[Samba] LDAP permissions - ldbedit/ldapmodify?

Rowland penny rpenny at samba.org
Mon Jan 4 10:36:26 UTC 2016


On 04/01/16 01:43, Jonathan Hunter wrote:
> Hi,
>
> A while ago I successfully set permissions on a section of my LDAP / AD
> tree, using either ADUC or ADSIEDIT (I forget which). These permissions
> allowed my own user to access this section of the tree; I removed
> permissions for 'Domain Admins' etc. to ensure that others would not be
> able to view or change the data - this has worked great for many months.
>
> I have just tried to add a new entry to this section of the tree, but I
> appear to have locked myself out somehow. I don't know if this is because I
> recently made some idmap changes and therefore my UID has changed, or for
> some other reason - so I am asking on here to find out where the LDAP
> permissions are stored. Hopefully I can reset the permissions and regain
> access.
>
> I can view the data using ldbsearch when logged in as root on the DC itself
> - but how do I view the permissions and edit them from the commandline? The
> data is all present and correct:
>
> mydc1# ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b
> ou=mysecretou,dc=mydomain,dc=org,dc=uk
> [...]
> # returned 127 records
> # 127 entries
> # 0 referrals
>
> Even logging in as MYDOMAIN\Administrator I can't view or change the
> permissions of ou=mysecretou using ADUC/ADSIEdit (This is exactly as I
> originally set it). So, how can I change the permissions from the
> commandline? Do I use ldbedit with different parameters, or on a
> separate ldb file? Is there a "ldapmodify" command I can run - this would
> presumably work better, as any changes would then be replicated to other
> DCs as well.
>
> Thanks!
>
> Jonathan
>

They are stored in a hidden attribute called 'nTSecurityDescriptor' and 
if you want to see it, you will have to explicitly ask for it e.g.

ldbedit -e nano -H /usr/local/samba/private/sam.ldb \
  -b OU=SUDOers,DC=samdom,DC=example,DC=com -s sub \
  "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))" \
  nTSecurityDescriptor

Which will return something like this:

# editing 1 records
# record 1
dn: OU=SUDOers,DC=samdom,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI(A;CI;RPLCRC;;;DU)(A;;RPWPCRCCDCLCLORCWOWDSD
  DTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a2
  85-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;C
  CDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a28
  5-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;RPLCLORC;;;ED)(OA;;CCDC;4828cc14-143
  7-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e05
  29;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a
  768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f2020
  10-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CI
  IOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa0030
  49e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc
  -9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf96
  7aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c
  04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2
  -11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP
  ;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU
  )(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-0
  0aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0d
  e6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f6
  08;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-8
  54e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;
  ;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-1
  1d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003
  049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPW
  PCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;
  ;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
  -a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf96
  7aa5-0de6-11d0-a285-00aa003049e2;WD)

For a start on what the above means, see here:

http://www.netid.washington.edu/documentation/domains/sddl.aspx

Rowland
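As an added example (not code from this thread or from Samba), the following Python script decodes a descriptor in the form ldbedit or ldbsearch prints it: it first unfolds the LDIF continuation lines, then splits the SDDL into owner, group, DACL and SACL and breaks every ACE into its type, flags, rights, object GUIDs and trustee. The embedded sample is a constructed, shortened excerpt of the descriptor shown above, and the right and trustee tables cover only the codes that appear in it; any other value is passed through unchanged.

```python
"""Decode the SDDL in an nTSecurityDescriptor value printed by ldbedit/ldbsearch.

Added example, not code from this thread or from Samba: it unfolds the LDIF
continuation lines, splits the SDDL into owner/group/DACL/SACL and breaks each
ACE into type, flags, rights, object GUIDs and trustee, so you can see who is
allowed to read or change the OU before touching the attribute.
"""
import re
import sys

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "ACCESS_ALLOWED_OBJECT",
             "OD": "ACCESS_DENIED_OBJECT", "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS",
             "FA": "FAILED_ACCESS"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "RP": "READ_PROP", "WP": "WRITE_PROP",
          "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN",
          "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE", "CR": "CONTROL_ACCESS"}
# Well-known trustee aliases; anything else (e.g. a literal S-1-5-21-... SID) is kept as-is.
TRUSTEES = {"AO": "Account Operators", "AU": "Authenticated Users", "BA": "Builtin Administrators",
            "DA": "Domain Admins", "DU": "Domain Users", "EA": "Enterprise Admins",
            "ED": "Enterprise Domain Controllers", "PO": "Printer Operators",
            "PS": "Principal Self", "RU": "Pre-Windows 2000 Compatible Access",
            "SY": "Local System", "WD": "Everyone"}

# Constructed sample: a shortened excerpt of the descriptor shown in the thread,
# folded the way LDIF output folds long values (continuation lines start with a space).
SAMPLE_LDIF = """\
dn: OU=SUDOers,DC=samdom,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI(A;CI;RPLCRC;;;DU)(A;;RPWPCRCCDCLCLORCWOWDSD
 DTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a2
 85-00aa003049e2;;AO)(A;;RPLCLORC;;;AU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-0
 0aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(A;CIID;RPWPCRCCDCLCLORCW
 OWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe
 -9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def descriptor_from_ldif(text):
    """Return the SDDL string of the first nTSecurityDescriptor attribute found."""
    for line in unfold_ldif(text):
        if line.startswith("nTSecurityDescriptor: "):
            return line.split(": ", 1)[1].strip()
    raise ValueError("no nTSecurityDescriptor attribute in input")


def pairs(codes):
    """Split a run of two-letter SDDL codes ('RPLCRC') into ['RP', 'LC', 'RC']."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]


def parse_ace(body):
    """Parse 'type;flags;rights;object_guid;inherit_object_guid;trustee'."""
    ace_type, flags, rights, obj, inh_obj, trustee = body.split(";")[:6]
    codes = [] if rights.startswith("0x") else pairs(rights)   # 0x... is a raw access mask
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "right_codes": codes,
            "rights": [RIGHTS.get(c, c) for c in codes] if codes else [rights],
            "object_type": obj or None,
            "inherited_object_type": inh_obj or None,
            "trustee": trustee,
            "trustee_name": TRUSTEES.get(trustee, trustee)}


def parse_acl(text):
    """Parse 'flags(ace)(ace)...' into ACL flags and a list of ACEs."""
    head = text.split("(", 1)[0]
    flags, i = [], 0
    while i < len(head):            # 'P' is one letter, 'AR'/'AI' are two
        tok = "P" if head[i] == "P" else head[i:i + 2]
        flags.append(ACL_FLAGS.get(tok, tok))
        i += len(tok)
    return {"flags": flags, "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", text)]}


def parse_sddl(sddl):
    """Split on the top-level O:/G:/D:/S: markers; no other colons occur in SDDL."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl": parse_acl(parts["D"]) if "D" in parts else None,
            "sacl": parse_acl(parts["S"]) if "S" in parts else None}


def trustees_with_right(sd, code):
    """Trustees granted a right code by an allow ACE in the DACL (e.g. WD = WRITE_DAC)."""
    hits = []
    for ace in sd["dacl"]["aces"]:
        if ace["type"].startswith("ACCESS_ALLOWED") and code in ace["right_codes"]:
            if ace["trustee"] not in hits:
                hits.append(ace["trustee"])
    return hits


if __name__ == "__main__":
    # Usage: python sddl_decode.py [ldbsearch-output.ldif]; defaults to the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sd = parse_sddl(descriptor_from_ldif(text))
    print("owner:", sd["owner"], " group:", sd["group"], " dacl flags:", sd["dacl"]["flags"])
    for ace in sd["dacl"]["aces"]:
        print(f"{ace['type']:<22} {ace['trustee_name']:<34} {' '.join(ace['flags']):<38} "
              f"{' '.join(ace['rights'])}")
    print("can change the DACL (WRITE_DAC):", trustees_with_right(sd, "WD"))
```

To run it against a live OU, save the output of the ldbsearch form of the command above (same -H, -b and -s arguments, with nTSecurityDescriptor as the requested attribute) to a file and pass that file as the argument; trustees_with_right(sd, "WD") then lists who is still allowed to change the DACL, which is the first thing to check when you appear to have locked yourself out. Note that "WD" is a right code (WRITE_DAC) in the rights field but the alias for Everyone in the trustee field; the two namespaces are separate, and the script keeps them apart.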
