[Samba] Samba4 and the nTSecurityDescriptor attribute

Rowland Penny rowlandpenny at googlemail.com
Mon Jul 21 07:22:37 MDT 2014


I upgraded the samba4 schema with the sudo AD schema, added the required
sudo LDIFs including the OU:

dn: OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
showInAdvancedViewOnly: TRUE

I then tried to get sssd to pull the sudo rules from AD, without
success. After posting over on the sssd list, it became apparent that
'Domain Computers' seemingly did not have the right to read the SUDOers
OU. Further investigation proved that this was not entirely correct:
'Domain Computers' could read the OU, it just wasn't allowed to read
anything in the OU, i.e. the sudo rules!

This brings me to the purpose of this post: does anybody know how to
change the 'nTSecurityDescriptor' attribute of an OU with Linux tools?
Can I just read the attribute, change it with sed and then write it
back, or do I need to make the required change with 'samba-tool dsacl set',
and if so, how? Or is there some better way that I haven't thought of?

All I need to do is change '(A;;RPLCRC;;;DC)' to '(A;CI;RPLCRC;;;DC)'
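Added example (not from the post, Samba or sssd): a small Python helper that parses the ACEs of an SDDL string and adds the CI (container inherit) flag only to the ACE granted to the chosen trustee, which is what the change above does. The point it illustrates is why the ACE without CI applies to the OU object alone and not to the sudo rules beneath it, and why a targeted edit is safer than a blind sed replace: it skips ACEs that already carry the flag and leaves any ACE it does not understand untouched. The SAMPLE_SDDL value is constructed for the demonstration, not read from a real domain.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
# Flags and rights are two-letter tokens. Without CI (container inherit) an ACE
# set on an OU covers the OU object only, not the objects stored beneath it.
ACE_RE = re.compile(r"\(([^()]*)\)")
FLAG_NAMES = {"CI": "container inherit", "OI": "object inherit",
              "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}

def split_tokens(field):
    """Split an SDDL flags or rights field into its two-character tokens."""
    if len(field) % 2:
        raise ValueError(f"odd-length SDDL token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def explain_flags(flags):
    """Describe an ACE flags field; an empty field means 'this object only'."""
    return [FLAG_NAMES.get(t, t) for t in split_tokens(flags)] or ["this object only"]

def add_ace_flag(sddl, trustee, flag="CI", rights=None):
    """Add `flag` to every ACE granted to `trustee` (optionally only ACEs whose
    rights field equals `rights`). Returns (new_sddl, number_of_aces_changed).
    Idempotent: an ACE already carrying the flag is left alone, and anything
    that is not a plain six-field ACE is passed through unchanged."""
    changed = 0

    def fix(match):
        nonlocal changed
        fields = match.group(1).split(";")
        if len(fields) != 6:
            return match.group(0)
        ace_type, flags, ace_rights, obj, iobj, sid = fields
        tokens = split_tokens(flags)
        if sid != trustee or (rights is not None and ace_rights != rights) or flag in tokens:
            return match.group(0)
        tokens.append(flag)
        changed += 1
        return "(" + ";".join([ace_type, "".join(tokens), ace_rights, obj, iobj, sid]) + ")"

    return ACE_RE.sub(fix, sddl), changed

# Constructed sample descriptor: the Domain Computers (DC) ACE has no
# inheritance flags, which matches the symptom described in the post.
SAMPLE_SDDL = "O:DAG:DAD:AI(A;;RPLCRC;;;DC)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"

if __name__ == "__main__":
    new_sddl, n = add_ace_flag(SAMPLE_SDDL, "DC", "CI", rights="RPLCRC")
    print(n, "ACE(s) changed ->", new_sddl)
```

Running the helper a second time over its own output reports zero changes, which is the check a sed one-liner does not give you.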

