[Samba] LDAP permissions - ldbedit/ldapmodify?
Rowland Penny
rpenny at samba.org
Tue Jan 5 21:53:06 UTC 2016
On 05/01/16 21:24, Jonathan Hunter wrote:
> On 5 January 2016 at 15:02, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
>> I'll try to use ldbedit to grant myself permissions on the OU again .. Is
>> ldbedit safe to use:
>>
>> - on a running Samba server (or do I need to stop samba)
>> - in a multi-DC environment (or do I need to run it and make the same
>> changes on each DC)
>>
> Answering my own question here... it would appear not:
> http://www.spinics.net/lists/samba/msg113387.html
>
> So, I'm now not certain what the "correct" way to fix this is.
>
> I don't think I can use ldapmodify, as none of the users (me!) who should
> have access via LDAP actually do have access, so the AD side of things
> would just reject the modify request. I did deliberately remove the
> Administrators groups so that only my user group would have access.
>
> And I don't think I can use ldbedit, as I may screw up indexes (perhaps
> not, in the ntSecurityDescriptor edit case) and the changes wouldn't
> replicate.. unless I perhaps use ldbedit on one DC to grant the permissions
> back to myself, then use ADUC pointed at that DC to change the OU entry,
> which should trigger a replication of the current entry across to other
> DCs....
>
> I guess there may be no other way, though..?
>
>
I think if you carefully read the link that you posted, Andrew said
don't edit the files in sam.ldb.d directly. As far as I am aware, you
can edit the sam.ldb file; in fact, when I was trying out sssd with sudo
some time ago (before I got winbind to work for me), I manually edited an
nTSecurityDescriptor attribute.
Whilst it worked for me, try at your own risk in a test environment.
Rowland