[Samba] LDAP permissions - ldbedit/ldapmodify?

Rowland penny rpenny at samba.org
Tue Jan 5 21:53:06 UTC 2016

On 05/01/16 21:24, Jonathan Hunter wrote:
> On 5 January 2016 at 15:02, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>> I'll try to use ldbedit to grant myself permissions on the OU again .. Is
>> ldbedit safe to use:
>> - on a running Samba server (or do I need to stop samba)
>> - in a multi-DC environment (or do I need to run it and make the same
>> changes on each DC)
> Answering my own question here... it would appear not:
> http://www.spinics.net/lists/samba/msg113387.html
> So, I'm now not certain what the "correct" way to fix this is.
> I don't think I can use ldapmodify, as none of the users (me!) who should
> have access via LDAP actually do have access, so the AD side of things
> would just reject the modify request. I did deliberately remove the
> Administrators groups so that only my user group would have access.
> And I don't think I can use ldbedit, as I may screw up indexes (perhaps
> not, in the ntSecurityDescriptor edit case) and the changes wouldn't
> replicate.. unless I perhaps use ldbedit on one DC to grant the permissions
> back to myself, then use ADUC pointed at that DC to change the OU entry,
> which should trigger a replication of the current entry across to other
> DCs....
> I guess there may be no other way, though..?

I think if you carefully read the link that you posted, Andrew said 
don't edit the files in sam.ldb.d directly. As far as I am aware, you 
can edit the sam.ldb file, in fact when I was trying out sssd with sudo 
sometime ago (before I got winbind to work for me), I manually edited an 
nTSecurityDescriptor attribute.

Whilst it worked for me, try at your own risk in a test environment.


More information about the samba mailing list