[Samba] How do I list computers in the domain

Robert Moskowitz

Sep 17, 2015, 12:10:03 AM
I want to see what computers have joined the domain. Not just those
currently connected as smbtree seems to do.




mathias dufresne

Sep 17, 2015, 4:20:03 AM
You can use ADUC tool which is part of RSAT.
You can also use ldbsearch:
ldbsearch -H $sam '(objectclass=computer)' dn

More info on ldbsearch and ldb tools there:
https://wiki.samba.org/index.php/LDB

Robert Moskowitz

Sep 17, 2015, 1:40:03 PM


On 09/17/2015 04:07 AM, mathias dufresne wrote:
> You can use ADUC tool which is part of RSAT.

Don't have RSAT on a computer yet, and anyway I want to do this on the
server, not a client.

> You can also use ldbsearch:
> ldbsearch -H $sam '(objectclass=computer)' dn

Had to install ldb-tools on the ClearOS system and got:

# returned 0 records
# 0 entries
# 0 referrals

Yet I know there are two computers joined to this PDC.

Same return on the new AD, but that is not surprising, given the source
of the problem for the migration of the users.

> More info on ldbsearch and ldb tools there:
> https://wiki.samba.org/index.php/LDB

More reading to do! :)

Rowland Penny

Sep 17, 2015, 3:30:03 PM
On 17/09/15 18:28, Robert Moskowitz wrote:
>
>
> On 09/17/2015 04:07 AM, mathias dufresne wrote:
>> You can use ADUC tool which is part of RSAT.
>
> Don't have RSAT on a computer yet, and anyway I want to do this on the
> server, not a client.
>
>> You can also use ldbsearch:
>> ldbsearch -H $sam '(objectclass=computer)' dn
>
> Had to install ldb-tools on the ClearOS system and got:
>
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> Yet I know there are two computers joined to this PDC.

You need to run this on the DC and replace '$sam' with the path for
sam.ldb i.e.

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectclass=computer)' dn

Robert Moskowitz

Sep 17, 2015, 4:50:03 PM


On 09/17/2015 03:26 PM, Rowland Penny wrote:
> On 17/09/15 18:28, Robert Moskowitz wrote:
>>
>>
>> On 09/17/2015 04:07 AM, mathias dufresne wrote:
>>> You can use ADUC tool which is part of RSAT.
>>
>> Don't have RSAT on a computer yet, and anyway I want to do this on
>> the server, not a client.
>>
>>> You can also use ldbsearch:
>>> ldbsearch -H $sam '(objectclass=computer)' dn
>>
>> Had to install ldb-tools on the ClearOS system and got:
>>
>> # returned 0 records
>> # 0 entries
>> # 0 referrals
>>
>> Yet I know there are two computers joined to this PDC.
>
> You need to run this on the DC and replace '$sam' with the path for
> sam.ldb i.e.
>
> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectclass=computer)' dn

OK. That works for the sernet samba AD, but there is no sam.ldb on
ClearOS. Going to have to dig deeper to find what file they are using.

thanks

L.P.H. van Belle

Sep 18, 2015, 2:40:03 AM
Sure there is a sam.ldb. If you can't find it, install mlocate, type updatedb, and locate sam.ldb

Or if you type samba -b

You have all your samba folders, it should be in one of these, and normally in the private_dir folder.

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Robert Moskowitz
> Sent: Thursday, 17 September 2015 22:44
> To: Rowland Penny; sa...@lists.samba.org
> Subject: Re: [Samba] How do I list computers in the domain

L.P.H. van Belle

Sep 18, 2015, 3:00:03 AM
And if you find the sam.ldb

Try :

ldbsearch -H /var/lib/samba/private/sam.ldb '(dNSHostName=*)' | grep dNSHostName
It will list only the computers which joined the domain.

Greetz,



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday, 18 September 2015 8:30
> To: sa...@lists.samba.org

Rowland Penny

Sep 18, 2015, 5:30:05 AM
ClearOS appears to be using a version of LDAP, probably OpenLDAP, so
you will need to use the ldap-utils tools (ldapsearch etc), bit rusty on
those, so suggest a trip to Google :-)

Rowland

mathias dufresne

Sep 18, 2015, 6:40:04 AM
Ldapsearch filters are the same as those used by ldbsearch, at least for
simple filters. That means you can use filters already given.

Robert Moskowitz

Sep 18, 2015, 8:40:03 AM


On 09/18/2015 02:30 AM, L.P.H. van Belle wrote:
> Sure there is a sam.ldb. If you can't find it, install mlocate, type updatedb, and locate sam.ldb

[root@homebase samba]# updatedb
[root@homebase samba]# locate sam.ldb
[root@homebase samba]#

No sam.ldb :(

Don't know what they called it instead. Will probably have to ask on
their forum.

> Or if you type samba -b

[root@homebase samba]# samba -b
-bash: samba: command not found

> You have all your samba folders, it should be in one of these, and normally in the private_dir folder.


Do you see it in here:

/var/lib/ldap/sambaDomainName.bdb
/var/lib/ldap/sambaGroupType.bdb
/var/lib/ldap/sambaPrimaryGroupSID.bdb
/var/lib/ldap/sambaSID.bdb
/var/lib/ldap/sambaSIDList.bdb
/var/lib/ldap/backup.1424429165/sambaDomainName.bdb
/var/lib/ldap/backup.1424429165/sambaGroupType.bdb
/var/lib/ldap/backup.1424429165/sambaPrimaryGroupSID.bdb
/var/lib/ldap/backup.1424429165/sambaSID.bdb
/var/lib/ldap/backup.1424429165/sambaSIDList.bdb
/var/lib/ldap/backup.1442564646/sambaDomainName.bdb
/var/lib/ldap/backup.1442564646/sambaGroupType.bdb
/var/lib/ldap/backup.1442564646/sambaPrimaryGroupSID.bdb
/var/lib/ldap/backup.1442564646/sambaSID.bdb
/var/lib/ldap/backup.1442564646/sambaSIDList.bdb
/var/lib/samba/account_policy.tdb
/var/lib/samba/brlock.tdb
/var/lib/samba/browse.dat
/var/lib/samba/connections.tdb
/var/lib/samba/gencache.tdb
/var/lib/samba/gencache_notrans.tdb
/var/lib/samba/locking.tdb
/var/lib/samba/login_cache.tdb
/var/lib/samba/messages.tdb
/var/lib/samba/namelist.debug
/var/lib/samba/netsamlogon_cache.tdb
/var/lib/samba/notify.tdb
/var/lib/samba/notify_onelevel.tdb
/var/lib/samba/printer_list.tdb
/var/lib/samba/printing
/var/lib/samba/private
/var/lib/samba/registry.tdb
/var/lib/samba/scripts
/var/lib/samba/serverid.tdb
/var/lib/samba/sessionid.tdb
/var/lib/samba/share_info.tdb
/var/lib/samba/winbindd_cache.tdb
/var/lib/samba/winbindd_privileged
/var/lib/samba/wins.dat
/var/lib/samba/wins.tdb
/var/lib/samba/printing/printers.tdb
/var/lib/samba/private/schannel_store.tdb
/var/lib/samba/private/secrets.tdb
/var/lib/samba/winbindd_privileged/pipe


:(

thanks for your help

Robert Moskowitz

Sep 18, 2015, 8:40:05 AM


On 09/18/2015 06:27 AM, mathias dufresne wrote:
> Ldapsearch filters are the same as those used by ldbsearch, at least for
> simple filters. That means you can use filters already given.

Yes they use openLDAP that is clear :)

But since I can't find their equivalent to sam.ldb, I am kind of stuck.

L.P.H. van Belle

Sep 18, 2015, 9:00:04 AM
Ow sorry,
didn't see this was an NT (samba3/ldap) domain..

Then you can use something simple like:

slapcat | grep ou=Computers

or something like
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b YOURBASEDN 'cn=*'


Greetz,

Louis


> -----Original message-----
> From: Robert Moskowitz [mailto:r...@htt-consult.com]
> Sent: Friday, 18 September 2015 14:32
> To: L.P.H. van Belle; sa...@lists.samba.org

Robert Moskowitz

Sep 18, 2015, 9:20:03 AM


On 09/18/2015 08:54 AM, L.P.H. van Belle wrote:
> Ow sorry,
> didn't see this was an NT (samba3/ldap) domain..

Easy to have missed in all the stuff.

> Then you can use something simple like:
>
> slapcat | grep ou=Computers
# slapcat | grep ou=Computers
55fc0c03 The first database does not allow slapcat; using the first
available one (2)
reqDN: cn=NC4010$,ou=Computers,ou=Accounts,dc=home,dc=htt
reqDN: cn=MAVIS$,ou=Computers,ou=Accounts,dc=home,dc=htt

Those are the two active ones, and probably the only ones. Though I
wonder what happened to the Dell that I have not used for 1 year?

> or something like
> ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b YOURBASEDN 'cn=*'

# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b YOURBASEDN 'cn=*'
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I am probably supposed to put something like HOME in for YOURBASEDN? But
even when I do, I still get that error. slapd is running.

L.P.H. van Belle

Sep 18, 2015, 9:30:03 AM
Yeah, I'm doing too much again at the same time. ;-)

The ldapsearch ..
A "one liner"

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b `cat /etc/samba//smb.conf | grep "ldap suffix" | cut -d"=" -f2,3,4,5` 'cn=*' | grep Computers

should work, well at least works here ;-)

mathias dufresne

Sep 18, 2015, 9:30:05 AM
YOURBASEDN should be replaced by 'DC=samba,DC=domain,DC=tld'. This was for
syntax only. You'll have to replace samba.domain.tld by your domain name.

Robert Moskowitz

Sep 18, 2015, 10:40:04 AM


On 09/18/2015 09:21 AM, L.P.H. van Belle wrote:
> Yeah, I'm doing too much again at the same time. ;-)
>
> The ldapsearch ..
> A "one liner"
>
> ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b `cat /etc/samba//smb.conf | grep "ldap suffix" | cut -d"=" -f2,3,4,5` 'cn=*' | grep Computers

Not quite, but it seems there is an access problem. So I went into
their web front end and tried enabling all networks/anonymous access and
still a problem. Then I found a user guide of sorts at

https://www.clearos.com/resources/documentation/clearos/content:en_us:6_directory_server

which is telling me to try (as an example):

ldapsearch -h localhost -b "dc=clearos,dc=lan" \
-D "cn=manager,ou=internal,dc=clearos,dc=lan" \
-s sub "objectclass=GroupOfNames" -x -w gbGKD86gEWXLYNRm


to see all groups. Now to find the object class for computers.

Robert Moskowitz

Sep 18, 2015, 11:00:04 AM
If I am going to do the import of accounts, I have to access openLDAP
remotely and....

the following works:

ldapsearch -h localhost -b "dc=home,dc=htt" -D
"cn=manager,ou=internal,dc=home,dc=htt" -s sub
"objectclass=GroupOfNames" -x -w m.....

But

ldapsearch -h 192.168.128.2 -b "dc=home,dc=htt" -D
"cn=manager,ou=internal,dc=home,dc=htt" -s sub
"objectclass=GroupOfNames" -x -w m....

Does not with:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I stopped the firewall (service firewall stop) to ensure this was not a
firewall access issue.

They have their own directory services app it seems.

Rowland Penny

Sep 18, 2015, 11:10:04 AM
On 18/09/15 15:53, Robert Moskowitz wrote:
> If I am going to do the import of accounts, I have to access openLDAP
> remotely and....
>
> the following works:
>
> ldapsearch -h localhost -b "dc=home,dc=htt" -D
> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
> "objectclass=GroupOfNames" -x -w m.....
>
> But
>
> ldapsearch -h 192.168.128.2 -b "dc=home,dc=htt" -D
> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
> "objectclass=GroupOfNames" -x -w m....
>
> Does not with:
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> I stopped the firewall (service firewall stop) to ensure this was not
> a firewall access issue.
>

Try replacing '192.168.128.2' with 'ldap://hostname.domain.tld'

Rowland

Robert Moskowitz

Sep 18, 2015, 11:20:05 AM


On 09/18/2015 11:02 AM, Rowland Penny wrote:
> On 18/09/15 15:53, Robert Moskowitz wrote:
>> If I am going to do the import of accounts, I have to access openLDAP
>> remotely and....
>>
>> the following works:
>>
>> ldapsearch -h localhost -b "dc=home,dc=htt" -D
>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>> "objectclass=GroupOfNames" -x -w m.....
>>
>> But
>>
>> ldapsearch -h 192.168.128.2 -b "dc=home,dc=htt" -D
>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>> "objectclass=GroupOfNames" -x -w m....
>>
>> Does not with:
>>
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>> I stopped the firewall (service firewall stop) to ensure this was not
>> a firewall access issue.
>>
>
> Try replacing '192.168.128.2' with 'ldap://hostname.domain.tld'

# ldapsearch -h ldap://homebase.home.htt -b "dc=home,dc=htt" -D
"cn=manager,ou=internal,dc=home,dc=htt" -s sub
"objectclass=GroupOfNames" -x -w m...
Could not create LDAP session handle for
URI=ldap://ldap:%2F%2Fhomebase.home.htt (-9): Bad parameter to an ldap
routine

Seems it adds the ldap:// automagically and:

# ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
"cn=manager,ou=internal,dc=home,dc=htt" -s sub
"objectclass=GroupOfNames" -x -w mxYEjFaB+7skgPxV
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Looks like it is off to the ClearOS forum.

Rowland Penny

Sep 18, 2015, 11:40:05 AM
On 18/09/15 16:15, Robert Moskowitz wrote:
> # ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
> "objectclass=GroupOfNames" -x -w mxYEjFaB+7skgPxV
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OK, try this:

ldapsearch -H ldap://homebase.home.htt -b "dc=home,dc=htt" -s sub -D
"cn=manager,ou=internal,dc=home,dc=htt" "objectclass=GroupOfNames" -x -w
"mxYEjFaB+7skgPxV"

A similar search works against one of my AD DCs

Rowland

Robert Moskowitz

Sep 18, 2015, 1:10:03 PM


On 09/18/2015 11:34 AM, Rowland Penny wrote:
> On 18/09/15 16:15, Robert Moskowitz wrote:
>> # ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>> "objectclass=GroupOfNames" -x -w m...
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> OK, try this:
>
> ldapsearch -H ldap://homebase.home.htt -b "dc=home,dc=htt" -s sub -D
> "cn=manager,ou=internal,dc=home,dc=htt" "objectclass=GroupOfNames" -x
> -w "m..."
>
> A similar search works against one of my AD DCs

No dice. Took a bit to figure out how ClearOS forum works to ask a
question there. Will see what I learn there.

Rowland Penny

Sep 18, 2015, 1:40:04 PM
On 18/09/15 18:00, Robert Moskowitz wrote:
>
>
> On 09/18/2015 11:34 AM, Rowland Penny wrote:
>> On 18/09/15 16:15, Robert Moskowitz wrote:
>>> # ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
>>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>>> "objectclass=GroupOfNames" -x -w m...
>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>> OK, try this:
>>
>> ldapsearch -H ldap://homebase.home.htt -b "dc=home,dc=htt" -s sub -D
>> "cn=manager,ou=internal,dc=home,dc=htt" "objectclass=GroupOfNames" -x
>> -w "m..."
>>
>> A similar search works against one of my AD DCs
>
> No dice. Took a bit to figure out how ClearOS forum works to ask a
> question there. Will see what I learn there.
>
>
>

Hmm, I wonder if this is your problem, you posted earlier that the
ldap_user_dn was:

cn=manager,ou=Internal,dc=home,dc=htt

and you are using : "cn=manager,ou=internal,dc=home,dc=htt"

i.e. you are using a lowercase 'i' whereas the OU starts with an
uppercase 'I'

Rowland

Robert Moskowitz

Sep 18, 2015, 2:10:05 PM


On 09/18/2015 01:35 PM, Rowland Penny wrote:
> On 18/09/15 18:00, Robert Moskowitz wrote:
>>
>>
>> On 09/18/2015 11:34 AM, Rowland Penny wrote:
>>> On 18/09/15 16:15, Robert Moskowitz wrote:
>>>> # ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
>>>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>>>> "objectclass=GroupOfNames" -x -w m...
>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>
>>> OK, try this:
>>>
>>> ldapsearch -H ldap://homebase.home.htt -b "dc=home,dc=htt" -s sub
>>> -D "cn=manager,ou=internal,dc=home,dc=htt"
>>> "objectclass=GroupOfNames" -x -w "m..."
>>>
>>> A similar search works against one of my AD DCs
>>
>> No dice. Took a bit to figure out how ClearOS forum works to ask a
>> question there. Will see what I learn there.
>>
>>
>>
>
> Hmm, I wonder if this is your problem, you posted earlier that the
> ldap_user_dn was:
>
> cn=manager,ou=Internal,dc=home,dc=htt
>
> and you are using : "cn=manager,ou=internal,dc=home,dc=htt"
>
> i.e. you are using a lowercase 'i' whereas the OU starts with an
> uppercase 'I'

I noticed that too, but lowercase 'i' works to the loopback address as
does uppercase. Neither works to the server's IP address.

Rowland Penny

Sep 18, 2015, 2:40:03 PM
On 18/09/15 19:31, Robert Moskowitz wrote:
>
>
> On 09/18/2015 01:35 PM, Rowland Penny wrote:
>> On 18/09/15 18:00, Robert Moskowitz wrote:
>>>
>>>
>>> On 09/18/2015 11:34 AM, Rowland Penny wrote:
>>>> On 18/09/15 16:15, Robert Moskowitz wrote:
>>>>> # ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
>>>>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>>>>> "objectclass=GroupOfNames" -x -w m...
>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>
>>>> OK, try this:
>>>>
>>>> ldapsearch -H ldap://homebase.home.htt -b "dc=home,dc=htt" -s sub
>>>> -D "cn=manager,ou=internal,dc=home,dc=htt"
>>>> "objectclass=GroupOfNames" -x -w "m..."
>>>>
>>>> A similar search works against one of my AD DCs
>>>
>>> No dice. Took a bit to figure out how ClearOS forum works to ask a
>>> question there. Will see what I learn there.
>>>
>>>
>>>
>>
>> Hmm, I wonder if this is your problem, you posted earlier that the
>> ldap_user_dn was:
>>
>> cn=manager,ou=Internal,dc=home,dc=htt
>>
>> and you are using : "cn=manager,ou=internal,dc=home,dc=htt"
>>
>> i.e. you are using a lowercase 'i' whereas the OU starts with an
>> uppercase 'I'
>
> I was told that ClearOS is configured to use ldaps:// for network
> access; it only uses ldap for internal access.
>
> So instead of '-h localhost', I needed '-H ldaps://<ipaddr>' and it
> worked.
>
> So next step is to set up the files on the samba AD so that
> classicupdate will be able to access the ClearOS ldap....
>
>

Damn, I should have realised that, it is using port 636 instead of the
standard 389 port, anyway, at least you are moving forward.

Robert Moskowitz

Sep 18, 2015, 2:40:03 PM


On 09/18/2015 01:35 PM, Rowland Penny wrote:
> On 18/09/15 18:00, Robert Moskowitz wrote:
>>
>>
>> On 09/18/2015 11:34 AM, Rowland Penny wrote:
>>> On 18/09/15 16:15, Robert Moskowitz wrote:
>>>> # ldapsearch -h homebase.home.htt -b "dc=home,dc=htt" -D
>>>> "cn=manager,ou=internal,dc=home,dc=htt" -s sub
>>>> "objectclass=GroupOfNames" -x -w m...
>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>
>>> OK, try this:
>>>
>>> ldapsearch -H ldap://homebase.home.htt -b "dc=home,dc=htt" -s sub -D
>>> "cn=manager,ou=internal,dc=home,dc=htt" "objectclass=GroupOfNames"
>>> -x -w "m..."
>>>
>>> A similar search works against one of my AD DCs
>>
>> No dice. Took a bit to figure out how ClearOS forum works to ask a
>> question there. Will see what I learn there.
>>
>>
>>
>
> Hmm, I wonder if this is your problem, you posted earlier that the
> ldap_user_dn was:
>
> cn=manager,ou=Internal,dc=home,dc=htt
>
> and you are using : "cn=manager,ou=internal,dc=home,dc=htt"
>
> i.e. you are using a lowercase 'i' whereas the OU starts with an
> uppercase 'I'

I was told that ClearOS is configured to use ldaps:// for network
access; it only uses ldap for internal access.

So instead of '-h localhost', I needed '-H ldaps://<ipaddr>' and it worked.

So next step is to set up the files on the samba AD so that
classicupdate will be able to access the ClearOS ldap....
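
Added example (not written by any poster in this thread): shell functions that combine what the thread arrives at, reading the base DN from the "ldap suffix" line of smb.conf, querying over ldaps:// as the last posts found necessary on ClearOS, and extracting machine names from the LDIF after unfolding wrapped DN lines. The function names, the password-file argument (ldapsearch -y, which keeps the bind password off the command line, unlike -w) and the sample LDIF are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sample data below is constructed.

# Print the "ldap suffix" value from an smb.conf-style file. Tolerates mixed
# case and spaces around '='; lines commented out with '#' or ';' are ignored.
ldap_suffix() {
    awk 'tolower($0) ~ /^[ \t]*ldap[ \t]+suffix[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0
         }
         END { if (v != "") print v }' "$1"
}

# Read LDIF on stdin and print the machine names found under ou=Computers.
# LDIF folds long lines (continuations start with one space), so a plain
# grep can miss or truncate a DN; unfold first, then match.
computers_from_ldif() {
    awk '
        function emit(l,    rdn) {
            if (tolower(l) !~ /^dn: /) return
            sub(/^[^:]*: */, "", l)
            if (tolower(l) !~ /,ou=computers,/) return
            rdn = l; sub(/,.*/, "", rdn); sub(/^[^=]*=/, "", rdn)
            sub(/\$$/, "", rdn)          # drop the trailing machine-account "$"
            print rdn
        }
        /^ / { line = line substr($0, 2); next }
             { emit(line); line = $0 }
        END  { emit(line) }' | sort -u
}

# Live query. $1 = server name, $2 = bind DN, $3 = file holding the bind
# password (no trailing newline, mode 600), $4 = smb.conf path (optional).
list_domain_computers() {
    base=$(ldap_suffix "${4:-/etc/samba/smb.conf}")
    [ -n "$base" ] || { echo "no ldap suffix found" >&2; return 1; }
    ldapsearch -x -LLL -H "ldaps://$1" -D "$2" -y "$3" \
        -b "$base" -s sub '(cn=*$)' dn | computers_from_ldif
}

# Constructed sample in the shape of ldapsearch -LLL output, with one folded DN.
sample_ldif() {
    cat <<'EOF'
dn: cn=NC4010$,ou=Computers,ou=Accounts,dc=home,dc=htt
objectClass: account

dn: cn=MAVIS$,ou=Computers,ou=Acc
 ounts,dc=home,dc=htt

dn: cn=rgm,ou=Users,ou=Accounts,dc=home,dc=htt
EOF
}
```

Running sample_ldif | computers_from_ldif exercises the parser offline; list_domain_computers needs a reachable server whose certificate the client trusts.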


