[Samba] Managing LDAP ACL

Andrew Bartlett abartlet at samba.org
Tue Sep 13 07:42:19 UTC 2022

On Mon, 2022-09-12 at 11:33 +0200, Pavel Březina via samba wrote:
> Hi,
> I have SSSD connected to an instance of Samba DC with imported custom
> schema. I'm using python-ldap and Administrator account to create an
> organizational unit and objects with an object class from the custom
> schema.
> However, it seems that it lacks proper ACL as it is only visible when
> using Administrator account and not when using the client computer
> account (through GSSAPI auth).
> Is there any way I can make this organizational unit and its subtree
> accessible?

Yes, you need to set the NT ACL on the objects, or for new objects on
the default SD in the schema.  Perhaps there is no SD at all!

Most Samba users don't spend much time with custom objectclasses, so
sadly there are not great tools, and SDDL - the text-based language
that can represent an NT ACL in ntSecurityDescriptor - approaches line noise for intelligibility.

You might get some joy using ADSI Editor on windows.

Sorry I can't help more.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
