[Samba] limit access to personal information

Christian chanlists at googlemail.com
Sat Jun 4 06:13:29 UTC 2022

Dear all,

I am trying to limit the access to personal information in our AD (we 
run Debian bullseye on our DCs with Louis's 4.15 packages, in case that 

The first obstacle seems to be that there is an explicit ACL on every 
user allowing read access to personal information for every 
authenticated user.

My understanding is that this ACL comes from the default acl on user 
objects. I have found that default entry in the schema management MMC 
snap-in but am unable to remove it even as a domain admin. The error 
message is

"Unable to save permission changes on User. The server is unwilling to 
process the request."

Is there some other way I should be doing this?

For existing users, I would have to remove the explicit allow ACL. Is 
there a good way to do this programmatically, preferably on Linux? I 
have looked at samba-tool dsacl set, but there is very little 
documentation out there...

The rest of the question is not strictly samba-related, but I assume I 
will have to create a group that contains all users that should not be 
granted access to personal information (most users for us, in fact) and 
place a deny ACL on an OU somewhere up in the tree where it can affect 
all users...

It seems somewhat complicated though. I would much rather work with an 
explicit allow to grant specific users access. My understanding is that 
this is not possible because the personal information does not have the 
"confidential" bit set??? And changing that would involve fooling around 
with the schema again???

The other option, as I understand, would be to introduce custom fields 
through a schema modification to store the personal information, but 
that would have the disadvantage that the non-standard fields would not 
be known to third-party tools.

Thanks for any insights. There is surprisingly little information on 
this out there.... Best wishes,


PS: Links I found most useful:



More information about the samba mailing list