[Samba] Different LDAP query in different DC...

Rowland Penny rpenny at samba.org
Thu Nov 29 14:01:06 UTC 2018


On Thu, 29 Nov 2018 14:32:39 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > You need to explicitly ask for it, for instance:
> 
> Oh, cool! Seems effectively different:
> 
> root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor
> # record 1
> dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> nTSecurityDescriptor: O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)

This one has an extra ACE and in readable form it is:

(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)

"A"     SDDL_ACCESS_ALLOWED       ACCESS_ALLOWED_ACE_TYPE

"CI"    SDDL_CONTAINER_INHERIT    CONTAINER_INHERIT_ACE
"NP"    SDDL_NO_PROPAGATE         NO_PROPAGATE_INHERIT_ACE
"ID"    SDDL_INHERITED            INHERITED_ACE

"RP"    SDDL_READ_PROPERTY
"LC"    SDDL_LIST_CHILDREN
"RC"    SDDL_READ_CONTROL

account_sid: SID string that identifies the trustee of the ACE.

S-1-5-21-160080369-3601385002-3131615632-1314

Is this the one with the problem?
Who or what has the RID '1314'?

Rowland
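
Added example, not part of the original post and not Samba code: a small Python decoder for the ACE breakdown above that also lists the ACEs present in one DC's nTSecurityDescriptor but missing from another's. The code tables are a subset of the SDDL codes, and `DC2` is a constructed value for illustration.

```python
import re

# Subset of the two-letter SDDL codes from Microsoft's ACE string format.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHTS = {"RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD",
          "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
          "LO": "LIST_OBJECT", "DT": "DELETE_TREE", "CR": "CONTROL_ACCESS",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}

def _pairs(codes, table):
    """Split a run of two-letter codes and name each; unknown codes stay raw."""
    if codes.startswith("0x"):          # rights may also be a hex access mask
        return [codes]
    return [table.get(codes[i:i + 2], codes[i:i + 2])
            for i in range(0, len(codes), 2)]

def decode_ace(ace):
    """Decode 'type;flags;rights;object_guid;inherit_guid;trustee'."""
    fields = ace.strip("()").split(";")
    if len(fields) < 6:
        raise ValueError("not an SDDL ACE: %r" % ace)
    typ, flags, rights, obj, inh, trustee = fields[:6]
    # For a SID trustee, the RID is the last sub-authority.
    rid = int(trustee.rsplit("-", 1)[1]) if trustee.startswith("S-1-") else None
    return {"type": ACE_TYPES.get(typ, typ),
            "flags": _pairs(flags, ACE_FLAGS),
            "rights": _pairs(rights, RIGHTS),
            "object_guid": obj or None, "inherit_guid": inh or None,
            "trustee": trustee, "rid": rid}

def extra_aces(sddl_a, sddl_b):
    """Return the decoded ACEs that are in sddl_a but not in sddl_b."""
    aces = lambda s: re.findall(r"\(([^()]*)\)", s)
    seen = set(aces(sddl_b))
    return [decode_ace(a) for a in aces(sddl_a) if a not in seen]

# Value from the post above, with the wrapped SID rejoined.
DC1 = "O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)"
# Constructed for illustration: the same descriptor without that ACE.
DC2 = "O:DAG:DAD:AI"

if __name__ == "__main__":
    for ace in extra_aces(DC1, DC2):
        print(ace)
```

Feeding it the nTSecurityDescriptor values returned by `ldbsearch` on each DC shows which trustee RIDs to look up.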


