[Samba] LDAP permissions - ldbedit/ldapmodify?

[Jonathan Hunter]

On 5 Jan 2016 09:59, "Rowland penny" <rpenny at samba.org> wrote:
>
> On 04/01/16 23:26, Jonathan Hunter wrote:
>> However, "wbinfo -s S-1-5-21-000000000-1111111111-2222222222-1234" does
not
>> return "DOMAIN\mysecretou Managers" as it should - but rather
>> "DOMAIN\mysecretou Managers 2", which is not the name of the group and is
>> also not what shows up in ADUC. I wonder if this is actually the root of
my
>> problems.
>
> Probably not, if I get the sid for domain Admins and then turn it back
into the name, I get this:
[...]
> I tried it with Enterprise Admins and got similar results, a 2 tagged on
the end, this must be a wbinfo artifact.

Phew, thank you - so it's not just me :) I hadn't used wbinfo / winbind in
anger previously.

So I am more confused now. Lets assume the groups are OK I.e. MYDOM\mygroup
is the same as MYDOM\mygroup 2.

This group is one of the SIDs showing up in the security descriptor for the
errant object, and I am definitely a member of this group (my user object
shows it listed via 'Member Of' in ADUC).

However, I cannot view the group's members - probably related to the object
for the group itself actually being inside the errant OU with the strict
permissions (although I am definitely a member, as above)

I'll try to use ldbedit to grant myself permissions on the OU again .. Is
ldbedit safe to use:
- on a running Samba server (or do I need to stop samba)
- in a multi-DC environment (or do I need to run it and make the same
changes on each DC)
? :)

Ta

J