[Samba] samba4 auth (ldap) strange problem

Rowland Penny rpenny at samba.org
Fri Apr 20 10:54:13 UTC 2018


On Fri, 20 Apr 2018 12:36:37 +0200
"Dr. Peer-Joachim Koch via samba" <samba at lists.samba.org> wrote:

> On 20.04.2018 11:26, Rowland Penny via samba wrote:
> > Probably, but wouldn't it be easier to just dump the AD object of a
> > user that works and the AD object of one that doesn't and then
> > compare them ?
> How can I compare it ?
> ldapsearch for both accounts does not show any differences (for
> me) ...

This is where it gets difficult ;-)
There are attributes that don't get displayed by default;
'nTSecurityDescriptor' is one of them. It contains the ACEs that
allow or deny access to the object; perhaps this is what has changed.
To see this, you have to ask for it by adding 'nTSecurityDescriptor' at
the end of the ldapsearch.

See here for a list of user attributes:

http://www.kouti.com/tables/userattributes.htm

Rowland
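
The comparison suggested above, as an added example that is not part of the original message: it parses two ldapsearch LDIF dumps (unfolding wrapped lines and decoding base64 values such as 'nTSecurityDescriptor') and reports only the attributes that differ. It assumes each dump was saved as LDIF text; the function names, the ignore list and the sample entries are constructed for illustration.

```python
import base64

# Attributes expected to differ between any two users (assumed ignore list).
IGNORE = {"dn", "cn", "name", "samaccountname", "userprincipalname",
          "distinguishedname", "objectguid", "objectsid"}

def parse_entry(ldif):
    """Return the first LDIF entry as {lowercased attr: set of byte values}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped LDIF line
        else:
            lines.append(raw)
    entry = None
    for line in lines:
        if not line.strip():
            if entry is not None:
                break                     # blank line ends the entry
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue                      # comment or non-attribute line
        name = name.lower()
        if entry is None:
            if name != "dn":
                continue                  # skip preamble such as "version: 1"
            entry = {}
        if rest.startswith(":"):          # "attr:: value" is base64 (binary)
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        entry.setdefault(name, set()).add(value)
    return entry or {}

def diff_entries(good, bad, ignore=IGNORE):
    """Return {attr: (only_in_good, only_in_bad)} for attributes that differ."""
    out = {}
    for attr in sorted((set(good) | set(bad)) - ignore):
        g, b = good.get(attr, set()), bad.get(attr, set())
        if g != b:
            out[attr] = (sorted(g - b), sorted(b - g))
    return out

# Constructed sample dumps; the descriptor bytes are placeholders, not real ACLs.
GOOD = "dn: CN=good,CN=Users,DC=example,DC=com\nuserAccountControl: 512\nnTSecurityDescriptor:: AQAE\n gA==\n"
BAD = "dn: CN=bad,CN=Users,DC=example,DC=com\nuserAccountControl: 512\nnTSecurityDescriptor:: AQAEhA==\n"

if __name__ == "__main__":
    for attr, (g, b) in diff_entries(parse_entry(GOOD), parse_entry(BAD)).items():
        print(attr, "good:", [v.hex() for v in g], "bad:", [v.hex() for v in b])
```

Binary values are compared as decoded bytes, so two descriptors that print as near-identical base64 still show up as a difference.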



