[Samba] LDAP permissions - ldbedit/ldapmodify?

Rowland penny rpenny at samba.org
Tue Jan 5 09:54:52 UTC 2016

On 04/01/16 23:26, Jonathan Hunter wrote:
> The story gets deeper, also.. (nothing is ever easy, right? :-))
> Using the ldbsearch command above, I could at least view the SIDs that have
> access to the OU.
> One of them should be a group called "mysecretou Managers"; I can see from
> ADUC that my user is indeed still a member of this group (so far, so good).
> However, "wbinfo -s S-1-5-21-000000000-1111111111-2222222222-1234" does not
> return "DOMAIN\mysecretou Managers" as it should - but rather
> "DOMAIN\mysecretou Managers 2", which is not the name of the group and is
> also not what shows up in ADUC. I wonder if this is actually the root of my
> problems.

Probably not, if I get the sid for domain Admins and then turn it back 
into the name, I get this:

root at dc1:~# wbinfo -n Domain\ Admins
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512 SID_DOM_GROUP (2)
root at dc1:~# wbinfo -s S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
SAMDOM\Domain Admins 2

I tried it with Enterprise Admins and got similar results, a 2 tagged on 
the end, this must be a wbinfo artifact.


More information about the samba mailing list