How to change objectSid from LDAP

Matthias Dieter Wallnöfer mdw at samba.org
Sat Feb 8 13:54:31 MST 2014


Hi Diego,

According to samldb.c (under source4/dsdb/samdb/ldb_modules) you can see that the PROVISION control is needed:
        /* make sure that "objectSid" is not specified */
        el = ldb_msg_find_element(req->op.mod.message, "objectSid");
        if (el != NULL) {
                if (ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID) == NULL) {
                        ldb_set_errstring(ldb,
                                          "samldb: objectSid must not be specified!");
                        return LDB_ERR_UNWILLING_TO_PERFORM;
                }
        }

I notice that you are passing it in your request, but it is useless if you are using LDAP (for security reasons this control is silently dropped). Hence you need to operate locally on the server's AD DB file with "root" privileges. We do have some demonstration code (look at python/samba), or otherwise use the LDB tools (ldbmodify, ldbedit) with the -H /usr/local/samba/private/sam.ldb parameter.

But be careful with such operations, which are unsupported on MS AD; they could break replication etc.


Regards,
Matthias Wallnöfer
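The local edit that the reply above recommends needs the objectSid value in its binary form and, given the replication warning, a sanity check before it is applied. The following is an added example, not code from the thread or from Samba: it packs a textual SID into the binary form that objectSid stores (Diego's s3sid_packed), checks that the new SID is the domain SID plus one RID, and writes the LDIF that ldbmodify would take against sam.ldb; the sample DN and SIDs are constructed, and the --controls=provision:0 option named in the comment is an assumption about the ldb tools.

```python
import base64
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID (S-1-5-21-...) into the binary form stored in objectSid:
    revision, sub-authority count, 48-bit big-endian authority, little-endian RIDs."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    header = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with revision and length checks."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def rid_in_domain(new_sid: str, domain_sid: str):
    """Sanity check before the local edit: a domain object's objectSid must be the
    domain SID plus exactly one RID. Returns the RID, or None if foreign or malformed."""
    try:
        bytes_to_sid(sid_to_bytes(new_sid))  # must round-trip through the binary form
    except (ValueError, struct.error):
        return None
    prefix = domain_sid + "-"
    if not new_sid.startswith(prefix):
        return None
    tail = new_sid[len(prefix):]
    return int(tail) if tail.isdigit() else None

def objectsid_modify_ldif(dn: str, new_sid: str) -> str:
    """LDIF for the local run; a binary attribute value is written base64 after '::'.
    Assumed invocation: ldbmodify -H /usr/local/samba/private/sam.ldb --controls=provision:0 < change.ldif"""
    packed = sid_to_bytes(new_sid)
    return (f"dn: {dn}\nchangetype: modify\nreplace: objectSid\n"
            f"objectSid:: {base64.b64encode(packed).decode('ascii')}\n-\n")

if __name__ == "__main__":
    # constructed sample values, not taken from the thread
    domain = "S-1-5-21-3623811015-3361044348-30300820"
    new = domain + "-1013"
    print("RID:", rid_in_domain(new, domain))
    print(objectsid_modify_ldif("CN=migrated-group,CN=Users,DC=example,DC=com", new), end="")
```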




Diego Woitasen <diego at woitasen.com.ar> wrote on Wednesday, 5 February 2014 at 1:55:
Hi,
I'm trying to modify the objectSid of a group using python-ldap. I've
found that I need a server control to do it, but it doesn't work. The code
that I'm using:

        import ldap
        from ldap.controls import LDAPControl

        # s4ldap: LDAPObject already bound as the domain administrator,
        # s4dn: DN of the group, s3sid_packed: the new SID in binary form
        modlist = [ (ldap.MOD_REPLACE, 'objectSid', s3sid_packed) ]
        LDB_CONTROL_PROVISION_OID = "1.3.6.1.4.1.7165.4.3.16"
        LDB_CONTROL_RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"
        controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0),
                LDAPControl(LDB_CONTROL_RELAX_OID, criticality=0) ]
        s4ldap.modify_ext_s(s4dn, modlist, serverctrls=controls,
            clientctrls=controls)

I'm using the domain administrator to bind to the server.

The error that I get:

ldap.UNWILLING_TO_PERFORM: {'info': '00002035: samldb: objectSid must
not be specified!', 'desc': 'Server is unwilling to perform'}

Is there a way to do it? I know that it is not something to be done
usually, but trust me, I need it :)

Regards,
  Diego

-- 
Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net
