[Samba] LDAP permissions - ldbedit/ldapmodify?

Jonathan Hunter jmhunter1 at gmail.com
Mon Jan 4 23:26:01 UTC 2016

The story gets deeper, also.. (nothing is ever easy, right? :-))

Using the ldbsearch command above, I could at least view the SIDs that have
access to the OU.

One of them should be a group called "mysecretou Managers"; I can see from
ADUC that my user is indeed still a member of this group (so far, so good).

However, "wbinfo -s S-1-5-21-000000000-1111111111-2222222222-1234" does not
return "DOMAIN\mysecretou Managers" as it should - but rather
"DOMAIN\mysecretou Managers 2", which is not the name of the group and is
also not what shows up in ADUC. I wonder if this is actually the root of my

After I removed a number of old records from idmap.ldb a few weeks back
(you helped me a lot with xidNumber details, thank you - separate thread
here entitled "idmap & migration to rfc2307"), I did spot that a few groups
started to be displayed in this manner on my DC, i.e. "DOMAIN\My Group 2"
rather than "DOMAIN\My Group" as would be shown on Windows, and so on.

So far I have simply ignored these, as on the Windows side everything
seemed to be working fine and it was yet another Samba weirdness that I
needed to track down and debug.. but perhaps these issues are indeed
related :(

I did edit idmap.ldb and remove a number of old entries with invalid
xidNumbers; but at the time I couldn't figure out where the "DOMAIN\My
Group 2" entries were coming from, so I just left them :(

On 4 January 2016 at 22:34, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> Thank you, Rowland!
> On 4 January 2016 at 10:36, Rowland penny <rpenny at samba.org> wrote:
>> On 04/01/16 01:43, Jonathan Hunter wrote:
>>> I can view the data using ldbsearch when logged in as root on the DC
>>> itself
>>> - but how do I view the permissions and edit them from the commandline?
>> They are stored in a hidden attribute called 'nTSecurityDescriptor' and
>> if you want to see it, you will have to explicitly ask for it e.g.
>> ldbedit -e nano -H /usr/local/samba/private/sam.ldb -b
>> OU=SUDOers,DC=samdom,DC=example,DC=com -s sub
>> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
>> nTSecurityDescriptor
> Perfect, thank you - I can now see this attribute. I also figured out that
> by adding "--show-binary" to the end of the ldbsearch command I was
> running, I could get a more user-readable version of the security
> descriptor:
> # ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b
> ou=mysecretou,dc=mydomain,dc=org,dc=uk nTSecurityDescriptor --show-binary
> # record 1
> dn: ou=mysecretou,dc=mydomain,DC=ninja,DC=org,DC=uk
> nTSecurityDescriptor:     NDR: struct security_descriptor
>         revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
>         type                     : 0x9d17 (40215)
>                1: SEC_DESC_OWNER_DEFAULTED
>                1: SEC_DESC_GROUP_DEFAULTED
>                1: SEC_DESC_DACL_PRESENT
>                0: SEC_DESC_DACL_DEFAULTED
> [...]
>                0: SEC_DESC_RM_CONTROL_VALID
>                1: SEC_DESC_SELF_RELATIVE
>         owner_sid                : *
>             owner_sid                :
> S-1-5-21-197107965-2004198405-1252158227-512
>         group_sid                : *
>             group_sid                :
> S-1-5-21-197107965-2004198405-1252158227-512
>         sacl                     : *
>             sacl: struct security_acl
>                 revision                 : SECURITY_ACL_REVISION_ADS (4)
>                 size                     : 0x0078 (120)
>                 num_aces                 : 0x00000002 (2)
> [...]
> I assume that it isn't safe to use ldbedit in a multi-DC environment,
> though, particularly whilst Samba is running.. but maybe I am
> under-estimating its capabilities? From https://ldb.samba.org/ it is
> "Safe multi-reader, multi-writer, using byte range locking".. but even if
> so, what would tell Samba to replicate the change I just made to the other
> DCs?
> It looks like I can use ldbedit with "-H ldap://localhost -P" - but via
> this route, I can't view the nTSecurityDescriptor attribute (presumably
> because I don't have permissions)
> To make my change, then, would I have to shut down Samba on all DCs; make
> the change with ldbedit independently on all DCs; then restart Samba? Or is
> there another way of applying the change on multiple DCs, perhaps?
> Many thanks :)
> Jonathan
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> --
> "If we knew what it was we were doing, it would not be called research,
> would it?"
>       - Albert Einstein

"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
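As an added example, not code from this thread or from Samba itself: a small Python script that takes the text produced by `ldbsearch ... nTSecurityDescriptor --show-binary` (as quoted above) and summarises owner, group and each ACE's trustee, resolving SIDs to names with `wbinfo -s` so that a "DOMAIN\\Group 2"-style oddity is visible next to the raw SID. The embedded sample dump is constructed, modelled on the quoted output; the ACE field names (`aces`, `type`, `access_mask`, `trustee`) are my assumption about the NDR text layout, and the resolver can be swapped for offline use.

```python
"""Summarise an ldbsearch --show-binary dump of nTSecurityDescriptor.

Example code for auditing which SIDs hold rights on an OU. The parser reads
the NDR text layout ldbsearch prints; SIDs are resolved with 'wbinfo -s',
which can be replaced by any callable (used by the offline test below).
"""
import re
import subprocess

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
KV_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")

# Constructed sample, modelled on the dump quoted in the thread (not real data).
SAMPLE_DUMP = """\
# record 1
dn: ou=mysecretou,dc=mydomain,dc=org,dc=uk
nTSecurityDescriptor:     NDR: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x9d17 (40215)
               1: SEC_DESC_OWNER_DEFAULTED
               1: SEC_DESC_DACL_PRESENT
        owner_sid                : *
            owner_sid                :
S-1-5-21-197107965-2004198405-1252158227-512
        group_sid                : *
            group_sid                :
S-1-5-21-197107965-2004198405-1252158227-512
        sacl                     : NULL
        dacl                     : *
            dacl: struct security_acl
                revision                 : SECURITY_ACL_REVISION_ADS (4)
                num_aces                 : 0x00000002 (2)
                aces: ARRAY(2)
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        access_mask              : 0x000f01ff (983551)
                        trustee                  : S-1-5-21-197107965-2004198405-1252158227-512
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        access_mask              : 0x00020094 (131220)
                        trustee                  : S-1-5-21-197107965-2004198405-1252158227-1234
"""


def parse_descriptor(text):
    """Parse the NDR text dump into owner/group SIDs and per-ACL ACE lists."""
    desc = {"owner_sid": None, "group_sid": None, "sacl": [], "dacl": []}
    section = None      # which ACL the ACEs currently being read belong to
    pending_key = None  # last key seen, for values wrapped onto the next line
    for raw in text.splitlines():
        line = raw.strip()
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            pending_key = key
        else:
            key, value = pending_key, line   # continuation of the previous field
        if key in ("sacl", "dacl"):
            section = key
        elif key == "aces" and value.startswith("struct"):
            desc[section].append({})        # start of a new ACE (assumed layout)
        elif key in ("owner_sid", "group_sid"):
            sid = SID_RE.search(value)
            if sid:
                desc[key] = sid.group(0)
        elif section and desc[section] and key in ("type", "access_mask", "trustee"):
            ace = desc[section][-1]
            sid = SID_RE.search(value)
            ace[key] = sid.group(0) if sid else value
    return desc


def resolve_sid(sid):
    """Resolve a SID with 'wbinfo -s'; fall back to the raw SID on failure."""
    try:
        out = subprocess.run(["wbinfo", "-s", sid], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return sid
    # wbinfo prints "DOMAIN\name <type>"; drop the trailing SID-type number.
    return out.strip().rsplit(" ", 1)[0] or sid


def summarize(text, resolve=resolve_sid):
    """Return human-readable lines: owner, group, then one line per ACE."""
    desc = parse_descriptor(text)
    lines = []
    for field in ("owner_sid", "group_sid"):
        sid = desc[field]
        name = resolve(sid) if sid else "(none)"
        lines.append("%s: %s (%s)" % (field.split("_")[0], name, sid))
    for acl in ("sacl", "dacl"):
        for ace in desc[acl]:
            trustee = ace.get("trustee")
            name = resolve(trustee) if trustee else "(none)"
            lines.append("%s %s %s -> %s (%s)" % (
                acl, ace.get("type"), ace.get("access_mask"), name, trustee))
    return lines


if __name__ == "__main__":
    # Pipe real output in: ldbsearch -H ... nTSecurityDescriptor --show-binary | python3 this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(summarize(data)))
```

Run it on a DC with winbind available to get names beside SIDs; if a trustee resolves to a name that does not match what ADUC shows (as with the "Managers 2" case above), the raw SID in the same line is the value to compare against `idmap.ldb` and the group object's `objectSid`.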
