ldap object access controls

Denis Cardon dcardon at tranquil.it
Fri May 4 12:26:47 UTC 2018

Hi William,

> I'm currently trying to understand the samba4/ad ldap object access
> control for search and how to manipulate these.
> Looking at various objects I can't seem to see where AD is storing the
> ACE entries, even though you can "edit" them via ADSI and the like.
> What attribute of the object are the ACE attributes stored in and how
> can I modify these via the ldap interface? Any documentation or
> references about this topic would be excellent,

I don't think it is advisable to directly edit the ntSecurityDescriptor 
attributes. If you don't mind using some python, you can get some 
inspiration from Andrew's mitigation script for CVE-2018-1057 mitigation 
[1]. I used it as a basis for implementing some ACL handling at clients 



[1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper

> Thank you!

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
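
An added example, not part of the original message and not taken from the Samba helper script: a read-only decoder for the binary value an LDAP search returns for nTSecurityDescriptor, which is a self-relative security descriptor whose DACL holds the ACEs. The sample descriptor is constructed here for illustration, and the function names are hypothetical.

```python
import struct
import uuid

ACE_TYPES = {0: "ALLOWED", 1: "DENIED", 5: "ALLOWED_OBJECT", 6: "DENIED_OBJECT"}

def parse_sid(buf, off):
    """Decode the binary SID starting at buf[off] into S-1-... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return [(type, mask, object_guid_or_None, sid)] from a self-relative SD."""
    rev, _, control, _, _, _, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:          # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or o_dacl == 0:       # SE_DACL_PRESENT
        return []
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
    aces, pos = [], o_dacl + 8                    # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_size < 8 or pos + ace_size > o_dacl + acl_size:
            raise ValueError("ACE size runs past the ACL")
        sid_off, guid = pos + 8, None
        if ace_type in (5, 6):                    # object ACE: flags, optional GUIDs, SID
            (obj_flags,) = struct.unpack_from("<I", sd, sid_off)
            sid_off += 4
            if obj_flags & 1:                     # ACE_OBJECT_TYPE_PRESENT
                guid = str(uuid.UUID(bytes_le=bytes(sd[sid_off:sid_off + 16])))
                sid_off += 16
            if obj_flags & 2:                     # ACE_INHERITED_OBJECT_TYPE_PRESENT
                sid_off += 16
        aces.append((ACE_TYPES.get(ace_type, ace_type), mask, guid, parse_sid(sd, sid_off)))
        pos += ace_size
    return aces

def build_sample():
    """Constructed descriptor (not from a real directory): owner plus a 2-ACE DACL."""
    sid = lambda *s: bytes([1, len(s)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(s), *s)
    ace = lambda t, body: struct.pack("<BBH", t, 0, 4 + len(body)) + body
    chpw = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b").bytes_le  # User-Change-Password
    a1 = ace(0, struct.pack("<I", 0x00020094) + sid(11))           # read for Authenticated Users
    a2 = ace(5, struct.pack("<II", 0x100, 1) + chpw + sid(10))     # control access for SELF
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(a1) + len(a2), 2, 0) + a1 + a2
    owner = sid(32, 544)                                           # BUILTIN\Administrators
    head = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner))
    return head + owner + dacl
```

`parse_dacl(build_sample())` returns the two constructed ACEs; on a live directory, pass it the raw bytes of the attribute as returned by your LDAP client.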
