[Samba] LDAP permissions - ldbedit/ldapmodify?

Rowland Penny rpenny at samba.org
Tue Jan 5 09:54:52 UTC 2016


On 04/01/16 23:26, Jonathan Hunter wrote:
> The story gets deeper, also.. (nothing is ever easy, right? :-))
>
> Using the ldbsearch command above, I could at least view the SIDs that have
> access to the OU.
>
> One of them should be a group called "mysecretou Managers"; I can see from
> ADUC that my user is indeed still a member of this group (so far, so good).
>
> However, "wbinfo -s S-1-5-21-000000000-1111111111-2222222222-1234" does not
> return "DOMAIN\mysecretou Managers" as it should - but rather
> "DOMAIN\mysecretou Managers 2", which is not the name of the group and is
> also not what shows up in ADUC. I wonder if this is actually the root of my
> problems.

Probably not. If I get the SID for Domain Admins and then turn it back
into the name, I get this:

root@dc1:~# wbinfo -n Domain\ Admins
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512 SID_DOM_GROUP (2)
root@dc1:~# wbinfo -s S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-512
SAMDOM\Domain Admins 2

I tried it with Enterprise Admins and got similar results, a 2 tagged on
the end; this must be a wbinfo artifact.

Rowland
