[Samba] Samba4 and the nTSecurityDescriptor attribute
Rowland Penny
rowlandpenny at googlemail.com
Mon Jul 21 07:22:37 MDT 2014
Hi,

I upgraded the samba4 schema with the sudo AD schema, added the required
sudo ldifs including the OU

dn: OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
showInAdvancedViewOnly: TRUE

I then tried to get sssd to pull the sudo rules from AD, without
success. After posting over on the sssd list, it became apparent that
'Domain Computers' seemingly did not have the right to read the SUDOers
OU. Further investigation proved that this was not entirely correct,
'Domain Computers' could read the OU, it just wasn't allowed to read
anything in the OU, i.e. the sudo rules!

This brings me to the purpose of this post: does anybody know how to
change the 'nTSecurityDescriptor' attribute of an OU with Linux tools?
Can I just read the attribute, change it with sed and then write it
back, or do I need to do the required change with 'samba-tool dsacl set',
and if so, how? Or is there some better way that I haven't thought of?

All I need to do is change '(A;;RPLCRC;;;DC)' to '(A;CI;RPLCRC;;;DC)'

Rowland
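
The one-ACE change asked about above, made by parsing the SDDL string field by field instead of by text substitution. This is an added example, not part of the original post: it only transforms the string, and the function names and the sample descriptor are constructed for illustration. In SDDL, `CI` is the container-inherit flag, which is what lets objects inside the OU receive the ACE.

```python
import re

# SDDL ACE body: type;flags;rights;object_guid;inherit_object_guid;trustee
ACE_RE = re.compile(r"\(([^()]*)\)")

def tokens(s):
    """Split an SDDL flag/rights string into two-letter tokens (hex masks stay whole)."""
    return [s] if s.startswith("0x") else [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(body):
    """Parse one ACE body into a dict, or return None if it is not a plain 6-field ACE."""
    fields = body.split(";")
    if len(fields) != 6:  # e.g. conditional ACEs carry a 7th field; leave them alone
        return None
    keys = ("type", "flags", "rights", "object", "inherit_object", "trustee")
    ace = dict(zip(keys, fields))
    ace["flags"], ace["rights"] = tokens(ace["flags"]), tokens(ace["rights"])
    return ace

def add_ace_flag(sddl, trustee, rights, flag):
    """Add `flag` to explicit allow ACEs for `trustee` that grant exactly `rights`.
    Returns (new_sddl, number_of_aces_changed)."""
    wanted, changed = set(tokens(rights)), 0

    def fix(match):
        nonlocal changed
        ace = parse_ace(match.group(1))
        if (ace is None or ace["type"] != "A" or ace["trustee"] != trustee
                or set(ace["rights"]) != wanted
                or "ID" in ace["flags"]      # inherited copy: change the parent instead
                or flag in ace["flags"]):    # already set: keeps the edit idempotent
            return match.group(0)
        changed += 1
        fields = match.group(1).split(";")
        fields[1] = flag + fields[1]
        return "(" + ";".join(fields) + ")"

    return ACE_RE.sub(fix, sddl), changed

# Constructed sample descriptor (not taken from a real directory).
SAMPLE = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
          "(A;;RPLCRC;;;DC)(A;CIID;RPLCLORC;;;AU)S:AI(AU;SA;WP;;;WD)")

if __name__ == "__main__":
    new_sddl, n = add_ace_flag(SAMPLE, "DC", "RPLCRC", "CI")
    print(n, new_sddl)
```

Checking the returned count before writing anything back shows whether exactly one ACE matched; zero or more than one means the descriptor is not what was expected.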