[Samba] LDAP permissions - ldbedit/ldapmodify?
jmhunter1 at gmail.com
Mon Jan 4 22:34:44 UTC 2016
Thank you, Rowland!
On 4 January 2016 at 10:36, Rowland penny <rpenny at samba.org> wrote:
> On 04/01/16 01:43, Jonathan Hunter wrote:
>> I can view the data using ldbsearch when logged in as root on the DC
>> - but how do I view the permissions and edit them from the commandline?
> They are stored in a hidden attribute called 'nTSecurityDescriptor' and if
> you want to see it, you will have to explicitly ask for it e.g.
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb -b
> OU=SUDOers,DC=samdom,DC=example,DC=com -s sub
Perfect, thank you - I can now see this attribute. I also figured out that
by adding "--show-binary" to the end of the ldbsearch command I was
running, I could get a more user-readable version of the security
# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b
ou=mysecretou,dc=mydomain,dc=org,dc=uk nTSecurityDescriptor --show-binary
# record 1
nTSecurityDescriptor: NDR: struct security_descriptor
    revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
    type                     : 0x9d17 (40215)
    owner_sid                : *
    group_sid                : *
    sacl                     : *
        sacl: struct security_acl
            revision                 : SECURITY_ACL_REVISION_ADS (4)
            size                     : 0x0078 (120)
            num_aces                 : 0x00000002 (2)
I assume that it isn't safe to use ldbedit in a multi-DC environment,
though, particularly whilst Samba is running... but maybe I am
underestimating its capabilities? From https://ldb.samba.org/ it is "Safe
multi-reader, multi-writer, using byte range locking"... but even if so,
what would tell Samba to replicate the change I just made to the other DCs?
It looks like I can use ldbedit with "-H ldap://localhost -P" - but via
this route, I can't view the nTSecurityDescriptor attribute (presumably
because I don't have permissions).
To make my change, then, would I have to shut down Samba on all DCs; make
the change with ldbedit independently on all DCs; then restart Samba? Or is
there another way of applying the change on multiple DCs, perhaps?
Many thanks :)
"If we knew what it was we were doing, it would not be called research,
- Albert Einstein
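The "type : 0x9d17" line in the ldbsearch output above is the 16-bit control word of the security descriptor, and reading it tells you, before touching any ACE, whether the DACL is protected from inheritance and whether a SACL is present at all. The following Python is an added example, not code from the thread or from Samba: it decodes that control word per MS-DTYP 2.4.6 and parses the header of a self-relative SECURITY_DESCRIPTOR, the owner/group SIDs (MS-DTYP 2.4.2) and the ACL headers (MS-DTYP 2.4.5). The 0x9d17 value is the one printed in the post; the SID (a made-up domain's RID 512 group) and the empty ACLs are constructed so the block runs offline, and the builder functions exist only to produce that sample blob.

```python
import struct

# Control flags of a SECURITY_DESCRIPTOR (MS-DTYP 2.4.6). Samba's NDR printer
# shows this word as "type" in the ldbsearch --show-binary output.
SD_CONTROL_FLAGS = {
    0x0001: "SE_OWNER_DEFAULTED",
    0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",
    0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",
    0x0020: "SE_SACL_DEFAULTED",
    0x0040: "SE_DACL_TRUSTED",
    0x0080: "SE_SERVER_SECURITY",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",
    0x2000: "SE_SACL_PROTECTED",
    0x4000: "SE_RM_CONTROL_VALID",
    0x8000: "SE_SELF_RELATIVE",
}


def decode_control(control):
    """Return the names of the flag bits set in a control word, lowest bit first."""
    return [name for bit, name in sorted(SD_CONTROL_FLAGS.items()) if control & bit]


def parse_sid(buf, offset):
    """Parse a binary SID at offset and return its S-1-... string form."""
    revision, sub_count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_acl_header(buf, offset):
    """Parse the 8-byte ACL header: revision, total size and ACE count."""
    revision, _sbz1, size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, offset)
    return {"revision": revision, "size": size, "num_aces": ace_count}


def parse_self_relative_sd(buf):
    """Parse the 20-byte header of a self-relative security descriptor and
    resolve the owner, group, SACL and DACL that its offsets point at."""
    revision, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not control & 0x8000:
        raise ValueError("descriptor is not self-relative; offsets are meaningless")
    sd = {"revision": revision, "control": control, "flags": decode_control(control)}
    sd["owner_sid"] = parse_sid(buf, off_owner) if off_owner else None
    sd["group_sid"] = parse_sid(buf, off_group) if off_group else None
    # An ACL is only there if its PRESENT flag is set and the offset is non-zero;
    # PRESENT with a zero offset is a NULL ACL, which is not the same as absent.
    sd["sacl"] = parse_acl_header(buf, off_sacl) if (control & 0x0010 and off_sacl) else None
    sd["dacl"] = parse_acl_header(buf, off_dacl) if (control & 0x0004 and off_dacl) else None
    return sd


# --- constructed sample input (not data from the thread) -------------------

def build_sid(revision, authority, subs):
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_empty_acl(revision):
    # Header only: size 8, zero ACEs.
    return struct.pack("<BBHHH", revision, 0, 8, 0, 0)


# Made-up domain S-1-5-21-1-2-3, RID 512 (the well-known Domain Admins RID).
SAMPLE_SID = build_sid(1, 5, [21, 1, 2, 3, 512])


def build_sample_sd(control=0x9d17):
    """Assemble a self-relative descriptor; the default control word is the
    value printed in the post, the SIDs and empty ACLs are constructed."""
    owner, group = SAMPLE_SID, SAMPLE_SID
    sacl, dacl = build_empty_acl(4), build_empty_acl(4)   # revision 4 = ADS
    off_owner = 20
    off_group = off_owner + len(owner)
    off_sacl = off_group + len(group)
    off_dacl = off_sacl + len(sacl)
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, off_sacl, off_dacl)
    return header + owner + group + sacl + dacl


if __name__ == "__main__":
    for name in decode_control(0x9d17):
        print(name)
    print(parse_self_relative_sd(build_sample_sd()))
```

Run as-is, the block lists the nine flags behind 0x9d17 (among them SE_DACL_PROTECTED, i.e. inheritance from the parent OU is blocked, and SE_SACL_PRESENT, so auditing entries exist) and then prints the parsed sample descriptor. Feeding it the raw attribute value from ldbsearch (without --show-binary) instead of the constructed blob is a matter of base64-decoding that value first.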