[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Rowland Penny rpenny at samba.org
Wed Nov 22 17:49:17 UTC 2023

On Wed, 22 Nov 2023 17:33:37 +0000
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org>
> wrote:
> > Are you sure that the ACLs on all the items in the chain should
> > allow reading?
> It's an excellent question, thank you - I'd like to just say "Yes" but
> I will certainly check, as it's of course possible that my domain was
> misconfigured previously, and the change has in fact introduced
> correct behaviour..
> Am I right in thinking that the objects I need to look at are
> - the group itself
> - all (some?) members of the group
> - any others?
> Are permissions checked in a hiearchical fashion, i.e. if OU=myou does
> not allow a particular user to read it, then would
> CN=somegroup,OU=myou still be denied regardless of the explicit
> permissions on the CN=somegroup,OU=myou object? And I believe I'm
> correct in thinking that a user can be a member of a group, even
> though that user might not have permission to read the group
> themselves...?
> Is there a programmatical way of viewing permissions on all these
> objects, or am I best manually going through with the 'ldifde'
> Windows tool (which I think is what I originally used to set the
> permissions in the first place)?
> Many thanks
> Jonathan

samba-tool dsacl get --help


More information about the samba mailing list