How to change objectSid from LDAP

Diego Woitasen diego at woitasen.com.ar
Sat Feb 8 19:48:27 MST 2014


On Sat, Feb 8, 2014 at 5:54 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
> Hi Diego,
>
> according to samldb.c (under source4/dsdb/samdb/ldb_modules) you can see that the PROVISION control is needed.
>         /* make sure that "objectSid" is not specified */
>         el = ldb_msg_find_element(req->op.mod.message, "objectSid");
>         if (el != NULL) {
>                 if (ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID) == NULL) {
>                         ldb_set_errstring(ldb,
>                                           "samldb: objectSid must not be specified!");
>                         return LDB_ERR_UNWILLING_TO_PERFORM;
>                 }
>         }
>
> I notice that you are passing it in your request, but it is useless if you are using LDAP (for security reasons this control is silently dropped). Hence you need to operate locally on the server's AD DB file with "root" privileges. We do have some demonstration code (look at python/samba) or otherwise use the LDB tools (ldbmodify, ldbedit) with the -H /usr/local/samba/private/sam.ldb parameter.
>
> But be careful with such operations unsupported on MS-AD, they could break replication etc.

Hi Matthias,
   Yes, I desisted from doing this. I wanted to inject SIDs because I'm in
the transition of migrating from Samba3 to Samba4. I wanted to sync
Samba4 users created in Samba3, but I'm going to move the user CRUD to
Samba4 and I'll do the sync to Samba3. I don't like the idea of
touching the S4 DB.

Regards,
  Diego

>
> Regards,
> Matthias Wallnöfer
>
> Diego Woitasen <diego at woitasen.com.ar> wrote at 1:55 on Wednesday, 5 February 2014:
> Hi,
> I'm trying to modify the objectSid of a group using python-ldap. I've
> found that I need a server control to do it, but it doesn't work. The code
> that I'm using:
>
>         import ldap
>         from ldap.controls import LDAPControl
>
>         # s4ldap: LDAPObject already bound as domain administrator
>         # s4dn: DN of the group; s3sid_packed: the Samba3 SID in binary form
>         modlist = [ (ldap.MOD_REPLACE, 'objectSid', s3sid_packed) ]
>         LDB_CONTROL_PROVISION_OID = "1.3.6.1.4.1.7165.4.3.16"
>         LDB_CONTROL_RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"
>         controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0),
>                 LDAPControl(LDB_CONTROL_RELAX_OID, criticality=0) ]
>         s4ldap.modify_ext_s(s4dn, modlist, serverctrls=controls,
>             clientctrls=controls)
>
> I'm using the domain administrator to bind to the server.
>
> The error that I get:
>
> ldap.UNWILLING_TO_PERFORM: {'info': '00002035: samldb: objectSid must
> not be specified!', 'desc': 'Server is unwilling to perform'}
>
> Is there a way to do it? I know that it is not something to be done
> usually, but trust me, I need it :)
>
> Regards,
>   Diego
>
>



-- 
Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net
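The thread above turns on the binary `s3sid_packed` value and on SIDs from one domain being injected into another. As an added example, not code from the thread or from Samba, here is how a textual SID is packed into the binary layout AD stores in objectSid and unpacked again, plus a sanity check that a SID actually belongs to the intended domain SID before any local sam.ldb edit of the kind Matthias describes. The sample SIDs are constructed.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-1-5-21-...' into the binary objectSid layout:
    revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian uint32 sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    header = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated or over-long values."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = struct.unpack(">BB", raw[:2])
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def check_sid_for_domain(sid: str, domain_sid: str) -> int:
    """Return the RID if `sid` is an account SID of `domain_sid`; otherwise raise.
    A SID carried over from another domain (e.g. an old Samba3 domain SID) is refused."""
    # normalise both sides through the binary form so formatting differences do not matter
    sid = bytes_to_sid(sid_to_bytes(sid))
    domain_sid = bytes_to_sid(sid_to_bytes(domain_sid))
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} does not belong to domain {domain_sid}")
    rid_part = sid[len(domain_sid) + 1:]
    if "-" in rid_part:
        raise ValueError(f"{sid} is not a direct account SID of {domain_sid}")
    return int(rid_part)

if __name__ == "__main__":
    # constructed sample: a Samba3 group SID and the Samba4 domain SID it must match
    s3sid_packed = sid_to_bytes("S-1-5-21-1-2-3-1000")
    print(s3sid_packed.hex(), bytes_to_sid(s3sid_packed))
    print(check_sid_for_domain("S-1-5-21-1-2-3-1000", "S-1-5-21-1-2-3"))
```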


More information about the samba-technical mailing list