[Samba] LDAP permissions - ldbedit/ldapmodify?
Jonathan Hunter
jmhunter1 at gmail.com
Mon Jan 4 01:43:04 UTC 2016
Hi,
A while ago I successfully set permissions on a section of my LDAP / AD
tree, using either ADUC or ADSIEDIT (I forget which). These permissions
allowed my own user to access this section of the tree; I removed
permissions for 'Domain Admins' etc. to ensure that others would not be
able to view or change the data - this has worked great for many months.
I have just tried to add a new entry to this section of the tree, but I
appear to have locked myself out somehow. I don't know if this is because I
recently made some idmap changes and therefore my UID has changed, or for
some other reason - so I am asking on here to find out where the LDAP
permissions are stored. Hopefully I can reset the permissions and regain
access.
I can view the data using ldbsearch when logged in as root on the DC itself
- but how do I view the permissions and edit them from the commandline? The
data is all present and correct:
mydc1# ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b
ou=mysecretou,dc=mydomain,dc=org,dc=uk
[...]
# returned 127 records
# 127 entries
# 0 referrals
Even logging in as MYDOMAIN\Administrator I can't view or change the
permissions of ou=mysecretou using ADUC/ADSIEdit (This is exactly as I
originally set it). So, how can I change the permissions from the
commandline? Do I use ldbedit on a with different parameters, or on a
separate ldb file? Is there a "ldapmodify" command I can run - this would
presumably work better, as any changes would then be replicated to other
DCs as well.
Thanks!
Jonathan
--
"If we knew what it was we were doing, it would not be called research,
would it?"
- Albert Einstein
More information about the samba
mailing list