Message -
   From: Andrew Bartlett abart...@samba.org
   To: Bo Kersey b...@vircio.com
   Cc: samba@lists.samba.org
   Sent: Saturday, September 14, 2013 5:46:21 PM
   Subject: Re: [Samba] samba4 adding an index to sam.ldb
   
   On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
    I have a large installation 20k users.  We're using samba4 for AD
    Authentication, and also email address validation.  I'm trying to edit
    the @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up
    searches (0.05 sec for indexed, vs 2.5 sec for non-indexed searches)
    I'm finding that when I use ldbedit to do this, it appears to add the
    additional @IDXATTR.  However, when I go back and check via ldbsearch,
    the attribute is not there.  Seems to be failing silently...  How do I
    debug this?

   
   We override that list with a list from the fINDEXED attribute in the
   schema.  Just modify that and the new index will be created.
   
   I'm also keen to hear more about how you have gone with an installation
   that large, as there are not many installations as large as yours, and
   it will help us advise others.
   
   Thanks!
   
   Andrew Bartlett
   
   --
   Andrew Bartlett
   http://samba.org/~abartlet/
   Authentication Developer, Samba Team   http://samba.org
   
   
   
  
  --
  Bo Kersey
  VirCIO - managed network solutions
  4314 Avenue C
  Austin, TX 78751
  phone: (512)374-0500
  
  If it is free, you are the product.
  
  
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
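
Added example, not part of the thread and not Samba's own code: it assumes the flag the reply calls fINDEXED is the index bit (0x1, named fATTINDEX in MS-ADTS) of the searchFlags attribute, which appears as "searchFlags: 0" in the schema entry quoted above. It decodes the current value and builds an LDIF modify record that sets that bit while preserving the others. The function names are hypothetical, and the DC=example,DC=com suffix is a placeholder for the domain DN that the thread elides.

```python
# Added example (not from the thread). Bit names follow MS-ADTS "Search Flags".
SEARCH_FLAGS = {
    0x001: "fATTINDEX",           # attribute is indexed
    0x002: "fPDNTATTINDEX",
    0x004: "fANR",
    0x008: "fPRESERVEONDELETE",
    0x010: "fCOPY",
    0x020: "fTUPLEINDEX",
    0x040: "fSUBTREEATTINDEX",
    0x080: "fCONFIDENTIAL",       # confidential attribute
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute",
}
F_ATTINDEX = 0x001


def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF record into {attr: [values]}."""
    entry = {}
    for line in ldif.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def decode_flags(value):
    """Return the names of the searchFlags bits set in value."""
    return [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]


def index_ldif(entry):
    """Return an LDIF modify record setting the index bit, or None if set."""
    if "attributeSchema" not in entry.get("objectClass", []):
        raise ValueError("not an attributeSchema object")
    current = int(entry.get("searchFlags", ["0"])[0])
    if current & F_ATTINDEX:
        return None
    new = current | F_ATTINDEX    # OR the bit in; keep every other flag
    return ("dn: %s\nchangetype: modify\nreplace: searchFlags\n"
            "searchFlags: %d\n-\n" % (entry["dn"][0], new))


# Constructed sample: the thread's entry with a placeholder domain DN.
SAMPLE = """
dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: otherMailbox
searchFlags: 0
"""

if __name__ == "__main__":
    print(index_ldif(parse_entry(SAMPLE)))
```

Writing a bare 1 into searchFlags would also clear bits such as fCONFIDENTIAL (0x80) on attributes that carry them, which is why the new value is computed with a bitwise OR of the current one.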


[Samba] samba4 adding an index to sam.ldb

2013-09-14 Thread Bo Kersey
I have a large installation 20k users.  We're using samba4 for AD 
Authentication, and also email address validation.  I'm trying to edit the 
@INDEXLIST in sam.ldb to add an index on otherMailbox to speed up searches 
(0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm finding that 
when I use ldbedit to do this, it appears to add the additional @IDXATTR.  
However, when I go back and check via ldbsearch, the attribute is not there.  
Seems to be failing silently...  How do I debug this?


ldbsearch -P -s base -b @INDEXLIST -H sam.ldb 
# record 1
dn: @INDEXLIST
@IDXONE: 1
@IDXVERSION: 2
@IDXATTR: mail
@IDXATTR: mSMQLabelEx
 detail removed for brevity
@IDXATTR: msSFU30IsValidContainer
distinguishedName: @INDEXLIST

# returned 1 records
# 1 entries
# 0 referrals


ldbedit -v -P -s base -b @INDEXLIST -H sam.ldb

dn: @INDEXLIST
changetype: modify
replace: @IDXATTR
@IDXATTR: mail
@IDXATTR: otherMailbox
@IDXATTR: mSMQLabelEx
 detail removed for brevity
@IDXATTR: msSFU30IsValidContainer
-

# 0 adds  1 modifies  0 deletes

wait for indexing to complete

Then:
ldbsearch -P -s base -b @INDEXLIST -H sam.ldb
and it takes a long long time, like it is reindexing again...
# record 1
dn: @INDEXLIST
@IDXONE: 1
@IDXVERSION: 2
@IDXATTR: mail
@IDXATTR: mSMQLabelEx
 detail removed for brevity
@IDXATTR: msSFU30IsValidContainer
distinguishedName: @INDEXLIST

# returned 1 records
# 1 entries
# 0 referrals






Re: [Samba] Samba 4 LDAP NTLM password nightly injection

2013-08-13 Thread Bo Kersey
Duh...  got it, nvm...


import binascii

new_userdata = s4_passdb.getsampwnam("jtest")
print binascii.hexlify(new_userdata.nt_passwd)

And my troubleshooting was required by a typo that I made..  argh!


- Original Message -
 From: Bo Kersey b...@vircio.com
 To: Luc Lalonde luc.lalo...@polymtl.ca
 Cc: samba@lists.samba.org, Andrew Bartlett abart...@samba.org
 Sent: Tuesday, August 13, 2013 11:03:40 AM
 Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
 
 Luc,
 Very helpful...  I'm doing a migration from a very non-standard samba
 ldap implementation that we can't just migrate.  We would like to
 save the users' passwords though.
 
 I'm testing using known password hashes and I'm having trouble
 authenticating after I change the passwords.
 
 How can I extract what is being inserted in to samba4 in order to
 verify that I'm doing things correctly?
 
 
 Thanks!
 Bo
 
 
 - Original Message -
  From: Luc Lalonde luc.lalo...@polymtl.ca
  To: samba@lists.samba.org
  Cc: Andrew Bartlett abart...@samba.org
  Sent: Tuesday, April 9, 2013 11:25:47 AM
  Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
  
  Ok this works:
  
  
  #!/usr/bin/env python
  # Python 2 script (uses the Samba python2.6 bindings).

  import sys

  # Make the Samba Python bindings importable.
  sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
  sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")

  from samba import Ldb, registry
  from samba.param import LoadParm
  from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
  from samba.samba3 import passdb
  from samba.samba3 import param as s3param
  from samba.dcerpc import lsa, samr, security
  from samba.dcerpc.security import dom_sid
  from samba.credentials import Credentials
  from samba import dsdb
  from samba.ndr import ndr_pack
  from samba import unix2nttime

  # Convert Hex to Byte string
  def HexToByte( hexStr ):
      bytes = []
      hexStr = ''.join( hexStr.split( ) )
      for i in range(0, len(hexStr), 2):
          bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
      return ''.join( bytes )

  # Connect to samba4 backend
  new_lp_ctx = s3param.get_context()
  new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
  new_lp_ctx.set("private dir", "/usr/local/samba/private")

  s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

  # Change testuser password (hashes are stored as raw bytes, not hex text)
  new_userdata = s4_passdb.getsampwnam("testuser")
  new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
  new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
  s4_passdb.update_sam_account(new_userdata)
  
  
  I was missing some module paths and the extra info for connecting to
  the LDB database...  Now I just have to generalize this procedure so
  that I can update the passwords every night like I do with
  Samba3-LDAP.
  
  Andrew, thanks for the pointers.  I'm posting this in case it can
  help someone else.
  
  - Original Message -
  From: Luc Lalonde luc.lalo...@polymtl.ca
  To: Andrew Bartlett abart...@samba.org
  Cc: samba@lists.samba.org
  Sent: Wednesday, March 27, 2013 7:38:05 PM GMT -05:00 US/Canada Eastern
  Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
  
  Hello Andrew,
  
  How would I convert the below base16 strings into raw bytes
  acceptable to this routine?  We presently inject the NTLM passwords
  directly into our LDAP database for Samba3.
  
  Also, I can't seem to figure out the argument values for
  'passdb.PDB'.  I tried 'ldb', 'samba_dsdb'.
  
  Thanks for your help!
  
  On 2013-03-27, at 6:18 PM, Andrew Bartlett abart...@samba.org
  wrote:
  
   On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
   Hello Andrew,
   
   I'm finally diving into this project...
   
   First off, my sysadmin stuff is mostly in Perl.  So my Python is
   rudimentary at best.
   
   Here we go anyway...  I've looked at the 'upgrade.py' but I can't
   seem to figure out how to connect to the Samba4 passwd database.
   
   In the script I see these lines:
   
   ###
   # Connect to samba4 backend
   s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
   
   
   I would appreciate a hint on how to connect to the database
   please.  Where is the 'passdb' object referenced from?
   
   Once that's done, from what I understand, I should be able to
   change the passwords directly:
   
   ###
   # Change foo-user password
   admin_userdata = s4_passdb.getsampwnam("foo-user")
   admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
   admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
   s4_passdb.update_sam_account(admin_userdata)
   ###
   
   Sort of.  Those values

Re: [Samba] oLschema2ldif segfault

2013-07-12 Thread Bo Kersey
So I changed the syntax to 1.3.6.1.4.1.1466.115.121.1.15 so I could process the 
schema...  Now I'd like to manually edit the resultant LDIF so that I can 
create binary objects

Where can I find the attributeSyntax and oMSyntax for 
1.3.6.1.4.1.1466.115.121.1.5 (binary objects)?

Thanks!


- Original Message -
 From: Bo Kersey b...@vircio.com
 To: Andrew Bartlett abart...@samba.org
 Sent: Friday, July 12, 2013 7:22:48 AM
 Subject: Re: [Samba] oLschema2ldif segfault
 
 Andrew,
 So it is the problem with the tool and I should be able to add attributes
 that are binary to the LDIF manually?
 
 Thanks!
 Bo
 
 
 - Original Message -
  From: Andrew Bartlett abart...@samba.org
  To: Bo Kersey b...@vircio.com
  Cc: samba@lists.samba.org, samba-techni...@samba.org
  Sent: Thursday, July 11, 2013 9:09:32 PM
  Subject: Re: [Samba] oLschema2ldif segfault
  
  On Thu, 2013-07-11 at 13:11 -0500, Bo Kersey wrote:
   I'm seeing a oLschema2ldif segfault when it comes across
   attributetypes with syntax '1.3.6.1.4.1.1466.115.121.1.5' that is
   a BINARY attribute.
   
   Is this by design?
   
   Can I store binary attributes in samba4 ldap?
  
  We need to remove this tool, and someone needs to write a replacement
  in python.
  
  Andrew Bartlett
  
  
  
  


[Samba] oLschema2ldif segfault

2013-07-11 Thread Bo Kersey
I'm seeing a oLschema2ldif segfault when it comes across attributetypes with 
syntax '1.3.6.1.4.1.1466.115.121.1.5' that is a BINARY attribute.

Is this by design?  

Can I store binary attributes in samba4 ldap?


Thanks!