Task #32953

Scenario #32254: Study the possibility of renaming the client workstation in addition to the Salt key

allow eole-workstation-manager to rename a PC

Added by Gilles Grandgérard 2 months ago. Updated 14 days ago.

Status: In progress
Priority: Normal
Assigned To: -
Start date: 07/16/2021
Due date:
% Done: 0%
Remaining (hours):

Description

On a PC logged in as pcadmin, if the domain account 'eole-workstation-manager' is used to rename the PC, a permissions problem appears.

If the admin account is used, it works normally.

So a right is missing on the 'eole-workstation-manager' account.

See: screenshot

Attachment: Capture d’écran du 2021-07-16 10-23-05.png (217 KB), Gilles Grandgérard, 07/16/2021 10:23 AM

History

#1 Updated by Gilles Grandgérard 2 months ago

attempt to rename PC-609788B$ to PC-609788C$
note that the AD object is not modified
note that only the 'samAccountName' attribute is modified

==> log.samba <==
[2021/07/16 10:30:00.695557,  4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_np] user [DOMPEDAGO]\[eole-workstation-manager] [S-1-5-21-156656394-1840216754-3105095414-1110] at [Fri, 16 Jul 2021 10:30:00.695534 CEST] Remote host [ipv4:10.1.2.50:50985] local host [ipv4:10.1.3.11:445]
  {"timestamp": "2021-07-16T10:30:00.695620+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:10.1.3.11:445", "remoteAddress": "ipv4:10.1.2.50:50985", "serviceDescription": "DCE/RPC", "authType": "ncacn_np", "domain": "DOMPEDAGO", "account": "eole-workstation-manager", "sid": "S-1-5-21-156656394-1840216754-3105095414-1110", "sessionId": "ed715813-c7c9-40c2-951c-6fe389713778", "logonServer": "ADDC", "transportProtection": "SMB", "accountFlags": "0x00000210"}}

[2021/07/16 10:30:00.698995,  3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb

[2021/07/16 10:30:00.702271,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

[2021/07/16 10:30:00.704652,  4] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,ncacn_np] user [DOMPEDAGO]\[eole-workstation-manager] [S-1-5-21-156656394-1840216754-3105095414-1110] at [Fri, 16 Jul 2021 10:30:00.704637 CEST] Remote host [ipv4:10.1.2.50:50985] local host [ipv4:10.1.3.11:445]
  {"timestamp": "2021-07-16T10:30:00.704710+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:10.1.3.11:445", "remoteAddress": "ipv4:10.1.2.50:50985", "serviceDescription": "DCE/RPC", "authType": "ncacn_np", "domain": "DOMPEDAGO", "account": "eole-workstation-manager", "sid": "S-1-5-21-156656394-1840216754-3105095414-1110", "sessionId": "ed715813-c7c9-40c2-951c-6fe389713778", "logonServer": "ADDC", "transportProtection": "SMB", "accountFlags": "0x00000210"}}

[2021/07/16 10:30:00.714463,  5] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text)
  DSDB Change [Modify] at [Fri, 16 Jul 2021 10:30:00.714421 CEST] status [insufficient access rights] remote host [ipv4:10.1.2.50:50985] SID [S-1-5-21-156656394-1840216754-3105095414-1110] DN [CN=PC-609788,OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan] attributes 
[replace: samAccountName [PC-609788C$]]
  {"timestamp": "2021-07-16T10:30:00.714516+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 50, "status": "insufficient access rights", "operation": "Modify", "remoteAddress": "ipv4:10.1.2.50:50985", "performedAsSystem": false, "userSid": "S-1-5-21-156656394-1840216754-3105095414-1110", "dn": "CN=PC-609788,OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan", "transactionId": "22a18d08-bcfa-4311-b6f2-39524506d7b4", "sessionId": "ed715813-c7c9-40c2-951c-6fe389713778", "attributes": {"samAccountName": {"actions": [{"action": "replace", "values": [{"value": "PC-609788C$"}]}]}}}}

[2021/07/16 10:30:00.714565,  5] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text)
  DSDB Transaction [rollback] at [Fri, 16 Jul 2021 10:30:00.714558 CEST] duration [1432]
  {"timestamp": "2021-07-16T10:30:00.714579+0200", "type": "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1, "minor": 0}, "action": "rollback", "transactionId": "22a18d08-bcfa-4311-b6f2-39524506d7b4", "duration": 1432}}

[2021/07/16 10:30:00.714636,  1] ../../source4/rpc_server/samr/dcesrv_samr.c:3971(dcesrv_samr_SetUserInfo)
  Failed to modify record CN=PC-609788,OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan: Object CN=PC-609788, *OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan has no write property access*

[2021/07/16 10:30:00.717321,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

#3 Updated by Gilles Grandgérard 2 months ago

Follow-up: https://dev-eole.ac-dijon.fr/projects/eole-workstation/repository/revisions/2c6cc0ec5935e5ddeea90e6ffec0562c0bcb54ac/diff/postservice/30-eole-workstation-manager

Extraction procedure:
on the ADDC:
SID_ADMIN="$(wbinfo --name-to-sid admin |awk '{print $1;}')"
SID_EOLE_WORKSTATION_MANAGER="$(wbinfo --name-to-sid eole-workstation-manager |awk '{print $1;}')"
samba-tool dsacl get | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_all
samba-tool dsacl get --objectdn="CN=Computers,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Computers
samba-tool dsacl get --objectdn="CN=Users,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Users
samba-tool dsacl get --objectdn="OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Ordinateurs_du_Domaine
samba-tool dsacl get --objectdn="OU=Utilisateurs du Domaine,DC=dompedago,DC=etb1,DC=lan" | sed -e "s/$SID_ADMIN/admin/g" | sed -e "s/$SID_EOLE_WORKSTATION_MANAGER/eole-workstation-manager/g" | sed -e 's/)(/)\n(/g' >/tmp/dsacl_Utilisateurs_du_Domaine

on the Scribe:
. getVMContext.sh
cp -f /var/lib/lxc/addc/rootfs/tmp/dsacl_* /mnt/eole-ci-tests/output/$VM_OWNER/

on the developer PC:
meld /mnt/eole-ci-tests/output/$VM_OWNER/dsacl_*

Gives without/with:
diff /mnt/eole-ci-tests/output/ggrandgerard/dsacl_Utilisateurs_du_Domaine /mnt/eole-ci-tests/output/ggrandgerard/dsacl_Ordinateurs_du_Domaine

1,2c1,12
< descriptor for OU=Utilisateurs du Domaine,DC=dompedago,DC=etb1,DC=lan:
< O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
---
> descriptor for OU=Ordinateurs du Domaine,DC=dompedago,DC=etb1,DC=lan:
> O:DAG:DAD:ARAI(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;admin)
> (OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;admin)
> (OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;eole-workstation-manager)
> (OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

GUID verification:

DDC790AC-AF4D-442A-8F0F-A1D4CAA7DD92 -> APPLICATION_VERSION cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-applicationversion
bf967a86-0de6-11d0-a285-00aa003049e2 -> COMPUTER_OBJECT cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-computer
f3a64788-5306-11d1-a9c5-0000f80367c1 -> "Validated-SPN" cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/r-validated-spn
72e39547-7b18-11d1-adef-00c04fd8d5cd -> "Valid-DNS-Host-Name" cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/r-validated-dns-host-name
00299570-246d-11d0-a768-00aa006e0529 -> "User-Force-Change-Password" cf.: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password
4c164200-20c0-11d0-a768-00aa006e0529 -> "User-Account-Restrictions" cf.: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-account-restrictions

So we need:

COMPUTER_OBJECT="{BF967A86-0DE6-11D0-A285-00AA003049E2}" 
APPLICATION_VERSION="{DDC790AC-AF4D-442A-8F0F-A1D4CAA7DD92}" 
USER_FORCE_CHANGE_PASSWORD="00299570-246d-11d0-a768-00aa006e0529" 
USER_ACCOUNT_RESTRICTIONS="4c164200-20c0-11d0-a768-00aa006e0529" 
ECRITURE_VALIDEE_DNS_HOST_NAME="72e39547-7b18-11d1-adef-00c04fd8d5cd" 
ECRITURE_VALIDEE_SPN="f3a64788-5306-11d1-a9c5-0000f80367c1" 
SDDL="ARAI(OA;CI;CC;${COMPUTER_OBJECT};;${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;${APPLICATION_VERSION};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;;${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;SW;${ECRITURE_VALIDEE_DNS_HOST_NAME};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;CR;${USER_FORCE_CHANGE_PASSWORD};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;RPWP;${USER_ACCOUNT_RESTRICTIONS};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;SW;${ECRITURE_VALIDEE_SPN};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})" 
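
The samba log above ends with "has no write property access" while the DACL dump shows that eole-workstation-manager does hold RPWP on computer children, but only scoped to the User-Account-Restrictions property set, plus validated writes (SW) on DNS host name and SPN. The script below is an added example, not code from the ticket or from the EOLE project: it parses the OU descriptor dumped in this comment into its ACEs, selects those a computer object inherits, and evaluates Write Property for a given trustee and attribute GUID. Two things are assumptions: the schema GUID used for the sAMAccountName attribute comes from the AD schema and is not on the ticket, and property-set membership is not resolved (a WP scoped to a property set is treated as not covering the attribute), which is enough here because sAMAccountName is not one of the GUIDs in the dump.

```python
"""Decode an Active Directory DACL written in SDDL and audit Write Property
rights on the children of a container. Added example, not EOLE project code.
Descriptor as dumped in the ticket (SIDs already replaced by names by sed)."""
import re

# GUID -> name, from the ticket's verification list.
GUID_NAMES = {
    "bf967a86-0de6-11d0-a285-00aa003049e2": "Computer (class)",
    "ddc790ac-af4d-442a-8f0f-a1d4caa7dd92": "ApplicationVersion (class)",
    "f3a64788-5306-11d1-a9c5-0000f80367c1": "Validated-SPN",
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": "Validated-DNS-Host-Name",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "4c164200-20c0-11d0-a768-00aa006e0529": "User-Account-Restrictions",
}
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
USER_ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"
# Assumption: AD schema GUID of the "SAM-Account-Name" attribute (not on the ticket).
SAM_ACCOUNT_NAME = "3e0abfd0-126a-11d0-a060-00aa006c33ed"

# SDDL two-letter access-right tokens used on directory objects.
RIGHT_NAMES = {"CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
               "SW": "Self Write (validated write)", "RP": "Read Property",
               "WP": "Write Property", "DT": "Delete Tree", "LO": "List Object",
               "CR": "Control Access", "SD": "Delete", "RC": "Read Control",
               "WD": "Write DAC", "WO": "Write Owner", "GA": "Generic All",
               "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute"}

# The OU's descriptor as dumped in the ticket, re-joined into one string.
OU_DESCRIPTOR = (
    "O:DAG:DAD:ARAI"
    "(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;admin)"
    "(OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;admin)"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;admin)"
    "(OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;admin)"
    "(OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;admin)"
    "(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;eole-workstation-manager)"
    "(OA;CIIO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(OA;CIIO;RPWP;4c164200-20c0-11d0-a768-00aa006e0529;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(OA;CIIO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;bf967a86-0de6-11d0-a285-00aa003049e2;eole-workstation-manager)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
)
ACE_RE = re.compile(r"\(([^()]*)\)")

def _pairs(run):
    """Split a run of two-letter SDDL tokens: 'CIIO' -> ['CI', 'IO']."""
    if len(run) % 2:
        raise ValueError(f"odd-length token run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]

def parse_aces(sddl):
    """Return each '(...)' ACE of the DACL as a dict of its six SDDL fields."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj_type, inh_type, trustee = fields
        aces.append({"type": ace_type, "flags": _pairs(flags), "rights": _pairs(rights),
                     "object_type": obj_type.lower(),
                     "inherited_object_type": inh_type.lower(), "trustee": trustee})
    return aces

def inheritable_to_child(aces, child_class_guid):
    """ACEs a child of the given class inherits from this container: CI set and an
    inherited-object-type that is empty or equal to the child's class (IO-only ACEs kept)."""
    child_class_guid = child_class_guid.lower()
    return [a for a in aces if "CI" in a["flags"]
            and a["inherited_object_type"] in ("", child_class_guid)]

def can_write_attribute(aces, trustee, attribute_guid):
    """First-match DACL evaluation of Write Property on one attribute. An empty
    object type grants WP on every attribute; an object-specific WP counts only when
    its GUID is the attribute itself (property-set membership is not resolved here)."""
    attribute_guid = attribute_guid.lower()
    for ace in aces:
        if ace["trustee"] != trustee or not {"WP", "GA", "GW"} & set(ace["rights"]):
            continue
        if ace["object_type"] and ace["object_type"] != attribute_guid:
            continue
        if ace["type"] in ("D", "OD"):
            return False
        if ace["type"] in ("A", "OA"):
            return True
    return False

def describe(ace):
    """One ACE in plain words, using the ticket's GUID names where known."""
    def name(guid, default):
        return GUID_NAMES.get(guid, guid) if guid else default
    rights = ", ".join(RIGHT_NAMES.get(r, r) for r in ace["rights"])
    return (f"{ace['type']:<2} {ace['trustee']:<25} {rights} on "
            f"{name(ace['object_type'], 'whole object')}; inherited by "
            f"{name(ace['inherited_object_type'], 'any child')} [{''.join(ace['flags'])}]")

if __name__ == "__main__":
    aces = parse_aces(OU_DESCRIPTOR)
    print("\n".join(describe(a) for a in aces))
    on_computers = inheritable_to_child(aces, COMPUTER_CLASS)
    for who in ("admin", "eole-workstation-manager"):
        print(f"{who}: WP on sAMAccountName of a computer ->",
              can_write_attribute(on_computers, who, SAM_ACCOUNT_NAME))
        print(f"{who}: WP on User-Account-Restrictions of a computer ->",
              can_write_attribute(on_computers, who, USER_ACCOUNT_RESTRICTIONS))
```

Run as a script, it lists the eleven ACEs in words and then reports that eole-workstation-manager gets Write Property on the User-Account-Restrictions set of a computer but not on sAMAccountName, which matches the `insufficient access rights` status in the dsdbChange audit line. Note that the dump gives admin exactly the same explicit ACEs on this OU, so this descriptor alone does not account for the admin account succeeding; that must come from rights not visible here. The SY entry has no inheritance flags, so it applies to the OU object itself and not to the computers below it.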

#4 Updated by Gilles Grandgérard 2 months ago

  • Status changed from New to In progress
