[Samba] LDAP permissions - ldbedit/ldapmodify?

Jonathan Hunter jmhunter1 at gmail.com
Mon Jan 4 22:34:44 UTC 2016

Thank you, Rowland!

On 4 January 2016 at 10:36, Rowland penny <rpenny at samba.org> wrote:

> On 04/01/16 01:43, Jonathan Hunter wrote:
>> I can view the data using ldbsearch when logged in as root on the DC
>> itself
>> - but how do I view the permissions and edit them from the commandline?
> They are stored in a hidden attribute called 'nTSecurityDescriptor' and if
> you want to see it, you will have to explicitly ask for it e.g.
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb -b
> OU=SUDOers,DC=samdom,DC=example,DC=com -s sub
> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> nTSecurityDescriptor

Perfect, thank you - I can now see this attribute. I also figured out that
by adding "--show-binary" to the end of the ldbsearch command I was
running, I could get a more user-readable version of the security

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b
ou=mysecretou,dc=mydomain,dc=org,dc=uk nTSecurityDescriptor --show-binary
# record 1
dn: ou=mysecretou,dc=mydomain,DC=ninja,DC=org,DC=uk
nTSecurityDescriptor:     NDR: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x9d17 (40215)
               1: SEC_DESC_OWNER_DEFAULTED
               1: SEC_DESC_GROUP_DEFAULTED
               1: SEC_DESC_DACL_PRESENT
               0: SEC_DESC_DACL_DEFAULTED

               0: SEC_DESC_RM_CONTROL_VALID
               1: SEC_DESC_SELF_RELATIVE
        owner_sid                : *
            owner_sid                :
        group_sid                : *
            group_sid                :
        sacl                     : *
            sacl: struct security_acl
                revision                 : SECURITY_ACL_REVISION_ADS (4)
                size                     : 0x0078 (120)
                num_aces                 : 0x00000002 (2)

I assume that it isn't safe to use ldbedit in a multi-DC environment,
though, particularly whilst Samba is running... but maybe I am
under-estimating its capabilities? From https://ldb.samba.org/ it is "Safe
multi-reader, multi-writer, using byte range locking"... but even if so,
what would tell Samba to replicate the change I just made to the other DCs?

It looks like I can use ldbedit with "-H ldap://localhost -P" - but via
this route, I can't view the nTSecurityDescriptor attribute (presumably
because I don't have permissions)

To make my change, then, would I have to shut down Samba on all DCs; make
the change with ldbedit independently on all DCs; then restart Samba? Or is
there another way of applying the change on multiple DCs, perhaps?

Many thanks :)


"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
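The NDR dump in the message above is Samba rendering the raw self-relative security descriptor stored in nTSecurityDescriptor. What follows is an added example, not code from the original post or from Samba: a small Python decoder for that binary format (MS-DTYP SECURITY_DESCRIPTOR, SID, ACL and ACE layouts) that yields the same fields ldbsearch --show-binary prints, including the control bits behind the "type: 0x9d17" line in the dump. The descriptor it parses is constructed inline; the domain SID, RIDs, access masks and ACEs are made-up sample values, not data from the poster's domain, and the flag names follow Samba's SEC_DESC_* constants.

```python
"""Decode a self-relative security descriptor (the raw bytes stored in
nTSecurityDescriptor) into the fields ldbsearch --show-binary prints.

Added example, not Samba code.  Layouts follow MS-DTYP: 2.4.6
SECURITY_DESCRIPTOR, 2.4.2 SID, 2.4.5 ACL, 2.4.4 ACE.  The sample
descriptor at the bottom is constructed here with made-up SIDs and ACEs.
"""
import struct

# Control bits, named as Samba's SEC_DESC_* constants (libcli/security).
SD_CONTROL = [
    (0x0001, "SEC_DESC_OWNER_DEFAULTED"), (0x0002, "SEC_DESC_GROUP_DEFAULTED"),
    (0x0004, "SEC_DESC_DACL_PRESENT"), (0x0008, "SEC_DESC_DACL_DEFAULTED"),
    (0x0010, "SEC_DESC_SACL_PRESENT"), (0x0020, "SEC_DESC_SACL_DEFAULTED"),
    (0x0040, "SEC_DESC_DACL_TRUSTED"), (0x0080, "SEC_DESC_SERVER_SECURITY"),
    (0x0100, "SEC_DESC_DACL_AUTO_INHERIT_REQ"), (0x0200, "SEC_DESC_SACL_AUTO_INHERIT_REQ"),
    (0x0400, "SEC_DESC_DACL_AUTO_INHERITED"), (0x0800, "SEC_DESC_SACL_AUTO_INHERITED"),
    (0x1000, "SEC_DESC_DACL_PROTECTED"), (0x2000, "SEC_DESC_SACL_PROTECTED"),
    (0x4000, "SEC_DESC_RM_CONTROL_VALID"), (0x8000, "SEC_DESC_SELF_RELATIVE"),
]
# Simple (non-object) ACE types: 4-byte header, 32-bit mask, then the trustee SID.
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}


def control_flags(control):
    """Names of the control bits set in the 'type' word (e.g. 0x9d17 in the dump)."""
    return [name for bit, name in SD_CONTROL if control & bit]


def parse_sid(blob, off):
    """Decode a binary SID at off; returns (S-1-... string, byte length)."""
    rev, count = blob[off], blob[off + 1]
    authority = int.from_bytes(blob[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, blob, off + 8)   # 32-bit, little-endian
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def parse_acl(blob, off):
    """Decode an ACL header and its ACEs, walking by each ACE's own AceSize."""
    rev, _sbz1, size, num_aces, _sbz2 = struct.unpack_from("<BBHHH", blob, off)
    aces, pos, end = [], off + 8, off + size
    for _ in range(num_aces):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE at %d runs past its ACL" % pos)   # malformed blob
        if ace_type in ACE_TYPES:
            mask = struct.unpack_from("<I", blob, pos + 4)[0]
            sid, _ = parse_sid(blob, pos + 8)
            aces.append({"type": ACE_TYPES[ace_type], "flags": flags, "mask": mask, "trustee": sid})
        else:
            # Object ACEs (types 5-7) put Flags and GUIDs before the SID; record the
            # type only and let AceSize skip the body rather than misread it.
            aces.append({"type": ace_type, "flags": flags, "mask": None, "trustee": None})
        pos += ace_size
    return {"revision": rev, "size": size, "num_aces": num_aces, "aces": aces}


def parse_sd(blob):
    """Decode a self-relative SECURITY_DESCRIPTOR into a dict mirroring the NDR dump."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & 0x8000:
        raise ValueError("not self-relative: the offsets are meaningless")
    return {
        "revision": rev, "type": control, "flags": control_flags(control),
        "owner_sid": parse_sid(blob, o_owner)[0] if o_owner else None,
        "group_sid": parse_sid(blob, o_group)[0] if o_group else None,
        # A NULL ACL (present bit set, offset 0) grants everyone everything; keep it None.
        "sacl": parse_acl(blob, o_sacl) if control & 0x0010 and o_sacl else None,
        "dacl": parse_acl(blob, o_dacl) if control & 0x0004 and o_dacl else None,
    }


# --- constructed sample input (made-up domain SID, RIDs and masks) ---------------
def build_sid(sid):
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, flags, mask, sid):
    body = struct.pack("<I", mask) + build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces, revision=4):          # 4 = SECURITY_ACL_REVISION_ADS
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


def build_sample_sd():
    admins, helpdesk = "S-1-5-21-1111-2222-3333-512", "S-1-5-21-1111-2222-3333-1105"
    owner = group = build_sid(admins)
    dacl = build_acl([build_ace(0, 0x00, 0x000F01FF, admins),      # allow full control
                      build_ace(1, 0x00, 0x00040000, helpdesk)])   # deny WRITE_DAC
    sacl = build_acl([build_ace(2, 0xC0, 0x00040000, "S-1-1-0")])  # audit WRITE_DAC, ok+fail
    control = 0x8000 | 0x0004 | 0x0010 | 0x0400 | 0x0800           # self-rel, DACL+SACL, auto-inh.
    offs = [20, 20 + len(owner), 20 + 2 * len(owner), 20 + 2 * len(owner) + len(sacl)]
    return struct.pack("<BBHIIII", 1, 0, control, *offs) + owner + group + sacl + dacl


if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_sd(build_sample_sd()))
```

To run it on a live value, take the base64 `nTSecurityDescriptor::` line from a plain ldbsearch (without --show-binary), base64-decode it and hand the bytes to parse_sd(). The control bits are worth reading before editing anything: SEC_DESC_DACL_PROTECTED means the DACL is blocking inheritance from the parent, and the AUTO_INHERITED bits tell you which ACEs were computed from the parent rather than set on the object itself.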

