[Samba] LDAP permissions - ldbedit/ldapmodify?

Jonathan Hunter jmhunter1 at gmail.com
Tue Jan 5 21:24:21 UTC 2016

On 5 January 2016 at 15:02, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> I'll try to use ldbedit to grant myself permissions on the OU again .. Is
> ldbedit safe to use:
> - on a running Samba server (or do I need to stop samba)
> - in a multi-DC environment (or do I need to run it and make the same
> changes on each DC)

Answering my own question here... it would appear not:

So, I'm now not certain what the "correct" way to fix this is.

I don't think I can use ldapmodify, as none of the users (me!) who should
have access via LDAP actually do have access, so the AD side of things
would just reject the modify request. I did deliberately remove the
Administrators groups so that only my user group would have access.

And I don't think I can use ldbedit, as I may screw up indexes (perhaps
not, in the ntSecurityDescriptor edit case) and the changes wouldn't
replicate.. unless I perhaps use ldbedit on one DC to grant the permissions
back to myself, then use ADUC pointed at that DC to change the OU entry,
which should trigger a replication of the current entry across to other

I guess there may be no other way, though..?

"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
