[Samba] How to change objectSid?
Andrew Bartlett
abartlet at samba.org
Tue Feb 4 18:06:51 MST 2014
On Tue, 2014-02-04 at 20:50 -0300, Diego Woitasen wrote:
> Hi,
> I'm trying to modify the objectSid of a group using python-ldap. I've
> found that I need a server control to do it but doesn't work. The code
> that I'm using:
>
> modlist = [ (ldap.MOD_REPLACE, 'objectSid', s3sid_packed) ]
> LDB_CONTROL_PROVISION_OID = "1.3.6.1.4.1.7165.4.3.16"
> LDB_CONTROL_RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"
> controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0),
> LDAPControl(LDB_CONTROL_RELAX_OID, criticality=0) ]
> s4ldap.modify_ext_s(s4dn, modlist, serverctrls=controls,
> clientctrls=controls)
>
> I'm using the domain administrator to bind to the server.
>
> The error that I get:
>
> ldap.UNWILLING_TO_PERFORM: {'info': '00002035: samldb: objectSid must
> not be specified!', 'desc': 'Server is unwilling to perform'}
>
> Is there a way to do it? I know that it is not something to be done
> usually, but trust me, I need it :)
You can't do this over LDAP, you would have to use our ldb bindings and
do it directly on the sam.ldb. We don't allow these controls over the
LDAP connection, because of the dangerous things they can do.
You must also ensure you have adjusted your RID allocation pools to
ensure this RID is never allocated by Samba.
Finally, if you could detail a little more than 'trust me', I might be
able to help you find a different way to solve the problem, or at least
understand how we could help our users better deal with these kinds of
difficult situations.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list