Kelly Yeoh

bit of this, bit of that, voila!!

LDB part 4

  • November 22, 2012 3:16 pm

LDB Posts

Much like part 3, this has also been sitting around for quite some time. I can’t even remember what it contains, and really don’t have the energy to review it anymore. If it comes in useful for somebody, my work here is done.

I have many other draft posts in here, although none completed to this level. This may be my last samba related post. I hope it has been of help to someone.

Partitions

Partitions within LDB are the equivalent of Naming Contexts within LDAP/Active Directory. These are used to create a separation of data used for different purposes.

When the --cross-ncs control is used on a query, it allows the query to search data across multiple partitions (where the search would otherwise default to the SAMBA partition).

Returning back to our earlier example of the rootDSE, we can see various pieces of information in there on Naming Contexts (or partitions):

kelly@shiny:~/work/samba/prefix.s4$ bin/ldbsearch -H ldap://localhost -s base -b ''
# record 1
dn:
configurationNamingContext: CN=Configuration,DC=samba,DC=somewoman,DC=com
defaultNamingContext: DC=samba,DC=somewoman,DC=com
rootDomainNamingContext: DC=samba,DC=somewoman,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=samba,DC=somewoman,DC=com

namingContexts: DC=samba,DC=somewoman,DC=com
namingContexts: CN=Configuration,DC=samba,DC=somewoman,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=samba,DC=somewoman,DC=com
namingContexts: DC=DomainDnsZones,DC=samba,DC=somewoman,DC=com
namingContexts: DC=ForestDnsZones,DC=samba,DC=somewoman,DC=com

This displays the partitions for the configuration and schema data, and the default data (the main database containing users, etc), and also the root domain (which, in this case, is the same as the default). Later in the file, all NamingContexts are listed including the ones mentioned above.

An alternative means of displaying partition information is the magic @PARTITION record: we can do an ldbsearch for the partitions on the current database:

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @PARTITION
# record 1
dn: @PARTITION
replicateEntries: @ATTRIBUTES
replicateEntries: @INDEXLIST
replicateEntries: @OPTIONS
partition: DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: DC=DOMAINDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: DC=FORESTDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=FORESTDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
distinguishedName: @PARTITION

# returned 1 records
# 1 entries
# 0 referrals

We can see five partitions listed (which are the same as the NamingContext entries listed within the rootDSE):

SAMBA

This contains the “actual” data, eg users, etc.

CONFIGURATION

This contains the configuration information for Domain Controllers within the domain. This information is replicated to all Samba Domain Controllers.

SCHEMA

This partition contains all of the information that the database uses to enforce rules that the data therein must comply with – the schema. The schema was originally discussed in part 1 of these LDB posts.

DOMAINDNSZONES

The information in here would be the same as a zone file that would normally be used within bind (DNS services), encoded within the directory and replicated across all servers.

FORESTDNSZONES

Much like DomainDnsZones, but for the whole forest.

Each partition has its own database file within /private/sam.ldb.d/, as displayed below:

@:$ ls private/sam.ldb.d/
CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
DC=DOMAINDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
DC=FORESTDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
metadata.tdb

metadata.tdb is used solely to contain the local uSN. This is stored outside of any of the partitions as the number is increased for ALL database updates across any partition. The sequence number used to be held within each partition, then added up to gain the universal sequence number, but this caused too much complexity, so it was moved into a simple tdb file on its own outside of the partitions.

@:$ tdbdump private/sam.ldb.d/metadata.tdb
{
key(7) = "SEQ_NUM"
data(4) = "3730"
}

The databases within this directory can be edited directly, with no schema information controlling what is allowed.
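Because the rootDSE and the @PARTITION record describe the same set of partitions from two angles, a quick consistency check is to parse both and confirm that every naming context has a partition entry with a backing file, and that no partition is listed that the rootDSE does not advertise. The script below is an added example, not code from the post or from Samba; its two LDIF blobs are constructed from the ldbsearch output shown above (the @PARTITION values are folded the way ldbsearch folds long lines, with a continuation line starting with one space), and in practice you would feed it the real output of the two commands.

```python
"""Cross-check rootDSE namingContexts against the @PARTITION record (added example)."""

# Constructed from the rootDSE search shown above.
ROOTDSE_LDIF = """\
dn:
defaultNamingContext: DC=samba,DC=somewoman,DC=com
namingContexts: DC=samba,DC=somewoman,DC=com
namingContexts: CN=Configuration,DC=samba,DC=somewoman,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=samba,DC=somewoman,DC=com
namingContexts: DC=DomainDnsZones,DC=samba,DC=somewoman,DC=com
namingContexts: DC=ForestDnsZones,DC=samba,DC=somewoman,DC=com
"""

# Constructed from the @PARTITION search shown above, with LDIF line folding.
PARTITION_LDIF = """\
dn: @PARTITION
replicateEntries: @ATTRIBUTES
replicateEntries: @INDEXLIST
replicateEntries: @OPTIONS
partition: DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=SAMBA,DC=SOMEWOMAN,DC=COM
 .ldb
partition: CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/CN=CONFIGUR
 ATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/C
 N=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: DC=DOMAINDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=DOMAIND
 NSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: DC=FORESTDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=FORESTD
 NSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
distinguishedName: @PARTITION
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def attr_values(lines, name):
    """All values of attribute `name`; LDAP attribute names are case-insensitive."""
    prefix = name.lower() + ":"
    return [ln.split(":", 1)[1].strip() for ln in lines if ln.lower().startswith(prefix)]


def normalise_dn(dn):
    """Upper-case and strip whitespace around RDNs so DNs from both sources compare."""
    return ",".join(part.strip() for part in dn.split(",")).upper()


def parse_partitions(partition_ldif):
    """Map each partition DN to its backing file; values are 'DN:relative/file.ldb'."""
    mapping = {}
    for value in attr_values(unfold_ldif(partition_ldif), "partition"):
        dn, backing_file = value.split(":", 1)
        mapping[normalise_dn(dn)] = backing_file
    return mapping


def check_partitions(rootdse_ldif, partition_ldif):
    """Return (missing, extra): naming contexts with no partition, and partitions
    the rootDSE does not advertise."""
    contexts = {normalise_dn(v)
                for v in attr_values(unfold_ldif(rootdse_ldif), "namingContexts")}
    partitions = parse_partitions(partition_ldif)
    return sorted(contexts - partitions.keys()), sorted(partitions.keys() - contexts)


if __name__ == "__main__":
    for dn, path in parse_partitions(PARTITION_LDIF).items():
        print(f"{dn} -> private/{path}")
    missing, extra = check_partitions(ROOTDSE_LDIF, PARTITION_LDIF)
    print("missing partitions:", missing, "unadvertised partitions:", extra)
```

The DN normalisation matters because the rootDSE reports mixed-case DNs while @PARTITION stores them upper-cased, so a naive string comparison would report every context as missing.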

ACLs

In Part 3 we took a quick look at security within Active Directory: the concept of tokens, and how these are checked against Access Control Lists, or ACLs, to determine who or what has access to perform certain functions on certain objects or directories.

At present, Samba doesn't use ACLs to control reads because they have been found to be too resource intensive; a different control is used instead, where you need to be authenticated to the directory to be able to read anything. ACLs are used for writes.

There are multiple ways of being able to view ACL information for an object within samba. We can use the smb acl tool ******** MORE INFORMATION NEEDED HERE

We can also view the same information within the ntSecurityDescriptor field, which was displayed in Part 1 of this series. We can do this by performing an ldbsearch on the object we wish to see ACLs for:

@:$ bin/ldbsearch -H private/sam.ldb "name=kelly" ntSecurityDescriptor
# record 1
dn: CN=kelly,DC=samba,DC=somewoman,DC=com
nTSecurityDescriptor: O:SYG:SYD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIID;RP
;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU
)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00a
a003049e2;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-4
5bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf9
67aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c0
4fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-79a9-11
d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;59ba
2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;
CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa0030
49e2;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9
b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba
-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f
608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-85
4e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-
2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;
RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RPLCLORC;;bf967a9c
-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba-0de6-11d0-a285-00
aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CII
D;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDS
DSW;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6
-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1
;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

We can use the --show-binary control to present the ntSecurityDescriptor field in a readable format:

@:$ bin/ldbsearch -H private/sam.ldb "name=kelly" ntSecurityDescriptor --show-binary

Displayed is just a small fraction of what the ntSecurityDescriptor contains.
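The raw ntSecurityDescriptor above is SDDL text: an owner (O:), a group (G:), a DACL (D:) and a SACL (S:), each ACL being a flag string followed by ACEs of the form (type;flags;rights;object GUID;inherit GUID;trustee). The question a defender usually wants answered from it is "who can change this object?", which means picking out the allow ACEs whose rights go beyond reading. The parser below is an added example, not code from the post or from Samba; SDDL_SAMPLE is constructed from a handful of the ACEs in the descriptor shown above, and the right and ACE-type abbreviations are the standard SDDL ones.

```python
"""Parse an SDDL security descriptor and list trustees that can change the object
(added example)."""
import re

# Constructed subset of the descriptor shown above for CN=kelly.
SDDL_SAMPLE = (
    "O:SYG:SYD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
    "4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)"
    "(A;CIID;LC;;;RU)"
    "S:AI"
    "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# Rights that let the holder change the object or its security rather than read it.
WRITE_RIGHTS = {"WP", "WD", "WO", "CC", "DC", "SD", "DT", "SW"}
ALLOW_TYPES = {"A", "OA"}   # access-allowed and object-access-allowed ACEs


def split_sections(sddl):
    """Split 'O:..G:..D:..S:..' into a dict, ignoring letters inside ACE parentheses."""
    sections, key, start, depth, i = {}, None, 0, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = sddl[start:i]
            key, start = ch, i + 2
            i += 1
        i += 1
    if key is not None:
        sections[key] = sddl[start:]
    return sections


def split_rights(rights):
    """Expand the rights string into two-letter tokens; a hex access mask is kept whole."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_acl(acl_text):
    """Return (acl_flags, aces) for one ACL section such as 'AI(A;;RP;;;PS)(...)'."""
    flags = acl_text.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl_text):
        ace_type, ace_flags, rights, obj_guid, inherit_guid, trustee = (body.split(";") + [""] * 6)[:6]
        aces.append({"type": ace_type, "flags": ace_flags, "rights": split_rights(rights),
                     "object": obj_guid, "inherit": inherit_guid, "trustee": trustee})
    return flags, aces


def parse_sddl(sddl):
    """Full descriptor: owner, group, and both ACLs with their flags and ACEs."""
    sections = split_sections(sddl)
    dacl_flags, dacl = parse_acl(sections.get("D", ""))
    sacl_flags, sacl = parse_acl(sections.get("S", ""))
    return {"owner": sections.get("O", ""), "group": sections.get("G", ""),
            "dacl_flags": dacl_flags, "dacl": dacl, "sacl_flags": sacl_flags, "sacl": sacl}


def write_capable_trustees(sddl):
    """Trustees whose DACL allow-ACEs grant any right in WRITE_RIGHTS (SACL audit
    ACEs are ignored: they record access, they do not grant it)."""
    return {ace["trustee"] for ace in parse_sddl(sddl)["dacl"]
            if ace["type"] in ALLOW_TYPES and WRITE_RIGHTS & set(ace["rights"])}


if __name__ == "__main__":
    desc = parse_sddl(SDDL_SAMPLE)
    print("owner:", desc["owner"], "group:", desc["group"])
    for ace in desc["dacl"]:
        scope = ace["object"] or "whole object"
        print(f"{ace['type']:<2} {ace['trustee']:<6} {' '.join(ace['rights']):<40} {scope}")
    print("can change the object:", sorted(write_capable_trustees(SDDL_SAMPLE)))
```

Note that an OA ACE with an object GUID only grants its rights on that one property or control-access right, so a property-scoped WP is a much narrower finding than an unscoped one; the per-ACE listing keeps that distinction visible while the summary set collapses it.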

Within Windows, ACLs are edited within the Security tab of the Properties dialog for any object, and alternatively via an ACL editor.

Using dbcheck

dbcheck is used to test for consistency and errors within the samba database, and it is a part of samba-tool.

***insert link to samba-tool info on wiki or some such!!!

As with any component of samba-tool, we call dbcheck by adding the parameter to the command:

@:$ bin/samba-tool dbcheck

Also, as with any component of samba-tool, we can see usage and general help information by adding --help to the end of this line:

@:$ bin/samba-tool dbcheck --help
Usage: samba-tool dbcheck [] [options]

check local AD database for errors

Options:
-h, --help show this help message and exit
--scope=SCOPE Pass search scope that builds DN list. Options: SUB,
ONE, BASE
--fix Fix any errors found
--yes don't confirm changes, just do them all as a single
transaction
--cross-ncs cross naming context boundaries
-v, --verbose Print more details of checking
--quiet don't print details of checking
--attrs=ATTRS list of attributes to check (space separated)
--reindex force database re-index
-H URL, --URL=URL LDB URL for database or target server (defaults to
local SAM database)

Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name

Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server

Version Options:
--version Display version number

In order to demonstrate how dbcheck can be used to fix a database, we must first break it. In the earlier section on partitions, it was mentioned that a database partition can be edited directly from the /private/sam.ldb.d/ directory without regard for schema constraints. We also know from earlier posts that, for two-way links, the back link cannot be edited or removed directly, and that making a change to a forward link automatically effects the corresponding change in the back link. Using a user as an example, the memberOf attribute (linking that user to a group) is the back link component of the group's member attribute. So, to break the database, I will remove the back link directly within the partition database:

Before the edit:

@:$ bin/ldbsearch -H private/sam.ldb.d/DC\=SAMBA\,DC\=SOMEWOMAN\,DC\=COM.ldb 'name=newuser' name memberof
# record 1
dn: CN=newuser,DC=samba,DC=somewoman,DC=com
name: newuser
memberOf: ;;CN=Administrators,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: ;;CN=Users,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: ;;CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Performing the edit:

@:$ bin/ldbmodify -H private/sam.ldb.d/DC\=SAMBA\,DC\=SOMEWOMAN\,DC\=COM.ldb modifynewuser.ldif
# 0 adds 1 modifies 0 deletes

where modifynewuser.ldif contains:

dn: CN=newuser,DC=samba,DC=somewoman,DC=com
changetype: modify
delete: memberof
memberOf: ;;CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com

After the edit:

@:$ bin/ldbsearch -H private/sam.ldb.d/DC\=SAMBA\,DC\=SOMEWOMAN\,DC\=COM.ldb 'name=newuser' name memberof
# record 1
dn: CN=newuser,DC=samba,DC=somewoman,DC=com
name: newuser
memberOf: ;;CN=Administrators,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: ;;CN=Users,CN=Builtin,DC=samba,DC=somewoman,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Using dbcheck:

@:$ bin/samba-tool dbcheck
Checking 210 objects
ERROR: missing backlink attribute 'memberOf' in CN=newuser,DC=samba,DC=somewoman,DC=com for link member in CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
Not fixing missing backlink memberOf
Please use --fix to fix these errors
Checked 210 objects (1 errors)

We can see that it has picked up the existence of an error, and it displays where this error is and what the problem is. We can then use the --fix control to allow dbcheck to correct it:

@:$ bin/samba-tool dbcheck --fix
Checking 210 objects
ERROR: missing backlink attribute 'memberOf' in CN=newuser,DC=samba,DC=somewoman,DC=com for link member in CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
Fix missing backlink memberOf [y/N/all/none] y
Fixed missing backlink memberOf
Checked 210 objects (1 errors)

And taking a look at the original query again, we can see that the backlink has been returned, and all is right with the world:

@:$ bin/ldbsearch -H private/sam.ldb.d/DC\=SAMBA\,DC\=SOMEWOMAN\,DC\=COM.ldb 'name=newuser' name memberof
# record 1
dn: CN=newuser,DC=samba,DC=somewoman,DC=com
name: newuser
memberOf: ;;CN=Administrators,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: ;;CN=Users,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: ;;CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com

# returned 1 records
# 1 entries
# 0 referrals
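The invariant dbcheck enforced in the walkthrough above is simple to state: for every value of a forward link (a group's member) the target object must carry the matching back link (the user's memberOf), and every back link must be matched by a forward link. The script below models that check and its repair over an in-memory set of objects; it is an added example, not samba-tool's code. The records are constructed from the dbcheck walkthrough, in the broken state left by the ldbmodify above; a real check would read the objects through the ldb Python bindings instead of a dict, and the error text is formatted to match the dbcheck message shown above.

```python
"""Forward-link / back-link consistency check in the spirit of samba-tool dbcheck
(added example)."""

BASE = "DC=samba,DC=somewoman,DC=com"
NEWUSER = "CN=newuser," + BASE
ADMINS = "CN=Administrators,CN=Builtin," + BASE
USERS = "CN=Users,CN=Builtin," + BASE
GUESTS = "CN=Guests,CN=Builtin," + BASE

# Constructed state after the ldbmodify above: Guests still lists newuser as a
# member, but the memberOf back link to Guests was deleted from newuser.
BROKEN_DB = {
    ADMINS: {"member": [NEWUSER]},
    USERS: {"member": [NEWUSER]},
    GUESTS: {"member": [NEWUSER]},
    NEWUSER: {"memberOf": [ADMINS, USERS]},
}


def find_link_errors(db, forward="member", back="memberOf"):
    """Return (kind, dn, other_dn) tuples for every link inconsistency found."""
    errors = []
    for dn, attrs in db.items():                       # forward links first
        for target in attrs.get(forward, []):
            if target not in db:
                errors.append(("dangling forward link", dn, target))
            elif dn not in db[target].get(back, []):
                errors.append(("missing backlink", target, dn))
    for dn, attrs in db.items():                       # then back links
        for target in attrs.get(back, []):
            if dn not in db.get(target, {}).get(forward, []):
                errors.append(("orphaned backlink", dn, target))
    return errors


def format_error(kind, dn, other, forward="member", back="memberOf"):
    """Render an error in the wording dbcheck uses."""
    if kind == "missing backlink":
        return (f"ERROR: missing backlink attribute '{back}' in {dn} "
                f"for link {forward} in {other}")
    return f"ERROR: {kind} {back if 'back' in kind else forward} in {dn} -> {other}"


def fix_link_errors(db, forward="member", back="memberOf"):
    """What --fix would do: add missing back links and drop orphaned ones.
    Returns a repaired copy; the input is left untouched."""
    repaired = {dn: {a: list(v) for a, v in attrs.items()} for dn, attrs in db.items()}
    for kind, dn, other in find_link_errors(repaired, forward, back):
        if kind == "missing backlink":
            repaired[dn].setdefault(back, []).append(other)
        elif kind == "orphaned backlink":
            repaired[dn][back].remove(other)
        # a dangling forward link points at an object that no longer exists;
        # that needs a decision by the operator, so it is reported only
    return repaired


if __name__ == "__main__":
    print(f"Checking {len(BROKEN_DB)} objects")
    errors = find_link_errors(BROKEN_DB)
    for err in errors:
        print(format_error(*err))
    fixed = fix_link_errors(BROKEN_DB)
    print(f"Checked {len(BROKEN_DB)} objects ({len(errors)} errors), "
          f"{len(find_link_errors(fixed))} remaining after fix")
```

The check runs in both directions because the two failure modes look identical from one side: a group that names a member the user does not acknowledge, and a user that claims a membership the group does not hold, are both reported, and only the first is the case the walkthrough produced.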

Linked Attributes (continued – one-way links)

Microsoft have provided the Samba project with full schema documentation for Active Directory, and we can use this to view attribute information, including whether an attribute is linked or not. These schema files exist within /source4/setup/ad-schema.

Using /source4/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt as an example, we can find linked attributes quite easily by searching for attributes that contain the property attributeSyntax: 2.5.5.1 (this is a linked attribute). Two-way linked attributes also contain a property called linkID, which has an even value for a forward link and an odd value for a back link. One-way links do not have the linkID, but DO contain attributeSyntax: 2.5.5.1.

Some examples of one-way linked objects are:

  • Certificate-Authority-Object
  • Current-Parent-CA
  • Default-Class-Store
  • Default-Group
  • Default-Local-Policy-Object
  • Default-Object-Category
  • DN-Reference-Update
  • documentAuthor
  • Domain-Certificate-Authorities
  • FSMO-Role-Owner

There are a few more.

As mentioned within Part 3, Samba builds a list of linked attributes at startup, so it is very fast to discover whether any given link is one-way or two-way. When performing a function on a one-way link, we need to first check it to ensure that the link hasn't been broken by the renaming or deletion of the linked object. Within the modules directory is the file /source4/dsdb/samdb/ldb_modules/extended_dn_out.c, which contains a function fix_one_way_link(). This checks one-way links to see if the link has become broken (i.e., the linked object may have been renamed or deleted), locates where the link is meant to be pointing based on GUID information, and then repairs the database.
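The classification rule in the passage above (DN syntax 2.5.5.1 plus an even linkID is a forward link, an odd linkID is its back link, and DN syntax without a linkID is a one-way link) is mechanical enough to apply with a short parser over the schema text. The script below is an added example, not Samba's own schema loader; SCHEMA_EXCERPT is constructed to approximate the key: value layout of the MS-AD_Schema_2K8_R2_Attributes.txt file (one attribute per blank-line-separated block, only the fields this check needs), and it also pairs each forward link with its back link, which the text implies since a back link's linkID is the forward link's plus one.

```python
"""Classify AD schema attributes as forward, back, one-way or not linked
(added example)."""

DN_SYNTAX = "2.5.5.1"   # attributeSyntax of distinguished-name (linked) attributes

# Constructed excerpt approximating the layout of the MS schema text file;
# only the fields needed for link classification are included.
SCHEMA_EXCERPT = """\
cn: Member
ldapDisplayName: member
attributeSyntax: 2.5.5.1
linkID: 2

cn: Is-Member-Of-DL
ldapDisplayName: memberOf
attributeSyntax: 2.5.5.1
linkID: 3

cn: FSMO-Role-Owner
ldapDisplayName: fSMORoleOwner
attributeSyntax: 2.5.5.1

cn: SAM-Account-Name
ldapDisplayName: sAMAccountName
attributeSyntax: 2.5.5.12
"""


def parse_schema(text):
    """Split the file into one dict per attribute block of 'key: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def classify(entry):
    """Apply the linkID / attributeSyntax rule to one attribute definition."""
    if entry.get("attributeSyntax") != DN_SYNTAX:
        return "not linked"
    if "linkID" not in entry:
        return "one-way link"
    return "forward link" if int(entry["linkID"]) % 2 == 0 else "back link"


def classify_attributes(text):
    """ldapDisplayName -> classification, for every attribute in the text."""
    return {e["ldapDisplayName"]: classify(e) for e in parse_schema(text)}


def link_pairs(text):
    """Forward link -> back link name, pairing even linkID n with odd linkID n+1.
    A forward link whose partner is absent maps to None."""
    by_id = {int(e["linkID"]): e["ldapDisplayName"]
             for e in parse_schema(text) if "linkID" in e}
    return {name: by_id.get(lid + 1) for lid, name in by_id.items() if lid % 2 == 0}


if __name__ == "__main__":
    for name, kind in classify_attributes(SCHEMA_EXCERPT).items():
        print(f"{name:<16} {kind}")
    print("pairs:", link_pairs(SCHEMA_EXCERPT))
```

Pointed at the full schema file, the one-way bucket is the list the post gives above (fSMORoleOwner and the rest), and the pairing dictionary is what lets a tool like dbcheck know which back link attribute to look for when a forward link is found.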

LDB part 3 (don’t stop now!!!)

  • November 22, 2012 3:13 pm

LDB Posts

Note: this was written quite some time ago, and has been sitting in my drafts for some time. There was a query over the correctness of linked attributes, in particular the difference between one and two way links. I’m pretty certain that what is below is correct, although add this disclaimer anyways. Apologies for any other incompleteness. I’m just not able to deal with this anymore. There is still some useful information here and it deserves to be shared.

LDB Controls

Controls within LDB are much the same as controls within LDAP. They are a blob of information that modifies a request. A request may contain none, one or more controls to modify the default behaviour in different ways.

Arbitrary controls can be used by adding --controls='control1, control2, control3' to the end of an ldb query, most commonly to ldbsearch. The most frequently used controls have shortcuts that can be added directly on to the end of the query, and some of these are listed below:

Common Controls

--extended-dn

Returns additional information with the dn where available. This includes the GUID, SID, etc.

So, whereas a typical search on users, returning only dn and name, might look like this:

@:# bin/ldbsearch -H private/sam.ldb 'objectclass=user' name
# record 1
dn: CN=SHINY,OU=Domain Controllers,DC=samba,DC=somewoman,DC=com
name: SHINY

# record 2
dn: CN=Administrator,CN=Users,DC=samba,DC=somewoman,DC=com
name: Administrator

the --extended-dn version would look like this:

@:# bin/ldbsearch -H private/sam.ldb 'objectclass=user' name --extended-dn
# record 1
dn: ;;CN=SHINY,OU=Domain Controllers,DC=samba,DC=somewoman,DC=com
name: SHINY

# record 2
dn: ;;CN=Administrator,CN=Users,DC=samba,DC=somewoman,DC=com
name: Administrator

--cross-ncs

Allows a search to cross over a naming context boundary, or partition, within the database. For example, a basic search may return a set of results for the current level of a hierarchical data structure and its children, but adding the --cross-ncs control will return results for all structures across the current level of the hierarchy. This is also known as the "phantom root" option, as it effectively sets the root of the search to be at a higher level within the data hierarchy.

Removing the actual records returned in the interest of expediency and space saving, an example of running a query without --cross-ncs:

@:# bin/ldbsearch -H private/sam.ldb

# returned 211 records
# 208 entries
# 3 referrals

And with --cross-ncs:

@:# bin/ldbsearch -H private/sam.ldb --cross-ncs

# returned 3425 records
# 3425 entries
# 0 referrals

--show-binary

Displays binary data in a readable format. This was demonstrated within an earlier post: LDB Part 2 – Tools and things.

--paged

This is often used where too many results are returned. By default, LDB returns a maximum of something like 1000 results at a time. The --paged control separates the result sets into a new search for each "page" of results returned, where a page contains the maximum number of returnable results. When each search is complete, the next search is performed until all required records have been returned.

--show-deleted

LDB has a two stage deletion process which allows for recovering of records within a given period, or viewing information about (but not being able to recover) a record for a given period past the recovery period. This will be explained in further detail at a later stage. The --show-deleted control is required for undeleting and renaming of records.

Using an ldif file named kelly.ldif containing:

dn: CN=kelly,DC=samba,DC=somewoman,DC=com
objectclass: user
samaccountname: kelly

the user kelly was added with the following command: bin/ldbadd -H private/sam.ldb kelly.ldif

Resulting in:

@:# bin/ldbsearch -H private/sam.ldb 'objectclass=user' name
# record 1
dn: CN=SHINY,OU=Domain Controllers,DC=samba,DC=somewoman,DC=com
name: SHINY

# record 2
dn: CN=Administrator,CN=Users,DC=samba,DC=somewoman,DC=com
name: Administrator

# record 3
dn: CN=dns-shiny,CN=Users,DC=samba,DC=somewoman,DC=com
name: dns-shiny

# record 4
dn: CN=krbtgt,CN=Users,DC=samba,DC=somewoman,DC=com
name: krbtgt

# record 5
dn: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com
name: Guest

# record 6
dn: CN=kelly,DC=samba,DC=somewoman,DC=com
name: kelly

# Referral
ref: ldap://samba.somewoman.com/CN=Configuration,DC=samba,DC=somewoman,DC=com

# Referral
ref: ldap://samba.somewoman.com/DC=DomainDnsZones,DC=samba,DC=somewoman,DC=com

# Referral
ref: ldap://samba.somewoman.com/DC=ForestDnsZones,DC=samba,DC=somewoman,DC=com

# returned 9 records
# 6 entries
# 3 referrals

Then this record was deleted using: bin/ldbdel -H private/sam.ldb 'CN=kelly,DC=samba,DC=somewoman,DC=com'

Resulting in:

@:# bin/ldbsearch -H private/sam.ldb 'objectclass=user' name --show-deleted
# record 1
dn: CN=kelly\0ADEL:655e6455-e5ef-495b-8b85-ea9b63b7ffea,CN=Deleted Objects,DC=samba,DC=somewoman,DC=com
name:: a2VsbHkKREVMOjY1NWU2NDU1LWU1ZWYtNDk1Yi04Yjg1LWVhOWI2M2I3ZmZlYQ==

# record 2
dn: CN=SHINY,OU=Domain Controllers,DC=samba,DC=somewoman,DC=com
name: SHINY

# record 3
dn: CN=Administrator,CN=Users,DC=samba,DC=somewoman,DC=com
name: Administrator

# record 4
dn: CN=dns-shiny,CN=Users,DC=samba,DC=somewoman,DC=com
name: dns-shiny

# record 5
dn: CN=krbtgt,CN=Users,DC=samba,DC=somewoman,DC=com
name: krbtgt

# record 6
dn: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com
name: Guest

# Referral
ref: ldap://samba.somewoman.com/CN=Configuration,DC=samba,DC=somewoman,DC=com

# Referral
ref: ldap://samba.somewoman.com/DC=DomainDnsZones,DC=samba,DC=somewoman,DC=com

# Referral
ref: ldap://samba.somewoman.com/DC=ForestDnsZones,DC=samba,DC=somewoman,DC=com

# returned 9 records
# 6 entries
# 3 referrals

--reveal

The --reveal control is a Samba only control, used for internal bookkeeping by Samba. This extends the information displayed differently, depending on the query. For example, it will display deleted linked objects (more on linked objects later). In the following demonstration, I have removed the user 'kelly' from the group 'guests'.

Without --reveal:

@:$ bin/ldbsearch -H private/sam.ldb 'name=guests' member
# record 1
dn: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
member: CN=Domain Guests,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com

With --reveal:

@:$ bin/ldbsearch -H private/sam.ldb 'name=guests' member --reveal
# record 1
dn: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
member: CN=Domain Guests,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=kelly,DC=samba,DC=somewoman,DC=com

--relax

This is the “don’t worry, be happy” of controls. It tells the database to ignore warnings, and perform this action anyway. This is useful for database cleanups and reconfigurations. For most actions, this can only be used by the system user.

LDB Credentials

LDAP has fairly complex authentication protocols, with several available. Most commonly used are SASL and Kerberos.

SASL – Simple Authentication and Security Layer

SASL is a challenge/response type authentication where the client needs to know a password. Using wireshark to view a connection in progress, we can see the two ends negotiating as to whether they will allow a connection. This passes through several layers within SASL:

[Image: SASL authentication capture]

SASL -> SPNEGO (Simple Protected Negotiation) -> NTLM (NT LAN Manager authentication) -> NTLMSSP (an extension on NTLM – Secure Service Provider)

Layers upon layers upon layers of authentication. This occurs with each and every SASL based communication.

Kerberos

Kerberos uses SASL to create an initial connection, and then uses this secure connection to generate a “ticket” based on authentication level, and send the client this ticket which can then be used for a much faster authentication. Each communication contains the ticket, and the server responds according to the previous authentication level associated with that ticket. This saves on several calls to determine authentication that would otherwise be required with each request.

[Image: Kerberos authentication capture]

Kerberos requires a hostname, and cannot authenticate to localhost.

Kerberos is extremely important to Active Directory, and will be discussed in much further detail in a later post.

Active Directory Credentials

The core of Active Directory credentials is called a “token”. This token is similar to the unix idea of user ids (viewable if you type “id” at your command prompt), although it is a much larger id. Whereas a unix user id is unique to the current machine (16 or 32 bit), the AD token is a much larger identifier comprising two parts (a randomly generated SID for the domain, and a further randomly generated SID for the user within the domain). The two SIDs together are expected to be globally unique, and this is one of the reasons why Active Directory is so popular within really large organisations; unix identifiers really don’t scale.

Tokens also link in to Access Control Lists (ACLs). AD uses lists of tokens throughout to determine if you are allowed to perform certain actions. EVERY record within AD uses ACLs to determine who can do what, and it uses tokens to determine access against the ACLs on that object.

An example of what ACLs look like is displayed below.

[Image: example ACLs]

ACLs will be further discussed within a later post.

Module Chaining

Modules are used to perform single or small tasks, with many modules being used to perform complex tasks. Each module receives a request and decides what to do with it (modify the request, reply to the request, etc), and then passes the request to the next module. This happens down the hierarchy to the last module listed, which then translates it into a TDB request that is forwarded to perform the required task. LDB without modules is a very basic, dumb database with no schema, no authentication, no anything. The use of modules is what makes LDB useful.

Modules are stored within /source4/dsdb/samdb/ldb_modules/ and each of the *.c files within that directory is an LDB module.

Ordering of modules is often imperative, and as such there is a hierarchy of modules to determine the order of evaluation. A separate module is used to determine this order, and the order differs according to which backend is in use. The file /source4/dsdb/samdb/ldb_modules/samba_dsdb.c contains a list of modules, and it registers these modules in a particular order, altering it according to the backend in use. Most commonly used is TDB.

The reason that ordering is important is that modules are used to modify a request. For example, there are constraints that say you may only create a user object within certain containers or objectClasses. In order to check that constraint, you must first check what the object type is and what the parent class is; then you can test whether the parent class is able to contain a child of the type being created. For instance, if we attempt to add a user to the root object, we would expect an error along the lines of "Naming violation. Structural object class user is not a valid child class.". Likewise, if an object is created without an objectSid, then a module needs to be called to check for the existence of the objectSid, passing on to a module that will create and attach the objectSid if required, and all of this needs to be completed before the request is passed to the module that checks that the attached objectSid is valid.

An Example

Going forward, we will use /source4/dsdb/samdb/ldb_modules/objectguid.c as an example.

Each module contains a section that tells the LDB infrastructure what its name is, and what operations it is interested in intercepting such as on add, rename, modify, reinitialisation, delete, etc. Within objectguid this is using the ldb_objectguid_module_init function, and this registers the module as being named “objectguid” and being interested in add and modify operations.

static const struct ldb_module_ops ldb_objectguid_module_ops = {
    .name   = "objectguid",
    .add    = objectguid_add,
    .modify = objectguid_modify
};

int ldb_objectguid_module_init(const char *version)
{
    LDB_MODULE_CHECK_VERSION(version);
    return ldb_register_module(&ldb_objectguid_module_ops);
}

Add

If an add is called, the module calls objectguid_add(), which does a series of operations:

Firstly, it checks to see if the dn of the object flags it as a “special” or “magic” record (more on this later). The ldb_dn_is_special() function checks for the existence of an @ at the beginning of the dn, and returns true or false. If true, objectguid.c calls the ldb_next_request() function to call the next module in the hierarchy, performing no further action.

/* do not manipulate our control entries */
if (ldb_dn_is_special(req->op.add.message->dn)) {
    return ldb_next_request(module, req);
}

It then checks to see if an objectGUID already exists. An object cannot be created with a predefined objectGUID, and the add will be refused if one is present.

el = ldb_msg_find_element(req->op.add.message, "objectGUID");
if (el != NULL) {
    ldb_set_errstring(ldb, "objectguid: objectGUID must not be specified!");
    return LDB_ERR_UNWILLING_TO_PERFORM;
}

It then performs a couple of other checks before finally creating a new objectGUID (which uses /dev/urandom, or whatever source of randomness is available on the machine), and adding it to the object:

/* a new GUID */
guid = GUID_random();

ret = dsdb_msg_add_guid(msg, &guid, "objectGUID");
if (ret != LDB_SUCCESS) {
    return ret;
}

It inserts the whenCreated and whenChanged attributes:

if (add_time_element(msg, "whenCreated", t) != LDB_SUCCESS ||
    add_time_element(msg, "whenChanged", t) != LDB_SUCCESS) {
    return ldb_operr(ldb);
}

And the universal sequence number created and changed attributes (the uSN tracks how many changes have EVER been made to the database, so we can reconstruct the order of events from these numbers):

/* Get a sequence number from the backend */
ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
if (ret == LDB_SUCCESS) {
    if (add_uint64_element(ldb, msg, "uSNCreated", seq_num) != LDB_SUCCESS ||
        add_uint64_element(ldb, msg, "uSNChanged", seq_num) != LDB_SUCCESS) {
        return ldb_operr(ldb);
    }
}

It then builds a new add request using the updated message:

ret = ldb_build_add_req(&down_req, ldb, ac, msg, req->controls, req, dsdb_next_callback, req);
LDB_REQ_SET_LOCATION(down_req);
if (ret != LDB_SUCCESS) {
    return ret;
}

and then passes it along to the next module:

/* go on with the call chain */
return ldb_next_request(module, down_req);

Modify

If a modify is called, it similarly checks to see if it contains a special dn to determine if any further work is required before passing it along to the next module. If it is not a special dn, some other checks are performed, and the whenChanged and uSNChanged attributes are modified before generating the new version of the request and passing it along to the next module.
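To make the chaining described above concrete, the script below is a miniature module chain written in Python; it is an added example, not Samba's code. The Request, Module and Backend classes are simplified stand-ins for ldb_request, ldb_module_ops and the TDB backend, and the two modules are assumptions modelled on the text: ObjectGuidModule follows the add and modify steps of objectguid.c (skip @ records, refuse a caller-supplied objectGUID, generate the GUID, stamp whenCreated/whenChanged and take a uSN from the backend), and NamingModule stands in for the parent-check ordering point (a request that fails an earlier module never reaches objectguid, so no sequence number is consumed for it).

```python
"""A miniature LDB-style module chain modelled on objectguid.c (added example)."""
import uuid
from datetime import datetime, timezone

LDB_SUCCESS = 0
LDB_ERR_UNWILLING_TO_PERFORM = 53   # LDAP result codes, as ldb uses them
LDB_ERR_NAMING_VIOLATION = 64


def ldb_time():
    """Generalized time as ldb displays it for whenChanged, e.g. 20120104031707.0Z."""
    return datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def is_special_dn(dn):
    """ldb_dn_is_special(): bookkeeping records start with '@'."""
    return dn.startswith("@")


def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


class Request:
    def __init__(self, op, dn, message):
        self.op, self.dn, self.message = op, dn, dict(message)


class Backend:
    """Stand-in for TDB: stores records and hands out the next sequence number."""
    def __init__(self, records=None):
        self.records = dict(records or {})
        self.seq_num = 0

    def next_sequence_number(self):
        self.seq_num += 1
        return self.seq_num

    def handle(self, req):
        if req.op == "add":
            self.records[req.dn] = req.message
        else:
            self.records[req.dn].update(req.message)
        return LDB_SUCCESS


class Module:
    """A module intercepts the operations it defines a method for and passes
    everything else straight to the next handler (cf. ldb_next_request)."""
    def __init__(self, backend, next_handler):
        self.backend, self.next = backend, next_handler

    def handle(self, req):
        hook = getattr(self, req.op, None)
        return hook(req) if hook else self.next.handle(req)


class ObjectGuidModule(Module):
    def add(self, req):
        if is_special_dn(req.dn):              # do not manipulate control entries
            return self.next.handle(req)
        if "objectGUID" in req.message:        # objectGUID must not be specified
            return LDB_ERR_UNWILLING_TO_PERFORM
        msg = dict(req.message)
        msg["objectGUID"] = str(uuid.uuid4())  # random GUID, like GUID_random()
        msg["whenCreated"] = msg["whenChanged"] = ldb_time()
        msg["uSNCreated"] = msg["uSNChanged"] = self.backend.next_sequence_number()
        return self.next.handle(Request("add", req.dn, msg))

    def modify(self, req):
        if is_special_dn(req.dn):
            return self.next.handle(req)
        msg = dict(req.message)
        msg["whenChanged"] = ldb_time()
        msg["uSNChanged"] = self.backend.next_sequence_number()
        return self.next.handle(Request("modify", req.dn, msg))


class NamingModule(Module):
    """Rejects an add whose parent does not exist (a stand-in for the naming check)."""
    def add(self, req):
        if is_special_dn(req.dn) or parent_dn(req.dn) in self.backend.records:
            return self.next.handle(req)
        return LDB_ERR_NAMING_VIOLATION


def build_chain(backend, module_classes):
    """Wire modules so the first class listed sees a request first and the backend last."""
    handler = backend
    for cls in reversed(module_classes):
        handler = cls(backend, handler)
    return handler


def demo():
    """Run a few requests through NamingModule -> ObjectGuidModule -> Backend."""
    base = "DC=samba,DC=somewoman,DC=com"
    backend = Backend({base: {"objectClass": "domainDNS"}})
    chain = build_chain(backend, [NamingModule, ObjectGuidModule])
    results = {
        "add": chain.handle(Request("add", "CN=kelly," + base, {"objectClass": "user"})),
        "add_with_guid": chain.handle(Request("add", "CN=bob," + base, {"objectGUID": "x"})),
        "add_orphan": chain.handle(Request("add", "CN=x,OU=nowhere," + base, {})),
        "add_special": chain.handle(Request("add", "@BASEINFO", {"sequenceNumber": 1})),
        "modify": chain.handle(Request("modify", "CN=kelly," + base, {"description": "hi"})),
    }
    return backend, results


if __name__ == "__main__":
    backend, results = demo()
    print(results)
    print(backend.records["CN=kelly,DC=samba,DC=somewoman,DC=com"])
```

Swapping the order of the two classes in build_chain is the ordering problem the post describes: with ObjectGuidModule first, the orphan add would burn a sequence number before NamingModule rejected it, which is exactly the kind of side effect samba_dsdb.c's ordering exists to prevent.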

Special/Magic @ records

Samba uses special/magic records for book keeping. The reason that they start with an @ is that a dn beginning with @ is otherwise illegal within the LDAP namespace, and therefore such names were completely unused; so we could name objects starting with @ and know that they were not going to interfere with any other objects. Records beginning with @ are used in many, many places throughout Samba, and are treated differently, as in our objectguid example above, where the module checks for a special record and, if it finds one, does nothing to it and just moves on.

@INDEXLIST

Lists, as @IDXATTR values, the attributes that are indexed.

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @INDEXLIST
# record 1
dn: @INDEXLIST
@IDXATTR: objectClass
@IDXATTR: nETBIOSName
@IDXATTR: msFVE-RecoveryGuid
@IDXATTR: msTSProperty01
@IDXATTR: primaryGroupID
@IDXATTR: fromServer
@IDXATTR: serviceClassName
@IDXATTR: msSFU30Domains
@IDXATTR: lastLogonTimestamp
@IDXATTR: requiredCategories
@IDXATTR: mail
@IDXATTR: dNSTombstoned
@IDXATTR: USNIntersite
@IDXATTR: userPrincipalName
@IDXATTR: msTSLSProperty01
<-- snip -->
@IDXATTR: msTSExpireDate4
@IDXATTR: msSFU30NetgroupUserAtDomain
@IDXATTR: trustPartner
@IDXONE: 1
@IDXVERSION: 2
distinguishedName: @INDEXLIST

# returned 1 records
# 1 entries
# 0 referrals

@ATTRIBUTES

Displays a list of all attributes and their datatype, which tells ldb how to compare and index each one (INTEGER values compare numerically, CASE_INSENSITIVE values ignore case).

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @ATTRIBUTES
# record 1
dn: @ATTRIBUTES
accountExpires: INTEGER
accountNameHistory: CASE_INSENSITIVE
aCSAggregateTokenRatePerUser: INTEGER
aCSAllocableRSVPBandwidth: INTEGER
aCSIdentityName: CASE_INSENSITIVE
aCSMaxAggregatePeakRatePerUser: INTEGER
aCSMaximumSDUSize: INTEGER
aCSMaxPeakBandwidth: INTEGER
aCSMaxPeakBandwidthPerFlow: INTEGER
<-- snip -->
uSNChanged: INTEGER
uSNCreated: INTEGER
uSNDSALastObjRemoved: INTEGER
uSNLastObjRem: INTEGER
uSNSource: INTEGER
vendor: CASE_INSENSITIVE
wbemPath: CASE_INSENSITIVE
wWWHomePage: CASE_INSENSITIVE
x121Address: CASE_INSENSITIVE
distinguishedName: @ATTRIBUTES

# returned 1 records
# 1 entries
# 0 referrals

@SUBCLASSES

@MODULES

Contains @LIST attributes naming the modules loaded for the current database. In the demonstration below only samba_dsdb is listed; that main module determines the order in which all further modules are loaded and executed.

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @MODULES
# record 1
dn: @MODULES
@LIST: samba_dsdb
distinguishedName: @MODULES

# returned 1 records
# 1 entries
# 0 referrals

@BASEINFO

Fundamental to all of ldb – records when the db last changed (whenChanged) and its current sequenceNumber, etc.

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @BASEINFO
# record 1
dn: @BASEINFO
sequenceNumber: 16
whenChanged: 20120104031707.0Z
distinguishedName: @BASEINFO

# returned 1 records
# 1 entries
# 0 referrals

@PARTITION

Lists the partitions on the current database, each partition value mapping a naming context to the file that holds it under sam.ldb.d/. The replicateEntries values state that the attributes, indexes and options records are to be replicated into each partition.

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @PARTITION
# record 1
dn: @PARTITION
replicateEntries: @ATTRIBUTES
replicateEntries: @INDEXLIST
replicateEntries: @OPTIONS
partition: DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=SAMBA,DC=SOMEWOMAN,DC=COM
.ldb
partition: CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/CN=CONFIGUR
ATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: CN=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/C
N=SCHEMA,CN=CONFIGURATION,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: DC=DOMAINDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=DOMAIND
NSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
partition: DC=FORESTDNSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM:sam.ldb.d/DC=FORESTD
NSZONES,DC=SAMBA,DC=SOMEWOMAN,DC=COM.ldb
distinguishedName: @PARTITION

# returned 1 records
# 1 entries
# 0 referrals

@OPTIONS

root@shiny:/home/kelly/work/samba/prefix.s4# bin/ldbsearch -H private/sam.ldb -s base -b @OPTIONS
# record 1
dn: @OPTIONS
checkBaseOnSearch: TRUE
distinguishedName: @OPTIONS

# returned 1 records
# 1 entries
# 0 referrals

LDAP Protocol Server

The LDAP Protocol Server is a very thin layer that sits between the LDAP protocol and the LDB layer, and listens on port 389 (the LDAP port) to IPv6 and IPv4 requests on all interfaces on the machine. When a request is received, it is parsed using the LDAP libraries and converted to an LDB request which can then be processed.

The server code is in /source4/ldap_server/ldap_server.c

The function ldapsrv_call_read_done() reads a blob of data, retrieves the ASN.1 data (the LDAP protocol encoding) and parses it via ldap_decode(). Multiple failure checks are performed, each of which terminates the connection on failure. If all is ok with the data blob, the ASN.1 decoding, etc, it adds the resulting LDAP call to the global queue using ldapsrv_process_call_send().

At present, Samba performs a manual parse of LDAP requests. There are compilers available that can generate a parser from ASN.1 definitions, and given the time over again Samba would likely have used one rather than the current hand-written and very complicated parser.

It also serves the function of encoding requests and adding further data to them to create a format understandable by Active Directory, which can then be sent.

Linked Attributes

A lot of time has been spent within Samba on linked attributes, and they are surprisingly complex.

Many links are bi-directional; for example, the administrator user is a member of the administrators group. The administrators group has a member attribute pointing to the administrator user (the forward link), and the administrator user has a memberOf attribute pointing back to the administrators group (the back link), which is the direction the ldbmodify examples below demonstrate. In this particular case each side can have multiple links, so the administrator may be a member of many groups, and the administrators group may have many members.

When an object gets renamed or deleted, we need to be able to update all of the links. So if we remove a user who is a member of multiple groups, we need to remove all of the back links pointing to that user. If we rename a user, we need to ensure that all of the back links refer to the correct name. A user is physically only able to modify forward links, and LDB controls modification of all of the back links according to any modifications made affecting the forward link. The direction of the link is specified by the linkID, where anything even is a forward link and anything odd is a back link.

In the following example, I have added the user ‘kelly’ to the ‘guests’ group using samba-tool (more information on samba-tool in a later post):

@:$ bin/samba-tool group addmembers guests kelly

Viewing all members of the ‘guests’ group:

@:$ bin/ldbsearch -H private/sam.ldb 'name=guests' member
# record 1
dn: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
member: CN=Domain Guests,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=kelly,DC=samba,DC=somewoman,DC=com

Viewing which groups ‘kelly’ is a member of (automatically updated when adding member to group):

@:$ bin/ldbsearch -H private/sam.ldb 'name=kelly' memberof
# record 1
dn: CN=kelly,DC=samba,DC=somewoman,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: CN=Users,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com

Attempt to remove the group ‘guests’ from the user ‘kelly’ (modification of back link not allowed):

@:$ bin/ldbmodify -H private/sam.ldb modifykelly.ldif
ERR: (Unwilling to perform) "objectclass_attrs: attribute 'memberof' on entry 'CN=kelly,DC=samba,DC=somewoman,DC=com' must not be modified directly, it is a linked attribute" on DN CN=kelly,DC=samba,DC=somewoman,DC=com
Modified 0 records with 1 failures

where modifykelly.ldif contains:

dn: CN=kelly,DC=samba,DC=somewoman,DC=com
changetype: modify
delete: memberof
memberOf: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com

Attempt to remove the user ‘kelly’ from the group ‘guests’ (modification of forward link allowed):

@:$ bin/ldbmodify -H private/sam.ldb modifyguests.ldif
# 0 adds 1 modifies 0 deletes

Where modifyguests.ldif contains:

dn: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
changetype: modify
delete: member
member: CN=kelly,DC=samba,DC=somewoman,DC=com

Viewing all members of the ‘guests’ group:

@:$ bin/ldbsearch -H private/sam.ldb 'name=guests' member
# record 1
dn: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
member: CN=Domain Guests,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com

Viewing which groups ‘kelly’ is a member of (note: automatically updated by the removal of ‘member’ from ‘guests’):

@:$ bin/ldbsearch -H private/sam.ldb 'name=kelly' memberof
# record 1
dn: CN=kelly,DC=samba,DC=somewoman,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=samba,DC=somewoman,DC=com
memberOf: CN=Users,CN=Builtin,DC=samba,DC=somewoman,DC=com

To further demonstrate how links are automatically updated, the following demonstration has re-added ‘kelly’ to the ‘guests’ group, and then ‘kelly’ was renamed to ‘newuser’ as follows:

@:$ bin/ldbrename -H private/sam.ldb 'CN=kelly,DC=samba,DC=somewoman,DC=com' 'CN=newuser,DC=samba,DC=somewoman,DC=com'
Renamed 1 record

Viewing the members of the ‘guests’ group (note ‘newuser’ is there now instead of ‘kelly’, although no manual editing of the link has been done):

@:$ bin/ldbsearch -H private/sam.ldb 'name=guests' member
# record 1
dn: CN=Guests,CN=Builtin,DC=samba,DC=somewoman,DC=com
member: CN=Domain Guests,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=Guest,CN=Users,DC=samba,DC=somewoman,DC=com
member: CN=newuser,DC=samba,DC=somewoman,DC=com

To add further to the complication, there are some attributes within Active Directory that contain only a forward link and no back link. This can get tricky, because if someone renames or deletes the object a forward-only link points at, we have no way of finding the related objects from the back side. We handle this by knowing that forward-link-only values may not be up to date, and we may need to search by GUID to re-find the object's full name, as it may have changed. At startup, we build a list of all links in the schema, so we can determine VERY fast whether a link is forward only, and such links are rare enough that this doesn’t create a massive performance hit.
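The sequence just shown (add a member, refused back-link edit, forward-link delete, rename), modelled in Python as an added example that is not Samba's code; the Directory class, the link_info() helper, the two-entry schema fragment and the DNs are all constructed for the demonstration:

```python
"""Toy model of the forward/back link handling described above.
Added example, not Samba's code: Directory stands in for the ldb module
stack. Link direction comes from linkID parity (even = forward, odd = back,
the back link being forward linkID + 1). Direct edits to a back link are
refused; edits, renames and deletes on the forward side rewrite the back side."""

# Constructed schema fragment: attribute -> linkID (member is the forward link).
SCHEMA_LINKS = {"member": 2, "memberOf": 3}


class LinkedAttrError(Exception):
    """Stands in for ldb's LDB_ERR_UNWILLING_TO_PERFORM."""


def link_info(attr):
    """Return (is_forward, partner_attr) for a linked attribute, else None."""
    link_id = SCHEMA_LINKS.get(attr)
    if link_id is None:
        return None
    forward = link_id % 2 == 0
    partner_id = link_id + 1 if forward else link_id - 1
    partner = next(a for a, i in SCHEMA_LINKS.items() if i == partner_id)
    return forward, partner


class Directory:
    def __init__(self):
        self.records = {}                      # dn -> {attr: [values]}

    def add(self, dn, **attrs):
        self.records[dn] = {a: list(v) for a, v in attrs.items()}

    def get(self, dn, attr):
        return list(self.records.get(dn, {}).get(attr, []))

    def _set(self, dn, attr, values):
        if values:
            self.records[dn][attr] = values
        else:
            self.records[dn].pop(attr, None)   # no values left: attribute goes away

    def modify(self, dn, op, attr, values):
        """Apply one LDIF-style add/delete of values to attr on dn."""
        info = link_info(attr)
        if info is not None and not info[0]:
            raise LinkedAttrError(
                f"attribute '{attr}' on entry '{dn}' must not be modified "
                "directly, it is a linked attribute")
        current = self.get(dn, attr)
        if op == "add":
            current += [v for v in values if v not in current]
        elif op == "delete":
            current = [v for v in current if v not in values]
        else:
            raise ValueError(f"unsupported op {op!r}")
        self._set(dn, attr, current)
        if info is None:
            return
        back = info[1]                         # keep the back link in step
        for target in values:
            if target not in self.records:
                continue
            back_vals = self.get(target, back)
            if op == "add" and dn not in back_vals:
                back_vals.append(dn)
            elif op == "delete":
                back_vals = [v for v in back_vals if v != dn]
            self._set(target, back, back_vals)

    def _rewrite_links(self, old_dn, new_dn):
        """Repoint every link at old_dn to new_dn, or drop it if new_dn is None."""
        for dn, rec in self.records.items():
            for attr in SCHEMA_LINKS:
                if attr not in rec or old_dn not in rec[attr]:
                    continue
                vals = [v for v in rec[attr] if v != old_dn]
                if new_dn is not None:
                    vals.append(new_dn)
                self._set(dn, attr, vals)

    def rename(self, old_dn, new_dn):
        self.records[new_dn] = self.records.pop(old_dn)
        self._rewrite_links(old_dn, new_dn)

    def delete(self, dn):
        del self.records[dn]
        self._rewrite_links(dn, None)


def try_modify(directory, dn, op, attr, values):
    """Return None on success, else the error text as ldbmodify prints it."""
    try:
        directory.modify(dn, op, attr, values)
    except LinkedAttrError as e:
        return f"ERR: (Unwilling to perform) \"{e}\" on DN {dn}"
    return None


BASE = "DC=samba,DC=somewoman,DC=com"
KELLY, NEWUSER = f"CN=kelly,{BASE}", f"CN=newuser,{BASE}"
GUESTS = f"CN=Guests,CN=Builtin,{BASE}"


def build_demo():
    """Constructed starting state matching the first ldbsearch outputs above."""
    d = Directory()
    d.add(GUESTS, member=[f"CN=Domain Guests,CN=Users,{BASE}",
                          f"CN=Guest,CN=Users,{BASE}"])
    d.add(KELLY, memberOf=[f"CN=Administrators,CN=Builtin,{BASE}",
                           f"CN=Users,CN=Builtin,{BASE}"])
    return d
```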

Lenovo W500 Laptop – display issues

  • December 14, 2011 11:13 am

I’ve previously mentioned briefly about the overheating of my lenovo laptop, and how it frequently just shuts down and will not allow a restart for an hour or so while it cools down. I’ve also mentioned that the last time it shut down, I have had NO video since. The machine sounds like it boots (or goes someway towards doing so), but no display. Nothing.

I’ve FINALLY found the time to book it in for repairs. While on the phone, the lovely gentleman on the other end of the line told me to remove the power cable and battery, then hold down the power button for 20 seconds. Apparently this resets some bits and pieces on the board. After which, upon plugging the power back in I was able to semi-reboot my machine (it froze at the ubuntu splash screen, but I’ll work on that another time).

It is still going in to see if they can stop it from overheating – probably just needs to be opened and vacuumed, but warranty stipulates I cannot do this myself.

So… I didn’t know about the 20 second deal. I thought maybe this could come in handy for someone else with a lenovo that won’t boot. I don’t know which models this works for.

Insomnia

  • November 18, 2011 1:41 am

stab stab kill kill

I HATE YOU!!!

Oh, doom and disaster!! Almost

  • November 15, 2011 9:50 pm

I think the video card in my work laptop finally overheated as much as one cares to overheat. I now have NO graphics. Ever. Although it sounds like everything else is reasonably happy.

Looks like I purchased the new desktop **just** in time!!

Lenovo warranty repairs, here we come :)

LDB part 2 (it just keeps goin’) – Tools and things

  • November 14, 2011 3:42 pm

LDB Posts

 

LDB Tools

Each of the LDB tools is named appropriately to be quite self-explanatory in its functionality.

Common input (utilised by some or all of the tools):

-H ldburl (the local database or the url to it)
eg -H st/dc/private/secrets.ldb
-H ldap://localhost
-H ldaps://hostname (ldap with ssl, runs on a different port number)
-H ldapi://path/ (LDAP over a unix domain socket; the i stands for IPC. A unix domain socket is a file that gives a communication path to a process on the same unix box, so it only works within a machine, not over a network)

-s [one|sub|base] search scope, can be one level, subtree or base

-b basedn the distinguished name at which a search begins

LDAP-style search expression
A search expression can be as simple as (for example) seeking an object with a given distinguished name, or can become quite complex. The standard logic operators (and &, or |, not !) can be used within search expressions, and & and | each take an arbitrary number of operands. Sub-expressions are nested by enclosing each one in its own parentheses.

Using the & operator
(&(search expression 1)(search expression 2)(search expression 3)…(search expression n))

Using the | operator
(|(search expression 1)(search expression 2)(search expression 3)…(search expression n))

Using the ! operator
(!search expression)
The ! operator takes a single input

Using a mixture
(&(search expression 1)(search expression 2)(!search expression 3))
(|(search expression 1)(&(search expression 2)(search expression 3)))

Wildcard searches can also be performed using a * character, eg “samAccountName=kel*”. A simple presence test – checking that an attribute has a value, any value – is a wildcard search on its own: attribute=*

attributes
which attributes from the dataset to display, will display all if none selected. These are written to the end of the ldbsearch line with spaces between each attribute name (eg dn name realm objectGUID).
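A small evaluator for these search expressions, added here as an example (not ldb's query code); the records, the ATTRIBUTE_TYPES table and the standard (!(item)) spelling of the not operator are assumptions for the demonstration:

```python
"""Evaluator for the LDAP-style search expressions described above.
Added example, not ldb's own query code. It parses &, |, ! and simple
attr=value items (with * wildcards and the attr=* presence test) and runs
them over constructed records shaped like ldbsearch output. Attribute names
match case-insensitively; ATTRIBUTE_TYPES mimics the @ATTRIBUTES record, so
INTEGER values compare numerically and everything else casefolded."""
import re

# Constructed subset of an @ATTRIBUTES record (see the LDB part 4 post).
ATTRIBUTE_TYPES = {"usncreated": "INTEGER", "primarygroupid": "INTEGER",
                   "objectclass": "CASE_INSENSITIVE", "samaccountname": "CASE_INSENSITIVE"}


def parse_filter(text):
    """AST as nested tuples: ('&', [..]), ('|', [..]), ('!', node), ('=', attr, pattern)."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text at offset {end}: {text[end:]!r}")
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    c = s[i:i + 1]
    if c in ("&", "|"):                        # any number of operands
        children, i = [], i + 1
        while s[i:i + 1] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"empty {c} at offset {i}")
        return (c, children), _expect(s, i, ")")
    if c == "!":                               # exactly one operand
        child, i = _parse(s, i + 1)
        return ("!", child), _expect(s, i, ")")
    end = s.find(")", i)
    if end < 0:
        raise ValueError(f"unterminated item at offset {i}")
    attr, sep, pattern = s[i:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"bad item {s[i:end]!r}")
    return ("=", attr.strip().lower(), pattern), end + 1


def _expect(s, i, ch):
    if s[i:i + 1] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1


def _values(record, attr):
    """Values of attr on the record, matching the attribute name case-insensitively."""
    for key, vals in record.items():
        if key.lower() == attr:
            return vals if isinstance(vals, list) else [vals]
    return []


def _item_matches(attr, pattern, value):
    if pattern == "*":                         # presence test
        return True
    if "*" in pattern:                         # wildcard, e.g. samAccountName=kel*
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, value, re.IGNORECASE) is not None
    if ATTRIBUTE_TYPES.get(attr) == "INTEGER":
        try:
            return int(pattern) == int(value)
        except ValueError:
            return False
    return pattern.casefold() == value.casefold()


def matches(node, record):
    kind = node[0]
    if kind == "&":
        return all(matches(child, record) for child in node[1])
    if kind == "|":
        return any(matches(child, record) for child in node[1])
    if kind == "!":
        return not matches(node[1], record)
    _, attr, pattern = node
    return any(_item_matches(attr, pattern, v) for v in _values(record, attr))


def search(records, expression, attrs=None):
    """Like ldbsearch: matching records, trimmed to attrs (dn is always kept)."""
    node = parse_filter(expression)
    wanted = None if attrs is None else {a.lower() for a in attrs} | {"dn"}
    return [{k: v for k, v in r.items() if wanted is None or k.lower() in wanted}
            for r in records if matches(node, r)]


# Constructed records, cut down from the ldbsearch outputs on this page.
RECORDS = [
    {"dn": "samAccountName=dns-localdc,CN=Principals", "objectClass": ["top", "kerberosSecret"],
     "samAccountName": ["dns-localdc"], "realm": ["SAMBA.EXAMPLE.COM"], "name": ["dns-localdc"]},
    {"dn": "CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["LOCALDC$"], "uSNCreated": ["3600"], "name": ["LOCALDC"]},
    {"dn": "CN=RODC,OU=Domain Controllers,DC=samba,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["RODC$"], "uSNCreated": ["6747"], "name": ["RODC"],
     "managedBy": ["CN=Administrator,CN=Users,DC=samba,DC=example,DC=com"]},
    {"dn": "CN=Guest,CN=Users,DC=samba,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["Guest"], "uSNCreated": ["3563"], "name": ["Guest"]},
]
```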

 

ldbsearch

This searches an LDB database for records that match the given parameters. LDB has a built in query optimiser that will attempt to use any indexed part of the search expression to reduce the reach of the search.

Common input parameters
-h help (displays a list of available options)
-H ldburl (database to connect to)
-s search scope (one-level, subtree or base) can contain the value one|sub|base
-b basedn
-i read search expressions from stdin
LDAP-style search expression
(eg, ‘(&(objectclass=kerberossecret)(samaccountname=dns-localdc))’)
Attributes
which attributes from the dataset to display, will display not quite all if none selected (some are hidden, more on this later). These are written to the end of the ldbsearch line with spaces between each attribute name (eg name realm objectGUID)

As an example, an entire search command may look like this:
bin/ldbsearch -H st/dc/private/secrets.ldb '(&(objectclass=kerberossecret)(samaccountname=dns-localdc))' name realm objectGUID

which would, in turn, produce the following information:

# record 1

dn: samAccountName=dns-localdc,CN=Principals
realm: SAMBA.EXAMPLE.COM
objectGUID: 2f1d38f3-49b2-4baa-b77c-14c5daebadc0
name: dns-localdc

# returned 1 records
# 1 entries
# 0 referrals

LDB pretty-prints values – eg, objectGUID is saved in binary form, but is displayed in its usual readable format.

The following example returns the same database as our earlier tdbdump example. The data is in a much more readable format, and returned as a tree-like structure using LDAP style objects, attributes and values.

username@computername:~/Samba/samba-master$ bin/ldbsearch -H st/dc/private/secrets.ldb

# record 1
dn: flatname=SAMBADOMAIN,cn=Primary Domains
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-4122882817-868477147-3978206388
privateKeytab: secrets.keytab
realm: SAMBA.EXAMPLE.COM
saltPrincipal: host/localdc.samba.example.com@SAMBA.EXAMPLE.COM
samAccountName: LOCALDC$
secret: machinelocDCpass1
secureChannelType: 6
servicePrincipalName: HOST/localdc
servicePrincipalName: HOST/localdc.samba.example.com
objectGUID: d55fd948-e32b-47c0-b7cf-f6fbb16deb1e
whenCreated: 20111005000140.0Z
whenChanged: 20111005000140.0Z
uSNCreated: 7
uSNChanged: 7
name: SAMBADOMAIN
flatname: SAMBADOMAIN
distinguishedName: flatname=SAMBADOMAIN,cn=Primary Domains

# record 2
dn: CN=LSA Secrets
cn: LSA Secrets
objectClass: top
objectClass: container
objectGUID: 09bef02e-5144-4753-b133-59c2d3a445f1
whenCreated: 20111005000046.0Z
whenChanged: 20111005000046.0Z
uSNCreated: 5
uSNChanged: 5
name: LSA Secrets
distinguishedName: CN=LSA Secrets

The following examples return records of a specific objectClass – in this case person.

This example displays all information returned by default (albeit with some records removed for the sake of space)

username@computername:~/Samba/samba-master$ bin/ldbsearch -H st/dc/private/sam.ldb '(objectclass=person)'
# record 1
dn: CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: LOCALDC
instanceType: 4
whenCreated: 20111005000123.0Z
uSNCreated: 3600
name: LOCALDC
objectGUID: 01cb8349-ff11-49ea-ab9d-6011afb44c95
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 129622464830000000
primaryGroupID: 516
objectSid: S-1-5-21-4122882817-868477147-3978206388-1000
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: LOCALDC$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.0.0alpha18-DEVELOPERBUILD
dNSHostName: localdc.samba.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=
com
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=exam
ple,DC=com
serverReferenceBL: CN=LOCALDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=samba,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31
servicePrincipalName: HOST/localdc.samba.example.com
servicePrincipalName: HOST/localdc.samba.example.com/SAMBADOMAIN
servicePrincipalName: ldap/localdc.samba.example.com/SAMBADOMAIN
servicePrincipalName: GC/localdc.samba.example.com/samba.example.com
servicePrincipalName: ldap/localdc.samba.example.com
servicePrincipalName: HOST/localdc.samba.example.com/samba.example.com
servicePrincipalName: ldap/localdc.samba.example.com/samba.example.com
servicePrincipalName: HOST/LOCALDC
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/9735e6ca-672f-44be-
95ab-21014e97a26a/samba.example.com
servicePrincipalName: ldap/9735e6ca-672f-44be-95ab-21014e97a26a._msdcs.samba.e
xample.com
servicePrincipalName: ldap/LOCALDC
servicePrincipalName: RestrictedKrbHost/LOCALDC
servicePrincipalName: RestrictedKrbHost/localdc.samba.example.com
servicePrincipalName: ldap/localdc.samba.example.com/DomainDnsZones.samba.exam
ple.com
servicePrincipalName: ldap/localdc.samba.example.com/ForestDnsZones.samba.exam
ple.com
whenChanged: 20111005000213.0Z
uSNChanged: 3734
distinguishedName: CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=example,DC=com

# record 2
dn: CN=LOCALRPCPROXY,CN=Computers,DC=samba,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: LOCALRPCPROXY
instanceType: 4
whenCreated: 20111005002050.0Z
uSNCreated: 6719
name: LOCALRPCPROXY
objectGUID: ea7e2e4f-830e-4cf1-9f84-a3a1c604d8aa
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-4122882817-868477147-3978206388-1221
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: LOCALRPCPROXY$
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=
com
sAMAccountType: 805306369
isCriticalSystemObject: FALSE
primaryGroupID: 515
pwdLastSet: 129622476500000000
displayName: LOCALRPCPROXY$
servicePrincipalName: HOST/localrpcproxy.samba.example.com
servicePrincipalName: HOST/LOCALRPCPROXY
dNSHostName: localrpcproxy.samba.example.com
msDS-SupportedEncryptionTypes: 31
userAccountControl: 16781312
msDS-AllowedToDelegateTo: cifs/localdc
whenChanged: 20111005002054.0Z
uSNChanged: 6732
distinguishedName: CN=LOCALRPCPROXY,CN=Computers,DC=samba,DC=example,DC=com

# record 3
dn: CN=RODC,OU=Domain Controllers,DC=samba,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: RODC
instanceType: 4
whenCreated: 20111005002342.0Z
displayName: RODC$
uSNCreated: 6747
name: RODC
objectGUID: 2f32fc2c-04e6-4693-b8bc-d2721d8b6ec1
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 521
objectSid: S-1-5-21-4122882817-868477147-3978206388-1223
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: RODC$
sAMAccountType: 805306369
dNSHostName: RODC.samba.example.com
managedBy: CN=Administrator,CN=Users,DC=samba,DC=example,DC=com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=
com
isCriticalSystemObject: TRUE
msDS-NeverRevealGroup: CN=Denied RODC Password Replication Group,CN=Users,DC=s
amba,DC=example,DC=com
msDS-NeverRevealGroup: CN=Administrators,CN=Builtin,DC=samba,DC=example,DC=com
msDS-NeverRevealGroup: CN=Server Operators,CN=Builtin,DC=samba,DC=example,DC=c
om
msDS-NeverRevealGroup: CN=Backup Operators,CN=Builtin,DC=samba,DC=example,DC=c
om
msDS-NeverRevealGroup: CN=Account Operators,CN=Builtin,DC=samba,DC=example,DC=
com
msDS-RevealOnDemandGroup: CN=Allowed RODC Password Replication Group,CN=Users,
DC=samba,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31
whenChanged: 20111005002343.0Z
msDS-KrbTgtLink: CN=krbtgt_2438,CN=Users,DC=samba,DC=example,DC=com
serverReferenceBL: CN=RODC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=samba,DC=example,DC=com
msDFSR-ComputerReferenceBL: CN=RODC,CN=Topology,CN=Domain System Volume,CN=DFS
R-GlobalSettings,CN=System,DC=samba,DC=example,DC=com
servicePrincipalName: HOST/RODC
servicePrincipalName: HOST/RODC.samba.example.com
servicePrincipalName: GC/RODC.samba.example.com/samba.example.com
servicePrincipalName: RestrictedKrbHost/RODC
servicePrincipalName: RestrictedKrbHost/RODC.samba.example.com
pwdLastSet: 129622478230000000
userAccountControl: 83890176
uSNChanged: 6781
distinguishedName: CN=RODC,OU=Domain Controllers,DC=samba,DC=example,DC=com

# Referral
ref: ldap://samba.example.com/CN=Configuration,DC=samba,DC=example,DC=com

# returned 10 records
# 9 entries
# 1 referrals

This example is using the same search expression as above, although requesting only the name and managedBy attributes. Because managedBy is only used within some records, the others will not attempt to display it.

username@computername:~/Samba/samba-master$ bin/ldbsearch -H st/dc/private/sam.ldb '(objectclass=person)' name managedby
# record 1
dn: CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=example,DC=com
name: LOCALDC

# record 2
dn: CN=LOCALRPCPROXY,CN=Computers,DC=samba,DC=example,DC=com
name: LOCALRPCPROXY

# record 3
dn: CN=RODC,OU=Domain Controllers,DC=samba,DC=example,DC=com
name: RODC
managedBy: CN=Administrator,CN=Users,DC=samba,DC=example,DC=com

# record 4
dn: CN=Administrator,CN=Users,DC=samba,DC=example,DC=com
name: Administrator

# record 5
dn: CN=S4MEMBER,CN=Computers,DC=samba,DC=example,DC=com
name: S4MEMBER

# record 6
dn: CN=dns-localdc,CN=Users,DC=samba,DC=example,DC=com
name: dns-localdc

# record 7
dn: CN=krbtgt_2438,CN=Users,DC=samba,DC=example,DC=com
name: krbtgt_2438

# record 8
dn: CN=krbtgt,CN=Users,DC=samba,DC=example,DC=com
name: krbtgt

# record 9
dn: CN=Guest,CN=Users,DC=samba,DC=example,DC=com
name: Guest

# Referral
ref: ldap://samba.example.com/CN=Configuration,DC=samba,DC=example,DC=com

# returned 10 records
# 9 entries
# 1 referrals

 

ldbmodify

Modifies a database according to the contents of an input file of LDIF composition.

Common input parameters:

-h help

-H ldburl

LDIF file

Example of usage:
username@computername:~/Samba/samba-master$ bin/ldbmodify -H st/dc/private/secrets.ldb LDIFfilename

The LDIF files used with ldbmodify are a special form of LDIF that specify what is to be changed, where, how, etc. An example is displayed below:


dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
n,c=TEST
changetype: modify
add: drink
drink: mango lassi
-
add: drink
drink: lemonade
-
delete: pager
-
replace: telephonenumber
telephonenumber: +61 2 6260 6012
telephonenumber: +61 412 666 929
-
delete: telephonenumber
telephonenumber: +61 2 6260 6012
-
delete: telephonenumber
telephonenumber: +61 412 666 929
-
add: telephonenumber
telephonenumber: +61 412 666 929

 
Note: Any line beginning with a space character is a continuation of the line immediately preceding it (which isn’t obvious in these examples). Comments are denoted by # (eg, # I am a comment). There are more example LDIF files used within the samba test suites available in <samba-source-directory>/lib/ldb/tests. The dn attribute determines which record is to be modified.
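A parser that reads this kind of modify LDIF, including folded continuation lines and # comments, and applies it to a record; an added example, not ldb's own LDIF code, with the starting record constructed and the error behaviour taken from standard LDAP modify semantics:

```python
"""Parser for the changetype: modify LDIF that ldbmodify consumes.
Added example, not ldb's LDIF code: it unfolds continuation lines (leading
space), drops # comments, splits changes on "-" and applies add/replace/delete
with LDAP modify semantics (RFC 4511). The starting record is constructed."""


def unfold(text):
    """Join continuation lines and drop comments/blank lines, returning logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#") and raw.strip():
            lines.append(raw)
    return lines


def _split(line):
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"expected 'name: value', got {line!r}")
    return name.strip(), value.strip()


def parse_modify(text):
    """Return (dn, [(op, attr, [values]), ...]) for one modify record."""
    lines = unfold(text)
    name, dn = _split(lines[0])
    if name != "dn" or _split(lines[1]) != ("changetype", "modify"):
        raise ValueError("expected 'dn:' followed by 'changetype: modify'")
    changes, i = [], 2
    while i < len(lines):
        op, attr = _split(lines[i])
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"unknown change {op!r}")
        values, i = [], i + 1
        while i < len(lines) and lines[i] != "-":
            name, value = _split(lines[i])
            if name.lower() != attr.lower():
                raise ValueError(f"{name!r} value inside '{op}: {attr}'")
            values.append(value)
            i += 1
        changes.append((op, attr, values))
        i += 1                                 # skip the "-" separator
    return dn, changes


def apply_changes(record, changes):
    """Return a new record with the changes applied, or raise ValueError."""
    rec = {k: list(v) for k, v in record.items()}
    for op, attr, values in changes:
        key = next((k for k in rec if k.lower() == attr.lower()), attr)
        current = rec.get(key, [])
        if op == "add":
            current = current + values
        elif op == "replace":
            current = list(values)
        elif not values:                       # delete with no values: whole attribute
            if key not in rec:
                raise ValueError(f"attribute '{attr}' doesn't exist")
            current = []
        else:                                  # delete of the named values only
            if any(v not in current for v in values):
                raise ValueError(f"'{attr}': no such value to delete")
            current = [v for v in current if v not in values]
        if current:
            rec[key] = current
        else:
            rec.pop(key, None)                 # no values left: attribute goes away
    return rec


# The example above, with the dn folded across two lines as LDIF writes it.
EXAMPLE_LDIF = """\
# constructed copy of the ldbmodify example
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
 n,c=TEST
changetype: modify
add: drink
drink: mango lassi
-
add: drink
drink: lemonade
-
delete: pager
-
replace: telephonenumber
telephonenumber: +61 2 6260 6012
telephonenumber: +61 412 666 929
-
delete: telephonenumber
telephonenumber: +61 2 6260 6012
-
delete: telephonenumber
telephonenumber: +61 412 666 929
-
add: telephonenumber
telephonenumber: +61 412 666 929
"""

# Constructed starting record for that dn.
START_RECORD = {"cn": ["Ursula Hampster"], "pager": ["+61 4 0000 0000"],
                "telephonenumber": ["+61 2 0000 0000"]}
```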

 

ldbedit

Allows editing of record/s within an ldb database. Instead of feeding it a premade LDIF file as per ldbmodify, ldbedit takes a bunch of parameters (including search strings if desired) and generates an LDIF file on the fly that can then be modified using the editor of your choice (given with the -e input). The edited LDIF file then forms the input for the ldbmodify operation.

Common input parameters:

-h help

-H ldburl

-s search scope

-b basedn

-a all

-e editor of choice (eg, vim, emacs, etc)

--verbose

LDAP style search expression

attributes

Example of usage:
username@computername:~/Samba/samba-master$ bin/ldbedit -e vim -H st/dc/private/sam.ldb '(samaccountname=guest)'

Would generate the following LDIF file, and display it within vim (ready for editing):


# editing 1 records
# record 1
dn: CN=Guest,CN=Users,DC=samba,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
instanceType: 4
whenCreated: 20111005000123.0Z
whenChanged: 20111005000123.0Z
uSNCreated: 3563
uSNChanged: 3563
name: Guest
objectGUID: c6be74bb-1b6f-411d-aba9-9efbe465136f
userAccountControl: 66082
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 514
objectSid: S-1-5-21-4122882817-868477147-3978206388-501
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Guest
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=co
m
isCriticalSystemObject: TRUE
memberOf: CN=Guests,CN=Builtin,DC=samba,DC=example,DC=com
distinguishedName: CN=Guest,CN=Users,DC=samba,DC=example,DC=com

Once the contents of this file have been changed and saved, the modify takes place. The generated LDIF file has comments denoting how many records are within it, and the beginning of each new record.

 

ldbadd

This tool takes an LDIF file and uses the contents to insert a new record into the LDB database. The distinguished name must be unique among all others within the database, and the LDIF file must comply with any applicable schema.

Common input parameters:

-h help

-H ldburl

LDIF file/s

Example of usage:
username@computername:~/Samba/samba-master$ bin/ldbadd -H st/dc/private/secrets.ldb LDIFfilename

 

ldbdel

This tool removes records from the database according to their distinguished name. An arbitrary number of records can be removed by giving additional dns on the command line, or by using wildcards.
Common input parameters:

-h help

-H ldburl

-r recursive. Can also use the --recursive control

dn of record/s to be deleted

Example of usage:
username@computername:~/Samba/samba-master$ bin/ldbdel -H st/dc/private/secrets.ldb [dn1] [dn2*] [dn...]

 

 

Hidden and Operational Attributes

All operational attributes are hidden, but not all hidden attributes are operational. These attributes are not particularly well hidden: they just don’t show up in a search that does not name them (the default, all-attributes case). You need to specify the name to get them.

Operational attributes are generated, not static. The data they hold is generated from other attributes or from system information. They are read-only.

There are some non-operational, but hidden attributes which may be read-only, read-write or there are even some that are write-only (for example, changing password).

The database schema information contains an attribute called “SystemFlags”, which allows multiple values. If one of the values within this field is ‘FLAG_ATTR_IS_OPERATIONAL’ then this is a hidden or operational attribute.

Some operational attributes are:

  • replPropertyMetaData
  • nTSecurityDescriptor
  • msDS-BridgeHeadServersUsed
  • msDS-Entry-Time-To-Die
  • msDS-USNLastSyncSuccess

For example, we can view the ntSecurityDescriptor data for a record as follows:

username@computername:~/Samba/samba-master$ bin/ldbsearch -H st/dc/private/sam.ldb '(&(objectclass=person)(name=Guest))' name ntsecuritydescriptor

# record 1
dn: CN=Guest,CN=Users,DC=samba,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIID;RP
;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU
)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00a
a003049e2;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-4
5bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf9
67aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c0
4fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-79a9-11
d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;59ba
2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;
CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa0030
49e2;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9
b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba
-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f
608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-85
4e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-
2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;
RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RPLCLORC;;bf967a9c
-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba-0de6-11d0-a285-00
aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CII
D;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDS
DSW;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6
-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1
;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
name: Guest

# Referral
ref: ldap://samba.example.com/CN=Configuration,DC=samba,DC=example,DC=com

# returned 2 records
# 1 entries
# 1 referrals
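Decoding the SDDL string above into the fields that the --show-binary output below prints, as an added example that is not Samba's code; the SAMPLE_SDDL subset, DOMAIN_SID and the trustees_with() helper are constructed for the demonstration:

```python
"""Decode the SDDL form of nTSecurityDescriptor into the fields that
--show-binary prints. Added example, not Samba's code. Constants are the
SEC_ACE_* / SEC_ADS_* values from the NDR dump; two-letter SID aliases are
resolved against the domain SID seen in the output. SDDL carries no
SELF_RELATIVE or *_DEFAULTED bits, so the computed type omits those."""
import re

ACE_TYPES = {"A": ("SEC_ACE_TYPE_ACCESS_ALLOWED", 0), "D": ("SEC_ACE_TYPE_ACCESS_DENIED", 1),
             "AU": ("SEC_ACE_TYPE_SYSTEM_AUDIT", 2), "OA": ("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT", 5),
             "OD": ("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT", 6), "OU": ("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT", 7)}
ACE_FLAGS = {"OI": ("SEC_ACE_FLAG_OBJECT_INHERIT", 0x01), "CI": ("SEC_ACE_FLAG_CONTAINER_INHERIT", 0x02),
             "NP": ("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT", 0x04), "IO": ("SEC_ACE_FLAG_INHERIT_ONLY", 0x08),
             "ID": ("SEC_ACE_FLAG_INHERITED_ACE", 0x10), "SA": ("SEC_ACE_FLAG_SUCCESSFUL_ACCESS", 0x40),
             "FA": ("SEC_ACE_FLAG_FAILED_ACCESS", 0x80)}
# Directory rights (SEC_ADS_*) in the low bits, standard and generic rights above them.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
          "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
          "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
# SEC_DESC_* type bits as (DACL bit, SACL bit).
SD_BITS = {"PRESENT": (0x0004, 0x0010), "AUTO_INHERIT_REQ": (0x0100, 0x0200),
           "AUTO_INHERITED": (0x0400, 0x0800), "PROTECTED": (0x1000, 0x2000)}
SID_ALIASES = {"WD": "S-1-1-0", "ED": "S-1-5-9", "PS": "S-1-5-10", "AU": "S-1-5-11",
               "SY": "S-1-5-18", "BA": "S-1-5-32-544", "AO": "S-1-5-32-548",
               "SO": "S-1-5-32-549", "BO": "S-1-5-32-551", "RU": "S-1-5-32-554",
               "DA": "{dom}-512", "DU": "{dom}-513", "CA": "{dom}-517",
               "EA": "{dom}-519", "RS": "{dom}-553"}


def resolve_sid(token, domain_sid):
    """Expand a two-letter alias; literal S-... SIDs pass through unchanged."""
    return token if token.startswith("S-") else SID_ALIASES[token].format(dom=domain_sid)


def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(text, domain_sid):
    """'(OU;CIIDSA;WP;guid;guid;WD)' -> dict mirroring struct security_ace."""
    ace_type, flags, rights, obj, inh_obj, trustee = text.strip("()").split(";")
    flag_bits = [ACE_FLAGS[f] for f in _pairs(flags)]
    mask = int(rights, 16) if rights.startswith("0x") else sum(RIGHTS[r] for r in _pairs(rights))
    return {"type": ACE_TYPES[ace_type], "flags": sum(b for _, b in flag_bits),
            "flag_names": [n for n, _ in flag_bits], "access_mask": mask,
            "object_type": obj or None, "inherited_object_type": inh_obj or None,
            "trustee": resolve_sid(trustee, domain_sid)}


def _split_sections(sddl):
    """Split at top-level O:/G:/D:/S: markers, never inside an ACE's parentheses."""
    sections, depth, cur, i = {}, 0, None, 0
    while i < len(sddl):
        c = sddl[i]
        if depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            cur, i = c, i + 2
            sections[cur] = ""
            continue
        depth += (c == "(") - (c == ")")
        sections[cur] += c
        i += 1
    return sections


def _parse_acl(text, domain_sid, is_sacl):
    flags = re.findall(r"AR|AI|P", text.split("(", 1)[0])   # control flags before the ACEs
    type_bits = SD_BITS["PRESENT"][is_sacl] | sum(SD_BITS[ACL_FLAGS[f]][is_sacl] for f in flags)
    aces = [parse_ace(a, domain_sid) for a in re.findall(r"\([^)]*\)", text)]
    return {"control": [ACL_FLAGS[f] for f in flags], "type_bits": type_bits, "aces": aces}


def parse_sddl(sddl, domain_sid):
    """Return owner, group, dacl, sacl and the SEC_DESC type bits that SDDL encodes."""
    s = _split_sections(sddl)
    sd = {"owner_sid": resolve_sid(s["O"], domain_sid) if "O" in s else None,
          "group_sid": resolve_sid(s["G"], domain_sid) if "G" in s else None,
          "dacl": _parse_acl(s["D"], domain_sid, 0) if "D" in s else None,
          "sacl": _parse_acl(s["S"], domain_sid, 1) if "S" in s else None}
    sd["type"] = sum(acl["type_bits"] for acl in (sd["dacl"], sd["sacl"]) if acl)
    return sd


def trustees_with(sd, right):
    """SIDs allowed `right` on the object (inherit-only ACEs excluded; object-type
    restrictions on OA ACEs are ignored, so this is an upper bound)."""
    bit = RIGHTS[right]
    return sorted({a["trustee"] for a in sd["dacl"]["aces"]
                   if a["type"][1] in (0, 5) and a["access_mask"] & bit
                   and not a["flags"] & ACE_FLAGS["IO"][1]})


# Constructed subset of the Guest nTSecurityDescriptor shown above.
DOMAIN_SID = "S-1-5-21-4122882817-868477147-3978206388"
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;PS)"
               "(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
               "bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
               "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
               "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
```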

The ntSecurityDescriptor field is saved in binary format, and we can view it in readable format by using the --show-binary option on the command line as follows:

username@computername:~/Samba/samba-master$ bin/ldbsearch -H st/dc/private/sam.ldb '(&(objectclass=person)(name=Guest))' name ntsecuritydescriptor --show-binary

# record 1
dn: CN=Guest,CN=Users,DC=samba,DC=example,DC=com
nTSecurityDescriptor: NDR: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x8c17 (35863)
1: SEC_DESC_OWNER_DEFAULTED
1: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
1: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
1: SEC_DESC_DACL_AUTO_INHERITED
1: SEC_DESC_SACL_AUTO_INHERITED
0: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid : S-1-5-21-4122882817-868477147-3978206388-512
group_sid : *
group_sid : S-1-5-21-4122882817-868477147-3978206388-512
sacl : *
sacl: struct security_acl
revision : SECURITY_ACL_REVISION_ADS (4)
size : 0x0078 (120)
num_aces : 0x00000002 (2)
aces: ARRAY(2)
aces: struct security_ace
type : SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT (7)
flags : 0x52 (82)
0: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
1: SEC_ACE_FLAG_INHERITED_ACE
0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
1: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0038 (56)
access_mask : 0x00000020 (32)
object : union security_ace_object_ctr(case 7)
object: struct security_ace_object
flags : 0x00000003 (3)
1: SEC_ACE_OBJECT_TYPE_PRESENT
1: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
type : union security_ace_object_type(case 1)
type : f30e3bbe-9ff0-11d1-b603-0000f80367c1
inherited_type : union security_ace_object_inherited_type(case 2)
inherited_type : bf967aa5-0de6-11d0-a285-00aa003049e2
trustee : S-1-1-0
aces: struct security_ace
type : SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT (7)
flags : 0x52 (82)
0: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
1: SEC_ACE_FLAG_INHERITED_ACE
0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
1: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0038 (56)
access_mask : 0x00000020 (32)
object : union security_ace_object_ctr(case 7)
object: struct security_ace_object
flags : 0x00000003 (3)
1: SEC_ACE_OBJECT_TYPE_PRESENT
1: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
type : union security_ace_object_type(case 1)
type : f30e3bbf-9ff0-11d1-b603-0000f80367c1
inherited_type : union security_ace_object_inherited_type(case 2)
inherited_type : bf967aa5-0de6-11d0-a285-00aa003049e2
trustee : S-1-1-0
dacl : *
dacl: struct security_acl
revision : SECURITY_ACL_REVISION_ADS (4)
size : 0x07d4 (2004)
num_aces : 0x0000002c (44)
aces: ARRAY(44)
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x000f01ff (983551)
object : union security_ace_object_ctr(case 0)
trustee : S-1-5-21-4122882817-868477147-3978206388-512
aces: struct security_ace
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x000f01ff (983551)
object : union security_ace_object_ctr(case 0)
trustee : S-1-5-18
##MASSIVE SNIP!!!
name: Guest

# Referral
ref: ldap://samba.example.com/CN=Configuration,DC=samba,DC=example,DC=com

# returned 2 records
# 1 entries
# 1 referrals

Note the MASSIVE SNIP: the full output contains a lot of information, and only a very small section is shown above. We will go into detail on what this data means and how it is used within Samba in a later post.

 

How LDB Indexing works

Indexing allows faster searching of a database, and most databases can be configured to index any frequently searched field or attribute of importance. LDB is no different. LDB keeps its indexing information in the @INDEXLIST record. The @INDEXLIST record can name multiple attributes to be indexed, and each of these is listed as an @IDXATTR attribute.

Indexes can be viewed, modified, inserted or deleted like any other database record. A schema defines which attributes should be indexed: edit the schema if you wish to change the index list, or edit @INDEXLIST directly if using a schema-less database. A database containing a full schema completely overrides the @INDEXLIST, which then becomes only an approximation of the index listing. The schema provides more detailed indexing instructions, such as how to sort/compare each attribute type.

LDB offers two types of indexing: attribute indexing and one-level indexing. Attribute indexing speeds up a search for a specific value of an attribute. One-level indexing speeds up searching all child objects of a given object; to support this, LDB keeps an index of every DN within the database and the child DNs thereof.

A planned addition to indexing is range indexing, where records within a range of integer values can be requested. This will be added to speed up a search used within replication, and will be discussed further when we get to replication.

LDB does not currently support prefix indexing, e.g. searching for “name=kell*”. This was decided because the loss in write performance was not worth the gain in read performance. It may be added in future versions if prefix searches are frequently required.

username@computername:~/Samba/samba-master$ bin/ldbsearch -H st/dc/private/secrets.ldb -s base -b @INDEXLIST

# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: flatname
@IDXATTR: realm
distinguishedName: @INDEXLIST

# returned 1 records
# 1 entries
# 0 referrals
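To make those index records concrete, here is a small Python model (added here; it is not Samba or ldb code) of how an @INDEXLIST of @IDXATTR values, the CASE_INSENSITIVE flags from @ATTRIBUTES and the resulting @INDEX:<ATTR>:<VALUE> records answer a search, built around the secrets.ldb index list shown above. Folding the indexed value for case-insensitive attributes and the @INDEX:@IDXONE:<parent> key used for one-level indexing are assumptions, and the extra records are constructed.

```python
"""Toy model of LDB attribute and one-level indexing (added example, not
Samba code). Layout follows the records shown on this page: @INDEXLIST names
indexed attributes in @IDXATTR values, @ATTRIBUTES flags CASE_INSENSITIVE
ones, and each index entry is a record @INDEX:<ATTR>:<VALUE> whose @IDX
values are the matching DNs (compare DN=@INDEX:FLATNAME:SAMBADOMAIN in the
tdbdump further down). Folding values of case-insensitive attributes and
the @INDEX:@IDXONE:<parent> key for one-level indexing are assumptions."""

import fnmatch


class ToyLdb:
    def __init__(self, index_list, attributes):
        self.idx_attrs = {a.lower() for a in index_list}          # @IDXATTR values
        self.flags = {a.lower(): f for a, f in attributes.items()}  # @ATTRIBUTES
        self.records = {}   # DN -> {attr: [values]}
        self.index = {}     # "@INDEX:..." record -> its @IDX values (DNs)

    def _ci(self, attr):
        return self.flags.get(attr.lower()) == "CASE_INSENSITIVE"

    def _index_key(self, attr, value):
        # assumption: attribute name always folded, value only if CASE_INSENSITIVE
        return "@INDEX:%s:%s" % (attr.upper(), value.upper() if self._ci(attr) else value)

    @staticmethod
    def _parent(dn):
        # naive RDN split; fine for DNs without escaped commas
        _rdn, sep, parent = dn.partition(",")
        return parent if sep else None

    def add(self, dn, attrs):
        self.records[dn] = attrs
        for attr, values in attrs.items():
            if attr.lower() in self.idx_attrs:
                for v in values:
                    self.index.setdefault(self._index_key(attr, v), []).append(dn)
        parent = self._parent(dn)
        if parent is not None:   # one-level index: children of each parent DN
            self.index.setdefault("@INDEX:@IDXONE:" + parent.upper(), []).append(dn)

    def _match(self, attr, value, pattern):
        if self._ci(attr):
            value, pattern = value.upper(), pattern.upper()
        return fnmatch.fnmatchcase(value, pattern) if "*" in pattern else value == pattern

    def _record_matches(self, rec, attr, pattern):
        return any(self._match(attr, v, pattern)
                   for a, vals in rec.items() if a.lower() == attr.lower() for v in vals)

    def search(self, attr, pattern):
        """Return (matching DNs, number of records read). Equality on an
        indexed attribute reads only the DNs named in one @INDEX record; an
        unindexed attribute or a prefix pattern (name=kell*) scans everything."""
        if attr.lower() in self.idx_attrs and "*" not in pattern:
            candidates = self.index.get(self._index_key(attr, pattern), [])
        else:
            candidates = list(self.records)
        hits = [dn for dn in candidates if self._record_matches(self.records[dn], attr, pattern)]
        return hits, len(candidates)

    def one_level(self, parent_dn):
        """Direct children of parent_dn straight from the one-level index."""
        return list(self.index.get("@INDEX:@IDXONE:" + parent_dn.upper(), []))


def build_sample_db():
    """secrets.ldb-like database: @INDEXLIST and @ATTRIBUTES as on this page,
    the SAMBADOMAIN record from the page plus constructed extra records."""
    db = ToyLdb(index_list=["cn", "flatname", "realm"],
                attributes={"cn": "CASE_INSENSITIVE", "flatname": "CASE_INSENSITIVE",
                            "realm": "CASE_INSENSITIVE", "sAMAccountName": "CASE_INSENSITIVE"})
    db.add("cn=Primary Domains", {"cn": ["Primary Domains"]})               # constructed
    db.add("flatname=SAMBADOMAIN,cn=Primary Domains",
           {"flatname": ["SAMBADOMAIN"], "realm": ["SAMBA.EXAMPLE.COM"],
            "samAccountName": ["LOCALDC$"]})
    db.add("flatname=OTHERDOM,cn=Primary Domains",                          # constructed
           {"flatname": ["OTHERDOM"], "realm": ["OTHER.EXAMPLE.COM"]})
    return db
```

`search()` reports how many records had to be read, which is the difference between an indexed equality lookup and the full scan that an unindexed attribute or a “kell*” prefix forces.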

 

rootDSE

The rootDSE provides user accessible metadata about the database. Some parts are pointers into the database, some parts are external references, some parts are information required to gather further information or to gain access to further information.

The rootDSE is the only record that can be accessed without authentication.

Within the rootDSE there are many numbers that look reasonably like this: 1.2.840.113556.1.4.800 – this is called an OID (or Object IDentifier). OIDs are widely used within many different protocols (not just LDAP), and there is a central authority for assigning OID-space. These OIDs are able to be searched on the internet to locate what they reference, for example a google search on 1.2.840.113556.1.4.800 returns http://www.oid-info.com/get/1.2.840.113556.1.4.800, which states: “If the RootDSE supportedCapabilities attribute contains this OID, it means the LDAP server is an Active Directory server (Win2k and later).”. Many OIDs are visible within the example rootDSE below, and each can be looked up to check for their meaning.

username@computername:~/Samba/samba-master$ bin/ldbsearch -H ldap://localhost -s base -b ''

# record 1

dn:
configurationNamingContext: CN=Configuration,DC=samba,DC=example,DC=com
defaultNamingContext: DC=samba,DC=example,DC=com
rootDomainNamingContext: DC=samba,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Samba Team (http://samba.org)
isSynchronized: TRUE
dsServiceName: CN=NTDS Settings,CN=COMPUTERNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
serverName: CN=COMPUTERNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
dNSHostName: computername.samba.example.com
ldapServiceName: samba.example.com:computername$@SAMBA.EXAMPLE.COM
currentTime: 20111005012227.0Z
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1341
namingContexts: DC=samba,DC=example,DC=com
namingContexts: CN=Configuration,DC=samba,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
highestCommittedUSN: 3731
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 4
isGlobalCatalogReady: TRUE

# returned 1 records
# 1 entries
# 0 referrals

An excellent source of what the rootDSE contains is available at http://www.techgalaxy.net/Docs/Dev/LDAPv3%20RootDSE%20Overview.htm

Some parts of the rootDSE important to Samba are:
The naming contexts are extremely important within Active Directory. They form sub-sections of the database, each of which one would reasonably expect to contain a relevant subset of the data. For example, configurationNamingContext points to where all configuration data may be found, defaultNamingContext locates other subsections such as users, and schemaNamingContext points to the location of the schema information. On that last example, all of the contents of the schema lie within the subtree given by the schemaNamingContext, so the database is “introspective”: you need to look within the database for a description of itself. Users can query this subtree of the database to learn how the database as a whole should look and behave.

supportedCapabilities uses OIDs to describe what capabilities the server has.

supportedLDAPVersion displays which varieties of LDAP this server supports.

isSynchronized contains TRUE if replicated.

dsServiceName is critical in Active Directory. Each server in AD has an NTDS (New Technology Directory Services) settings object holding the settings specific to that particular server, and dsServiceName contains the DN of that object. These settings are not kept within the rootDSE because of replication: the rootDSE is not replicated, but the configuration partition is replicated across the whole forest, and keeping these settings within a replicated partition gives every domain controller fast access to everyone else’s settings, i.e. to see capabilities, etc.

serverName points to an object that contains information such as server, DNS settings, netbios settings, etc.

dNSHostName is included within the rootDSE because Kerberos relies upon knowing the hostname to correctly authenticate, so we need access to this information BEFORE we can authenticate, therefore it needs to be located within a record that needs no authentication, thus the rootDSE.

supportedControl uses OIDs to describe what controls are supported by the server. Controls are a way that an LDAP client can ask for different behaviour for a particular operation from a server. There are only a few controls that an AD administrator might want to use, but controls can be very useful for developers. More information on these controls will be included in a later post.

namingContexts lists the sub-sections, or partitions, of the database. The significance is that a search will, by default, not cross a naming context boundary. A naming context can be a child of another, in a hierarchy, and a search that starts at a lower level will not, by default, cross boundaries into other naming contexts. The --cross-ncs option (the phantom root option, so called because it effectively declares the root of the subtree to be at a higher level even though we are searching from lower down) allows a search to cross these boundaries.

highestCommittedUSN declares how many changes have been made to this database.

domainFunctionality and forestFunctionality: when Microsoft changes the way AD works it adds a new functionality level, and these attributes state which functionality level this installation has been upgraded to.
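As an added example (not Samba code), the following Python parses a rootDSE as ldbsearch prints it and applies the naming context rules described above: which partition holds a given DN, and which partitions a subtree search would stop at without --cross-ncs. The sample rootDSE is trimmed from the output above; the suffix-matching logic is a model of the behaviour described, not ldb's own implementation.

```python
"""Parse a rootDSE as printed by ldbsearch and reason about naming contexts
(added example, not Samba code). The sample below is trimmed from the rootDSE
shown on this page; the partition logic models the behaviour the text
describes for --cross-ncs, not ldb's implementation."""

import base64

# OID quoted on this page: present in supportedCapabilities on Active
# Directory servers (Win2k and later).
LDAP_CAP_ACTIVE_DIRECTORY_OID = "1.2.840.113556.1.4.800"


def parse_ldif(text):
    """Return a list of records, each {attr: [values]}, from ldbsearch/LDIF
    output. Handles '#' comments, ':: base64' values and folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:                      # trailing "" closes the last record
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip(), []).append(value)
    return records


def _components(dn):
    # lower-cased, trimmed RDN list; fine for DNs without escaped commas
    return [c.strip().lower() for c in dn.split(",")] if dn.strip() else []


def dn_within(dn, base):
    """True if dn is base itself or lies somewhere beneath it."""
    d, b = _components(dn), _components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def naming_context_for(dn, naming_contexts):
    """The partition holding dn: the most specific naming context that is a
    suffix of dn, or None if dn lies outside every partition."""
    holders = [nc for nc in naming_contexts if dn_within(dn, nc)]
    return max(holders, key=lambda nc: len(_components(nc))) if holders else None


def child_naming_contexts(base, naming_contexts):
    """Partitions strictly below a search base. A subtree search from base
    stops at these boundaries unless --cross-ncs is given."""
    return [nc for nc in naming_contexts
            if dn_within(nc, base) and _components(nc) != _components(base)]


def is_active_directory(rootdse):
    return LDAP_CAP_ACTIVE_DIRECTORY_OID in rootdse.get("supportedCapabilities", [])


# Trimmed from the ldbsearch rootDSE output on this page.
SAMPLE_ROOTDSE = """\
# record 1
dn:
configurationNamingContext: CN=Configuration,DC=samba,DC=example,DC=com
defaultNamingContext: DC=samba,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
vendorName: Samba Team (http://samba.org)
namingContexts: DC=samba,DC=example,DC=com
namingContexts: CN=Configuration,DC=samba,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com

# returned 1 records
"""
```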

 

Other

During the making of this post, a bug was discovered within ldbedit that left a transaction open when an edit failed. The following patch was created to address this problem:

commit fc7d7ea4b56db01766491f6ec1a4b6b0c35cd188
Author: Kelly Yeoh
Date: Wed Oct 5 11:26:20 2011 +1030

ldb: Fix transaction cancel on failed ldbedit
When ldbedit fails to modify a record, it needs to cancel the transaction
to ensure that no transactions are left open on exit.

diff --git a/lib/ldb/tools/ldbedit.c b/lib/ldb/tools/ldbedit.c
index aaf6d80..cf4ab3f 100644
--- a/lib/ldb/tools/ldbedit.c
+++ b/lib/ldb/tools/ldbedit.c

@@ -152,6 +152,7 @@ static int merge_edits(struct ldb_context *ldb,
if (ret != -1) {
modifies += (unsigned int) ret;
} else {
+ ldb_transaction_cancel(ldb);
return -1;
}
}
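Review bot: the return value of the added ldb_transaction_cancel(ldb) call in the else branch is discarded, so a failed cancel is silent while merge_edits still returns -1; consider recording it (for example via the ldb error string) before the return. Also confirm that no caller of merge_edits cancels the same transaction when it sees -1, otherwise this becomes a double cancel.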

 

Coming up:

  • Magic @ records
  • Partitions
  • LDB controls
  • Operational attributes
  • Credentials
  • ACLs
  • Module chaining
  • Linked attributes

Samba and virtual machines – part 1. VirtualBox

  • November 14, 2011 10:34 am

As a brief interlude from our LDB explorations/waffle, I thought I’d throw in some Virtual Machine randomness. Samba works across many platforms, and it would be ridiculous for every developer to have a box for every operating system that we need to work with, so we solve that by running these operating systems within virtual machines on far fewer real machines. I’ve been meaning to do some posts on different VMs that one might use, and the best setup for using with Samba. As such, here we will take a looky at Oracle VirtualBox. I’ll add the likes of KVM and QEMU some time in the relatively near future.

I may add some screen shots at some stage.

Oracle VirtualBox

This is to help ensure that your virtualbox setup is going to work well with Samba. There are a few nuances with some of the settings that may cause problems further down the track, and getting it right from the start can be a huge time saver.

If you already have a virtual machine set up using VirtualBox, you must ensure that it is powered down before you can edit the settings. The settings button will be greyed out for any machine in a saved/running state.

 

Downloading/Installing

The VirtualBox website has the installs available for download, or instructions on installing for debian/ubuntu and rpm based distros.
http://www.virtualbox.org/wiki/Linux_Downloads

 

Creating a new virtual machine

To run from the command prompt:
$ virtualbox

Alternatively there may be an icon available within your GUI from the applications menu, likely under System Tools.

The “Oracle VM VirtualBox Manager” window is the main screen of the application. It displays a list of available virtual machines on the left (empty if you have not created any), and information about the currently selected machine on the right. There are buttons at the top of the screen for adding, removing, manipulating or starting virtual machines.

  • Click the “new” button, then Next.
  • Insert a name for your virtual machine (something that makes sense for what its function shall be), and select the operating system that it will be running (the OS selection determines the logo displayed for ease of identification and use). Click Next
  • Use the slider to select Base Memory Size, or insert text directly into the text box to the right of the slider. Something between 512 and 1024 should suffice. More is better, keeping in mind that you may want to run multiple virtual machines at once and how much memory you have available on your system. Click Next
  • Ensure “Boot Hard Disk” is selected, and “Create new hard disk”. Click Next, then Next again as you enter the Create New Virtual Disk Wizard
  • Select Dynamically expanding storage as this will create a small file that only expands to use real disk space as it is needed, up to your determined upper limit which is yet to be set. Click Next
  • The Location is the file name and location that you wish to use to save your virtual disk to. It defaults to the name of your virtual machine at “$home/VirtualBox VMs/”. Use the slider to set the upper limit size for your virtual disk, or insert text directly into the text box to the right of the slider. 20GB should suffice. Click Next
  • A summary of your new disk will be displayed. Click Finish.
  • A summary of your new virtual machine will be displayed. Click Finish.

 

Setting up the virtual machine

Looking at the “Oracle VM VirtualBox Manager” window, you should now see your new virtual machine listed to the left of the screen. If you click it you can see information about it to the right of the screen. Now we need to ensure that it is set up sanely to work with Samba.

  • Ensure that your new virtual machine is selected, click the “Settings” button at the top of the window. A smaller window is displayed with a list of settings categories to the left, and changeable attributes to the right.
  • Select the “System” category. This allows you to modify the base memory used if required, and also the boot order. Assuming that you will be using an ISO file as your windows installation media, change the boot order to boot from CD/DVD-ROM, then Hard Disk (select the drive you wish to manipulate, then use the up and down arrows accordingly). Deselect any other drives as they are unnecessary and only increase boot time while seeking media.
  • Select the “Storage” category. This displays a Storage Tree to the left where we can see what disks are currently setup for the environment, and a list of attributes for those disks to the right.
    • Set up the CD/DVD-ROM to point to your ISO
      • Select the Empty CD/DVD icon within the Storage Tree
      • Within the Attributes section of the screen, click the CD/DVD icon/button to select where the CD/DVD media will be found
      • Choose a virtual CD/DVD disk file
      • Locate your ISO file and click the “Open” button at the bottom-right of the window.
    • Change your Hard Disk to be IDE
      • Select the IDE Controller from within the Storage Tree
      • Click the “Add Hard Disk” button to the right of the IDE Controller, or click the “Add Attachment” button below the Storage Tree, then “Add Hard Disk”.
      • Click “Choose existing disk”
      • Locate your virtual disk (default at $home/VirtualBox Vms/”nameOfVirtualMachine.vdi”), then click the “Open” button at the bottom-right of the window.
    • Remove the SATA drive – you will notice some red text on your window reading “Invalid settings detected” so long as you have both the SATA and the IDE drive pointing to the same virtual disk.
      • Select the SATA disk and click the “Remove Attachment” button below the Storage Tree
      • Select the SATA Controller and click the “Remove Controller” button below the Storage Tree.
  • Select the “Audio” category, deselect “Enable Audio”
  • Select the “Network” category
    • Ensure that “Attached to” is set to “Bridged Adapter” and NOT NAT
    • Select eth0 in the “Name” list
  • Click “OK” to save these settings. Review changes on the right side of the Oracle VM VirtualBox Manager.

 

Installing Windows

Select your virtual machine from the Oracle VM VirtualBox Manager window, then click the “Start” button at the top of the window. This will boot the machine from the CD/DVD-ROM as per your setup, and assuming that everything has been done correctly will begin the Windows Install process. Work your way through the wizard, and then when it gets to copying/expanding files it’s a great time to get a tea or coffee ;)

You will notice that you cannot use your mouse within your virtual machine until you click within the window somewhere. It then steals your mouse (you can only use it within your virtual machine window) until you press the right-ctrl key on your keyboard. This can be fixed after the install is complete.

Once the install has finished it will reboot and request that you insert a new password. To log in to windows thereafter you will need to press “Ctrl-Alt-Del” to bring up the login screen, but the virtual machine won’t accept the character combination when pressed from your keyboard. This is solved by clicking the “Machine” menu at the top of the screen, then selecting “Insert Ctrl-Alt-Del”. You will need to ensure that the virtual machine is not controlling your mouse to perform this function.

 

When Windows is installed and working

      • FREE YOUR MOUSE!!! Click on the “Devices” menu at the top of your virtual windows environment (ensure that it isn’t controlling your mouse at the time), then select “Install Guest Additions”. This will install some software to make your virtual machine behave a little more sanely, including freeing your mouse pointer so that it no longer gets captured by the window and can be freely moved and used as normal.
      • Change the boot order so that your machine no longer attempts to boot from CD/DVD-ROM. It will no longer attempt to install windows as the virtual CD/DVD is now pointing to the file required for “Install Guest Additions”. Regardless of this, it is faster to boot directly from Hard Disk rather than test for other bootable media before booting from Hard Disk.
        • Power down your windows environment if running. The “Settings” button is greyed out and inaccessible for a running machine.
        • Select your virtual machine from the Oracle VM VirtualBox Manager and click the “Settings” button.
        • Select the “System” category
        • Move the Hard Disk to the top location within the boot order, and deselect the CD/DVD-ROM
        • Click “OK” to save
      • Take Snapshots. These are an excellent way of being able to boot your machine at any given state. A good time for a first snapshot is when you have a fully functioning windows environment with guest additions, logged in. This will save the need to insert the ctrl-alt-del characters from the menu
        • Get your machine to the state you wish to save it in, then click the “machine” menu at the top of the screen, select “Take Snapshot”
        • Give your snapshot an appropriate name that well describes the current state. You will probably take multiple snapshots along the way, so it is useful to be able to determine which does what. Add a description if so desired.
        • Click the “OK” button to save

At this point you should have a sanely working VirtualBox Windows environment perfect for use with Samba.

New computer!!!

  • November 10, 2011 11:04 am

I finally bit the bullet and purchased some new hardware. My work laptop keeps freezing up continuously, and it was likely never going to be thrilled about running everything that I would be needing to run on it. So, I now have a sexy new desktop capable of doing all that I want (and then some), running smoothly across my 2*24″ wide screens at 1920*1200 resolution. This is fun!!!

Specs:

  • Intel Core i5-2500 3.3Ghz 1155pin
  • Patriot Gamer2 DDR3 (16 GB thereof FTW!!)
  • ASUS P8Z68-V Z68 DDR3 Intel 1155pin motherboard
  • Gigabyte 1Gb 6870 PCI-E VGA card
  • WD Green 2TB HDD
  • Blu-ray writer

Running Ubuntu 11.10 quite happily, although am yet to determine my preference for window manager… So far they all irk me in one way or another. (It may also have a windows partition for iTunes and gaming... Just quietly...)

This should quite joyfully run all my VMs for Samba dev work :)

Overall, happy :)



LDB part 1 (of god only knows how many!!!) – Introduction

  • November 2, 2011 12:37 am

LDB Posts

 

Introduction

LDB is the database engine used within Samba. It is a light-weight, LDAP-*like* database, but not completely LDAP compliant.

Raw LDB is not even close to LDAP compliant; we use modules to ensure compliance. We aim for LDAP compliance wherever it does not conflict with Samba’s higher priority, which is Active Directory compliance.

LDB is transactional (allowing multiple changes to be made to ensure that changes all are applied as expected prior to committing them to the database, if an error occurs all changes are backed out and the database is left “untouched”) and modular (allowing different information or functionality to be added or removed according to how a database is needed to perform).

The main LDB website is located at http://ldb.samba.org

All of the examples listed below will be using the ldb databases created by the self test suite included with Samba. These databases are located at {samba_build_directory}/st/dc/private/

 

What is LDAP?

The Lightweight Directory Access Protocol is the dominant directory technology used by organisations around the world to manage their, well, organisation: all of their directory services (person information, IT information such as machine details and print services, and any other business information that needs to be “directoried”). Many large companies use LDAP within their server and business tools, e.g. IBM, Oracle, HP and Novell, to name but a few.

LDAP is an incredibly complex protocol, and there are many books and RFCs available to read about it. The RFC probably most of note is this one: RFC4511 – Lightweight Directory Access Protocol (LDAP): The Protocol

Since this post aims to address LDB, I’ll go further into LDAP and how we use it at a later date. For now, some basic LDAP information (and some nice links) are available here: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

 

Active Directory

Active Directory is a Microsoft product, based around LDAP, but uses other pieces to make up the whole such as Kerberosv5, DNS, MS-RPC, SMB (CIFS). Other protocols are used within Active Directory, but these form the major components.

These components are used as follows:

  • LDAP: the database
  • Kerberos: the authentication system
  • DNS: machine names. Not as trivial as may be expected; this forms a fairly large part of AD and will probably warrant its own post in the near future. If you want this, and I forget, ping me!! Really :)
  • MS-RPC: remote procedure calls. If you can’t do **something** over LDAP you can generally use MS-RPC. With MS-RPC, you create a protocol specification using IDL files, compiled using IDL compilers, which creates a remote protocol procedure for RPC calls. This also warrants its own post to demonstrate why, how, where, etc. Soon!
  • SMB/CIFS: file sharing

There are several sources of information available on Active Directory. Microsoft has many useful documents available here:
http://msdn.microsoft.com/en-us/library/gg258393%28v=PROT.13%29.aspx

And probably the one of most use, particularly within the Samba team, is the Active Directory Technical Specification. For example, this document gives valuable information about the database schema which is useful for ensuring compatibility with data sources within Samba (see section 3.1.1.3.1.1 Schema, page 123 of 521, using version 30.0 of the document, released 23rd September 2011)
http://msdn.microsoft.com/en-us/library/cc223122%28v=PROT.13%29.aspx

 

TDB

TDB is the Trivial DataBase. This is a very simple key/value pair database (where each record has a key and some data associated with that key). TDB stores data in binary format, and supports transactions.

The main TDB website is located at http://tdb.samba.org

Some basic operations:

  • tdb_open: opens a database
  • tdb_close: closes a database
  • tdb_delete: deletes the record with a given key
  • tdb_exists: checks for the existence of a record with a given key
  • tdb_fetch: retrieves the record with a given key
  • tdb_store: inserts, modifies or replaces a record

TDB also offers other functionality, such as enumerating all records by asking for a list of all keys, or starting a transaction, performing any number of operations and then cancelling or committing the transaction.

Some typical tdb data might look as follows (taken from the samba secrets.ldb database used with the self test suite). This clearly displays the key and value pair of each record, with each record delimited by curly braces (in a dump format):

username@computername:~/Samba/samba-master$ tdbdump st/dc/private/secrets.ldb
{
key(12) = "DN=@MODULES\00"
data(45) = "g\19\01&\01\00\00\00@MODULES\00@LIST\00\01\00\00\00\0D\00\00\00samba_secrets\00"
}
{
key(43) = "DN=FLATNAME=SAMBADOMAIN,CN=PRIMARY DOMAINS\00"
data(702) = "g\19\01&\11\00\00\00flatname=SAMBADOMAIN,cn=Primary Domains\00msDS-KeyVersionNumber\00\01\00\00\00\01\00\00\001\00objectClass\00\03\00\00\00\03\00\00\00top\00\0D\00\00\00primaryDomain\00\0E\00\00\00kerberosSecret\00objectSid\00\01\00\00\00\18\00\00\00\01\04\00\00\00\00\00\05\15\00\00\00\013\BE\F5\DB\E8\C33\B4\9C\1E\ED\00privateKeytab\00\01\00\00\00\0E\00\00\00secrets.keytab\00realm\00\01\00\00\00\11\00\00\00SAMBA.EXAMPLE.COM\00saltPrincipal\00\01\00\00\000\00\00\00host/localdc.samba.example.com@SAMBA.EXAMPLE.COM\00samAccountName\00\01\00\00\00\08\00\00\00LOCALDC$\00secret\00\01\00\00\00\11\00\00\00machinelocDCpass1\00secureChannelType\00\01\00\00\00\01\00\00\006\00servicePrincipalName\00\02\00\00\00\0C\00\00\00HOST/localdc\00\1E\00\00\00HOST/localdc.samba.example.com\00objectGUID\00\01\00\00\00\10\00\00\00H\D9_\D5+\E3\C0G\B7\CF\F6\FB\B1m\EB\1E\00whenCreated\00\01\00\00\00\11\00\00\0020111005000140.0Z\00whenChanged\00\01\00\00\00\11\00\00\0020111005000140.0Z\00uSNCreated\00\01\00\00\00\01\00\00\007\00uSNChanged\00\01\00\00\00\01\00\00\007\00name\00\01\00\00\00\0B\00\00\00SAMBADOMAIN\00flatname\00\01\00\00\00\0B\00\00\00SAMBADOMAIN\00"
}
{
key(31) = "DN=@INDEX:FLATNAME:SAMBADOMAIN\00"
data(111) = "g\19\01&\02\00\00\00@INDEX:FLATNAME:SAMBADOMAIN\00@IDXVERSION\00\01\00\00\00\01\00\00\002\00@IDX\00\01\00\00\00'\00\00\00flatname=SAMBADOMAIN,cn=Primary Domains\00"
}
{
key(15) = "DN=@ATTRIBUTES\00"
data(153) = "g\19\01&\04\00\00\00@ATTRIBUTES\00cn\00\01\00\00\00\10\00\00\00CASE_INSENSITIVE\00flatname\00\01\00\00\00\10\00\00\00CASE_INSENSITIVE\00realm\00\01\00\00\00\10\00\00\00CASE_INSENSITIVE\00sAMAccountName\00\01\00\00\00\10\00\00\00CASE_INSENSITIVE\00"
}

Note: this contains only a small section of the data returned from the secrets.ldb database.

Within Samba, the key is always the distinguished name (DN) for an object, and the data contains all of the attributes for that object. Every object in LDAP has a distinguished name that distinguishes it from any other (unique, as the name would suggest ;) ).

 

How LDB uses TDB

LDB basically sits on top of TDB and manipulates the data into an LDAP-like structure. As a very basic example, we can imagine a stack like structure with TDB residing at the base, then LDB modules are stacked on top that describe the functionality or rules required for this database (for example, schema information), and the LDB API sits on top taking and servicing requests.

So where TDB uses a key/value pair that is quite confusing to look at:

{
key(43) = "DN=FLATNAME=SAMBADOMAIN,CN=PRIMARY DOMAINS\00"
data(702) = "g\19\01&\11\00\00\00flatname=SAMBADOMAIN,cn=Primary Domains\00msDS-KeyVersionNumber\00\01\00\00\00\01\00\00\001\00objectClass\00\03\00\00\00\03\00\00\00top\00\0D\00\00\00primaryDomain\00\0E\00\00\00kerberosSecret\00objectSid\00\01\00\00\00\18\00\00\00\01\04\00\00\00\00\00\05\15\00\00\00\013\BE\F5\DB\E8\C33\B4\9C\1E\ED\00privateKeytab\00\01\00\00\00\0E\00\00\00secrets.keytab\00realm\00\01\00\00\00\11\00\00\00SAMBA.EXAMPLE.COM\00saltPrincipal\00\01\00\00\000\00\00\00host/localdc.samba.example.com@SAMBA.EXAMPLE.COM\00samAccountName\00\01\00\00\00\08\00\00\00LOCALDC$\00secret\00\01\00\00\00\11\00\00\00machinelocDCpass1\00secureChannelType\00\01\00\00\00\01\00\00\006\00servicePrincipalName\00\02\00\00\00\0C\00\00\00HOST/localdc\00\1E\00\00\00HOST/localdc.samba.example.com\00objectGUID\00\01\00\00\00\10\00\00\00H\D9_\D5+\E3\C0G\B7\CF\F6\FB\B1m\EB\1E\00whenCreated\00\01\00\00\00\11\00\00\0020111005000140.0Z\00whenChanged\00\01\00\00\00\11\00\00\0020111005000140.0Z\00uSNCreated\00\01\00\00\00\01\00\00\007\00uSNChanged\00\01\00\00\00\01\00\00\007\00name\00\01\00\00\00\0B\00\00\00SAMBADOMAIN\00flatname\00\01\00\00\00\0B\00\00\00SAMBADOMAIN\00"
}

LDB would output the same record as follows, in a much more readable fashion. Note that the distinguishedName at the end is not one of the 17 elements in the packed value (the \11\00\00\00 following the magic is the element count); LDB adds it when it returns the record:

dn: flatname=SAMBADOMAIN,cn=Primary Domains
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-4122882817-868477147-3978206388
privateKeytab: secrets.keytab
realm: SAMBA.EXAMPLE.COM
saltPrincipal: host/localdc.samba.example.com@SAMBA.EXAMPLE.COM
samAccountName: LOCALDC$
secret: machinelocDCpass1
secureChannelType: 6
servicePrincipalName: HOST/localdc
servicePrincipalName: HOST/localdc.samba.example.com
objectGUID: d55fd948-e32b-47c0-b7cf-f6fbb16deb1e
whenCreated: 20111005000140.0Z
whenChanged: 20111005000140.0Z
uSNCreated: 7
uSNChanged: 7
name: SAMBADOMAIN
flatname: SAMBADOMAIN
distinguishedName: flatname=SAMBADOMAIN,cn=Primary Domains
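To make the packing concrete, here is a small decoder for the record layout visible in the dump above. It is an added example written for this post, not code from Samba or ldb. The sample record is the secrets.ldb value from the dump, transcribed into a bytes literal (702 bytes, matching data(702)); the magic 0x26011967 is read straight off the first four bytes. Special-casing objectSid and objectGUID by attribute name is a simplification of what Samba's per-syntax LDIF handlers do, and the bounds checks are there because the lengths inside the value are untrusted input as far as a parser is concerned.

```python
import struct
import uuid

LDB_PACKING_FORMAT = 0x26011967  # the "g\x19\x01&" magic that opens every packed record

# The secrets.ldb value from the dump above, transcribed into a bytes literal so the
# decoder runs offline (constructed sample input; 702 bytes, matching data(702)).
SAMPLE_RECORD = (
    b"g\x19\x01&"                                   # packing format magic, little-endian
    b"\x11\x00\x00\x00"                             # element (attribute) count: 17
    b"flatname=SAMBADOMAIN,cn=Primary Domains\x00"  # the DN, NUL-terminated
    # per element: name\0, uint32 value count, then per value uint32 length, bytes, \0
    b"msDS-KeyVersionNumber\x00\x01\x00\x00\x00\x01\x00\x00\x001\x00"
    b"objectClass\x00\x03\x00\x00\x00"
    b"\x03\x00\x00\x00top\x00\x0d\x00\x00\x00primaryDomain\x00\x0e\x00\x00\x00kerberosSecret\x00"
    b"objectSid\x00\x01\x00\x00\x00\x18\x00\x00\x00"
    b"\x01\x04\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x013\xbe\xf5\xdb\xe8\xc33\xb4\x9c\x1e\xed\x00"
    b"privateKeytab\x00\x01\x00\x00\x00\x0e\x00\x00\x00secrets.keytab\x00"
    b"realm\x00\x01\x00\x00\x00\x11\x00\x00\x00SAMBA.EXAMPLE.COM\x00"
    b"saltPrincipal\x00\x01\x00\x00\x000\x00\x00\x00"
    b"host/localdc.samba.example.com@SAMBA.EXAMPLE.COM\x00"
    b"samAccountName\x00\x01\x00\x00\x00\x08\x00\x00\x00LOCALDC$\x00"
    b"secret\x00\x01\x00\x00\x00\x11\x00\x00\x00machinelocDCpass1\x00"
    b"secureChannelType\x00\x01\x00\x00\x00\x01\x00\x00\x006\x00"
    b"servicePrincipalName\x00\x02\x00\x00\x00\x0c\x00\x00\x00HOST/localdc\x00"
    b"\x1e\x00\x00\x00HOST/localdc.samba.example.com\x00"
    b"objectGUID\x00\x01\x00\x00\x00\x10\x00\x00\x00"
    b"H\xd9_\xd5+\xe3\xc0G\xb7\xcf\xf6\xfb\xb1m\xeb\x1e\x00"
    b"whenCreated\x00\x01\x00\x00\x00\x11\x00\x00\x0020111005000140.0Z\x00"
    b"whenChanged\x00\x01\x00\x00\x00\x11\x00\x00\x0020111005000140.0Z\x00"
    b"uSNCreated\x00\x01\x00\x00\x00\x01\x00\x00\x007\x00"
    b"uSNChanged\x00\x01\x00\x00\x00\x01\x00\x00\x007\x00"
    b"name\x00\x01\x00\x00\x00\x0b\x00\x00\x00SAMBADOMAIN\x00"
    b"flatname\x00\x01\x00\x00\x00\x0b\x00\x00\x00SAMBADOMAIN\x00"
)

def _cstring(buf, pos):
    """Return (bytes up to the next NUL, position just past that NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1

def unpack_ldb_record(buf):
    """Decode one packed LDB value into (dn, [(attribute, [raw values]), ...])."""
    magic, count = struct.unpack_from("<II", buf, 0)
    if magic != LDB_PACKING_FORMAT:
        raise ValueError("not an LDB packed record (magic 0x%08x)" % magic)
    dn, pos = _cstring(buf, 8)
    elements = []
    for _ in range(count):
        name, pos = _cstring(buf, pos)
        (num_values,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        values = []
        for _ in range(num_values):
            (length,) = struct.unpack_from("<I", buf, pos)
            pos += 4
            # bounds check before trusting the length: the NUL must sit inside the buffer
            if pos + length >= len(buf) or buf[pos + length] != 0:
                raise ValueError("value of %r runs past the record or lacks its NUL" % name)
            values.append(buf[pos:pos + length])
            pos += length + 1
        elements.append((name.decode("utf-8"), values))
    if pos != len(buf):
        raise ValueError("%d trailing bytes after the last element" % (len(buf) - pos))
    return dn.decode("utf-8"), elements

def sid_to_string(raw):
    """Binary SID: revision, sub-authority count, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID of %d bytes cannot hold %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def to_ldif(dn, elements):
    """Render the record the way ldbsearch shows it. objectSid and objectGUID are
    stored as raw bytes; decoding them by attribute name here stands in for the
    per-syntax LDIF handlers Samba registers with ldb."""
    lines = ["dn: " + dn]
    for name, values in elements:
        for value in values:
            if name == "objectSid":
                text = sid_to_string(value)
            elif name == "objectGUID":
                text = str(uuid.UUID(bytes_le=value))  # AD keeps GUIDs in mixed-endian order
            else:
                text = value.decode("utf-8")
            lines.append("%s: %s" % (name, text))
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_ldif(*unpack_ldb_record(SAMPLE_RECORD)))
```

Running it reproduces the ldbsearch listing above, minus the synthesised distinguishedName line, with the SID and GUID rendered from their 24 and 16 raw bytes. The machine account secret comes out in the clear, exactly as it is stored, which is worth keeping in mind when deciding who may read secrets.ldb.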


LDB Modules

Modules can be stacked on top of each other to add rules or functionality. For example, a schema can be added as a module so that the data in a database must comply with a set of rules, which is how a database can be forced to be entirely LDAP compliant.

Another example of a module used with LDB is the password hash module. This sits between the database and the LDB API, checks that a new password meets the password policy, and turns a clear-text password change into the hashed forms that are actually stored.


More on Schemas

Raw LDB is schema-less: with no modules loaded there are no rules, and the LDB API allows a database to be set up quickly with minimal overhead. Overhead is then added only where it is needed, by loading modules as described above, and schema support is added in exactly this way.

It is through these schemas that we ensure that our databases are LDAP compliant. In this way, we can use LDB within Samba to allow us to communicate with other LDAP databases, and (what we are really aiming for) Active Directory.

Schema-less

An example of a schema-less database used within Samba is secrets.ldb. It doesn't need a schema because it is used only internally by Samba, so there is no need for the overhead of one. Because there is no schema attached, arbitrary data can be inserted into the database: we can modify a record to include a new attribute called "pet" with a value of our choosing, e.g. "cat", and this is a perfectly acceptable thing to do. It is also possible that I have a thing for cats ;) (The same lack of rules means nothing stops a mistyped attribute name from being stored either, and as the secret: line below shows, the file holds account secrets in the clear, so its file permissions are what protect them.)

# editing 1 records
# record 1

dn: samAccountName=dns-localdc,CN=Principals
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: secret
objectClass: kerberosSecret
privateKeytab: dns.keytab
realm: SAMBA.EXAMPLE.COM
sAMAccountName: dns-localdc
secret: DZCb)wH]7uoDEd:q+ZmoC#P==0YAP(7.Dbz$6RA0l!KLx3sr#0]oV>eij3,=y@StOKNCn?k28ik%McPo&tPLnoyt0koqxm@NFe(aRn;YyD4fIkK4w>K=zBjUkv_LEGUCcoK_:7Q#0UC2CZx0WOV6pHu$aO
servicePrincipalName: DNS/samba.example.com
servicePrincipalName: DNS/localdc.samba.example.com
objectGUID: 2f1d38f3-49b2-4baa-b77c-14c5daebadc0
whenCreated: 20111005000141.0Z
uSNCreated: 8
name: dns-localdc
pet: cat
whenChanged: 20111005004406.0Z
uSNChanged: 9
distinguishedName: samAccountName=dns-localdc,CN=Principals

(note the sneaky inclusion of the new attribute just after the name attribute. Also note the plain text way in which the data has been written, this is called LDIF – LDAP Data Interchange Format. More on this in a later post)

Schema controlled

We can add a schema module to a database to ensure that it follows set rules. A schema would generally include information about which attributes are allowed, and constraints on data type, size, etc. Within Samba, the sam.ldb database is controlled by a schema. Schemas are only needed where the database is exposed externally, and there a schema provides valuable protection: it keeps the data compatible with the clients that read it. If we were to make an attempt to include the same pet: cat attribute and value pair within the sam.ldb database, the following error would be returned:

Controllers,DC=samba,DC=example,DC=com - objectclass_attrs: attribute 'pet' on entry 'CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=example,DC=com' was not found in the schema!

The schema for the sam.ldb database is compatible with the schema described within the Microsoft Active Directory Technical Specification http://msdn.microsoft.com/en-us/library/cc223122%28v=PROT.13%29.aspx

The schemas used are available for viewing online via the HTTP-accessible copy of the Samba source.

http://samba.org/ftp/unpacked/samba_4_0_test/source4/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt defines the attributes, regardless of objectClass; the classes file determines which attributes are associated with each class.

http://samba.org/ftp/unpacked/samba_4_0_test/source4/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt defines the objectClass and what attributes are allowed for a given class
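The difference between the schema-less secrets.ldb edit above and the sam.ldb refusal can be sketched as a module stack. The following is a toy model added for this post, not Samba's ldb API: a dict-backed store stands in for TDB, a pass-through Module class forms the stack, and an ObjectClassAttrsModule performs the attribute check that the objectclass_attrs error reports, using the same wording. The schema it loads is a constructed handful of entries in the spirit of the Attributes and Classes files linked above; class inheritance and MUST attributes are left out.

```python
# Toy model of an LDB module stack, added for this post (not Samba's ldb API).
# A request enters at the top, each module may refuse or rewrite it, and the
# bottom of the stack is a schema-less store standing in for TDB.

class LdbError(Exception):
    """Raised by a module that refuses a request, with an ldb-style message."""

class TdbStore:
    """Bottom of the stack: a dict keyed on the case-folded DN, like TDB's DN= keys."""
    def __init__(self):
        self.records = {}
    def add(self, dn, attrs):
        self.records[dn.lower()] = {a: list(v) for a, v in attrs.items()}
    def modify(self, dn, changes):
        record = self.records[dn.lower()]
        for attr, values in changes.items():
            record.setdefault(attr, []).extend(values)
    def search(self, dn):
        return self.records.get(dn.lower())

class Module:
    """Pass-through module; subclasses override the operations they police."""
    def __init__(self, below):
        self.below = below
    def add(self, dn, attrs):
        return self.below.add(dn, attrs)
    def modify(self, dn, changes):
        return self.below.modify(dn, changes)
    def search(self, dn):
        return self.below.search(dn)

class ObjectClassAttrsModule(Module):
    """Schema module: an attribute must exist in the attributes list and be allowed
    by one of the entry's objectClasses (the check behind the objectclass_attrs
    error above). Class inheritance and MUST attributes are left out for brevity."""
    def __init__(self, below, attributes, classes):
        super().__init__(below)
        self.attributes = {a.lower() for a in attributes}
        self.classes = {c.lower(): {a.lower() for a in may} for c, may in classes.items()}
    def _check(self, dn, object_classes, attrs):
        allowed = set()
        for oc in object_classes:
            if oc.lower() not in self.classes:
                raise LdbError("objectclass_attrs: objectClass '%s' on entry '%s' "
                               "was not found in the schema!" % (oc, dn))
            allowed |= self.classes[oc.lower()]
        for attr in attrs:
            if attr.lower() == "objectclass":
                continue  # validated above
            if attr.lower() not in self.attributes:
                raise LdbError("objectclass_attrs: attribute '%s' on entry '%s' "
                               "was not found in the schema!" % (attr, dn))
            if attr.lower() not in allowed:
                raise LdbError("objectclass_attrs: attribute '%s' on entry '%s' is not "
                               "allowed by its objectClasses" % (attr, dn))
    def add(self, dn, attrs):
        self._check(dn, attrs.get("objectClass", []), attrs)
        return self.below.add(dn, attrs)
    def modify(self, dn, changes):
        existing = self.below.search(dn)
        if existing is None:
            raise LdbError("No such object: %s" % dn)
        self._check(dn, existing.get("objectClass", []), changes)
        return self.below.modify(dn, changes)

# Constructed handful of entries in the spirit of the Attributes/Classes files
# linked above (the real files list thousands of them).
SCHEMA_ATTRIBUTES = ["cn", "objectClass", "sAMAccountName", "servicePrincipalName", "dNSHostName"]
SCHEMA_CLASSES = {
    "top": ["cn", "objectClass"],
    "computer": ["sAMAccountName", "servicePrincipalName", "dNSHostName"],
}

def schemaless_accepts_pet():
    """secrets.ldb style: nothing above the store, so pet: cat is simply written."""
    secrets = TdbStore()
    dn = "samAccountName=dns-localdc,CN=Principals"
    secrets.add(dn, {"objectClass": ["top", "secret", "kerberosSecret"],
                     "sAMAccountName": ["dns-localdc"]})
    secrets.modify(dn, {"pet": ["cat"]})
    return secrets.search(dn)["pet"]

def schema_rejects_pet():
    """sam.ldb style: the schema module above the store refuses the same change."""
    sam = ObjectClassAttrsModule(TdbStore(), SCHEMA_ATTRIBUTES, SCHEMA_CLASSES)
    dn = "CN=LOCALDC,OU=Domain Controllers,DC=samba,DC=example,DC=com"
    sam.add(dn, {"objectClass": ["top", "computer"], "cn": ["LOCALDC"],
                 "sAMAccountName": ["LOCALDC$"]})
    try:
        sam.modify(dn, {"pet": ["cat"]})
    except LdbError as err:
        return str(err)
    return None
```

The point of the shape is that the store never learns about the schema: the same TdbStore sits under both stacks, and it is purely the module above it that decides whether pet: cat is acceptable. Adding a module above ObjectClassAttrsModule (something like the password hash module) needs no change to anything beneath it.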


coming up:

  • LDB tools (and examples)
  • Hidden attributes
  • How LDB indexing works
  • rootDSE

Stripey’s visit with Alyssa

  • October 23, 2011 6:14 pm

Alyssa was recently given a toy to take home from her child care centre. Stripey, the purple zebra. Stripey comes with a book of all of her adventures from all of the houses that she visits, and parents are expected to put together a couple of pages of photos and story to go along with Stripey’s visit. Today, we did this (albeit with green text and borders for the printed version)

Stripey’s visit with Alyssa

Alyssa and Stripey

A day in the life…

While Stripey was visiting, we went for many car rides

Driving


We did some shopping

shopping


We had bedtime stories and watched some Charlie and Lola cartoons with friends

Bed time


Fun things

While Stripey was visiting, we played and jumped and ran around at Team Trampoline

Team Trampoline


We went to ballet lessons

Ballet Lessons

We spent some time at Mummy’s favourite cafe roaring like dinosaurs at the owner and eating like kings!

The Grind, Norwood


At Alyssa’s Mummy’s house

While Stripey was visiting, we ate dinner together

Eating Dinner

Stripey got stalked by a leopard

Stalked by a leopard


Then they made friends

Making friends


At Alyssa’s Daddy’s house

While Stripey was visiting, we looked through some recipe books and cooked some yummy things.

Reading recipe books


We built a chicken coop.

Chicken coop

Chicken coop


And put chickens in it!

Chickens!

Chickens!!!

We played on the trampoline

Trampoline


Road trip

While Stripey was visiting, Mummy took us for a road trip. We saw lots of flowers by the road!

Flowers by the road side near Nhill, Victoria. Gazillions of Gazanias!

We looked at a windmill farm in Buangor, and learned about sustainable and renewable energy.

Windmill farm in Buangor, Victoria

We stopped at The Giant Koala and saw a wallaby with a baby joey in her pouch!

Wallaby with Joey


Stripey had LOTS of fun with Alyssa!

Toy butterflies