[Samba] LDAP permissions - ldbedit/ldapmodify?

Jonathan Hunter jmhunter1 at gmail.com
Mon Jan 4 01:43:04 UTC 2016


A while ago I successfully set permissions on a section of my LDAP / AD
tree, using either ADUC or ADSIEDIT (I forget which). These permissions
allowed my own user to access this section of the tree; I removed
permissions for 'Domain Admins' etc. to ensure that others would not be
able to view or change the data - this has worked great for many months.

I have just tried to add a new entry to this section of the tree, but I
appear to have locked myself out somehow. I don't know if this is because I
recently made some idmap changes and therefore my UID has changed, or for
some other reason - so I am asking on here to find out where the LDAP
permissions are stored. Hopefully I can reset the permissions and regain

I can view the data using ldbsearch when logged in as root on the DC itself
- but how do I view the permissions and edit them from the commandline? The
data is all present and correct:

mydc1# ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b
# returned 127 records
# 127 entries
# 0 referrals

Even logging in as MYDOMAIN\Administrator I can't view or change the
permissions of ou=mysecretou using ADUC/ADSIEdit (This is exactly as I
originally set it). So, how can I change the permissions from the
commandline? Do I use ldbedit with different parameters, or on a
separate ldb file? Is there a "ldapmodify" command I can run - this would
presumably work better, as any changes would then be replicated to other
DCs as well.



"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
