mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
04564f690f
Sharpe.
Users my run this script after they have vampired a windows domain
controller to verify their system has no double sids, double uids, etc.
Guenther
(This used to be commit 31bd709a41
)
202 lines
4.7 KiB
Perl
Executable File
202 lines
4.7 KiB
Perl
Executable File
#!/usr/bin/perl -w
|
|
# Guenther Deschner <gd@samba.org>
|
|
#
|
|
# check for multiple LDAP entries
|
|
|
|
use strict;
|
|
|
|
use Net::LDAP;
|
|
use Getopt::Std;
|
|
|
|
my %opts;
|
|
|
|
if (!@ARGV) {
|
|
print "usage: $0 -h host -b base -D admindn -w password [-l]\n";
|
|
print "\tperforms checks for multiple sid, uid and gid-entries on your LDAP server\n";
|
|
print "\t-l adds additional checks against the local /etc/passwd and /etc/group file\n";
|
|
exit 1;
|
|
}
|
|
|
|
getopts('b:h:D:w:l', \%opts);
|
|
|
|
my $host = $opts{h} || "localhost";
|
|
my $suffix = $opts{b} || die "please set base with -b";
|
|
my $binddn = $opts{D} || die "please set basedn with -D";
|
|
my $bindpw = $opts{w} || die "please set password with -w";
|
|
my $check_local_files = $opts{l} || 0;
|
|
|
|
########################
|
|
|
|
|
|
my ($ldap, $res);
|
|
my (%passwd_h, %group_h);
|
|
my $bad_uids = 0;
|
|
my $bad_gids = 0;
|
|
my $bad_sids = 0;
|
|
my $ret = 0;
|
|
|
|
if ($check_local_files) {
|
|
my @uids = `cut -d ':' -f 3 /etc/passwd`;
|
|
my @gids = `cut -d ':' -f 3 /etc/group`;
|
|
|
|
foreach my $uid (@uids) {
|
|
chomp($uid);
|
|
$passwd_h{$uid} = $uid;
|
|
}
|
|
|
|
foreach my $gid (@gids) {
|
|
chomp($gid);
|
|
$group_h{$gid} = $gid;
|
|
}
|
|
}
|
|
|
|
########
|
|
# bind #
|
|
########
|
|
|
|
$ldap = Net::LDAP->new($host, version => '3');
|
|
|
|
$res = $ldap->bind( $binddn, password => $bindpw);
|
|
$res->code && die "failed to bind: ", $res->error;
|
|
|
|
|
|
|
|
###########################
|
|
# check for double sids #
|
|
###########################
|
|
|
|
print "\ntesting for multiple sambaSids\n";
|
|
|
|
$res = $ldap->search(
|
|
base => $suffix,
|
|
filter => "(objectclass=sambaSamAccount)");
|
|
|
|
$res->code && die "failed to search: ", $res->error;
|
|
|
|
foreach my $entry ($res->all_entries) {
|
|
|
|
my $sid = $entry->get_value('sambaSid');
|
|
|
|
my $local_res = $ldap->search(
|
|
base => $suffix,
|
|
filter => "(&(objectclass=sambaSamAccount)(sambaSid=$sid))");
|
|
|
|
$local_res->code && die "failed to search: ", $local_res->error;
|
|
if ($local_res->count > 1) {
|
|
print "A SambaSamAccount with sambaSid [$sid] must exactly exist once\n";
|
|
print "You have ", $local_res->count, " entries:\n";
|
|
foreach my $loc_entry ($local_res->all_entries) {
|
|
printf "\t%s\n", $loc_entry->dn;
|
|
}
|
|
++$bad_sids;
|
|
}
|
|
}
|
|
|
|
if ($bad_sids) {
|
|
$ret = -1;
|
|
print "You have $bad_sids bad sambaSids in your system. You might need to repair them\n";
|
|
} else {
|
|
print "No multiple sambaSids found in your system\n";
|
|
}
|
|
|
|
print "-" x 80, "\n";
|
|
|
|
###########################
|
|
# check for double groups #
|
|
###########################
|
|
|
|
print "\ntesting for multiple gidNumbers\n";
|
|
|
|
$res = $ldap->search(
|
|
base => $suffix,
|
|
filter => "(objectclass=posixGroup)");
|
|
|
|
$res->code && die "failed to search: ", $res->error;
|
|
|
|
foreach my $entry ($res->all_entries) {
|
|
|
|
my $gid = $entry->get_value('gidNumber');
|
|
my $dn = $entry->dn;
|
|
|
|
my $local_res = $ldap->search(
|
|
base => $suffix,
|
|
filter => "(&(objectclass=posixGroup)(gidNumber=$gid))");
|
|
|
|
$local_res->code && die "failed to search: ", $local_res->error;
|
|
if ($local_res->count > 1) {
|
|
print "A PosixGroup with gidNumber [$gid] must exactly exist once\n";
|
|
print "You have ", $local_res->count, " entries:\n";
|
|
foreach my $loc_entry ($local_res->all_entries) {
|
|
printf "\t%s\n", $loc_entry->dn;
|
|
}
|
|
++$bad_gids;
|
|
next;
|
|
}
|
|
|
|
if ($check_local_files && exists $group_h{$gid}) {
|
|
print "Warning: There is a group in /etc/group that has gidNumber [$gid] as well\n";
|
|
print "This entry may conflict with $dn\n";
|
|
++$bad_gids;
|
|
}
|
|
}
|
|
|
|
if ($bad_gids) {
|
|
$ret = -1;
|
|
print "You have $bad_gids bad gidNumbers in your system. You might need to repair them\n";
|
|
} else {
|
|
print "No multiple gidNumbers found in your system\n";
|
|
}
|
|
|
|
print "-" x 80, "\n";
|
|
|
|
|
|
###########################
|
|
# check for double users #
|
|
###########################
|
|
|
|
print "\ntesting for multiple uidNumbers\n";
|
|
|
|
$res = $ldap->search(
|
|
base => $suffix,
|
|
filter => "(objectclass=posixAccount)");
|
|
|
|
$res->code && die "failed to search: ", $res->error;
|
|
|
|
|
|
foreach my $entry ($res->all_entries) {
|
|
|
|
my $uid = $entry->get_value('uidNumber');
|
|
my $dn = $entry->dn;
|
|
|
|
my $local_res = $ldap->search(
|
|
base => $suffix,
|
|
filter => "(&(objectclass=posixAccount)(uidNumber=$uid))");
|
|
|
|
$local_res->code && die "failed to search: ", $local_res->error;
|
|
if ($local_res->count > 1) {
|
|
print "A PosixAccount with uidNumber [$uid] must exactly exist once\n";
|
|
print "You have ", $local_res->count, " entries:\n";
|
|
foreach my $loc_entry ($local_res->all_entries) {
|
|
printf "\t%s\n", $loc_entry->dn;
|
|
}
|
|
++$bad_uids;
|
|
next;
|
|
}
|
|
if ($check_local_files && exists $passwd_h{$uid}) {
|
|
print "Warning: There is a user in /etc/passwd that has uidNumber [$uid] as well\n";
|
|
print "This entry may conflict with $dn\n";
|
|
++$bad_uids;
|
|
}
|
|
}
|
|
|
|
if ($bad_uids) {
|
|
$ret = -1;
|
|
print "You have $bad_uids bad uidNumbers in your system. You might need to repair them\n";
|
|
} else {
|
|
print "No multiple uidNumbers found in your system\n";
|
|
}
|
|
|
|
$ldap->unbind;
|
|
|
|
exit $ret;
|