[Samba] LDB Tools best practices

Perttu Aaltonen perttu.aaltonen at mac.com
Fri Oct 27 09:11:15 UTC 2023

> On 27. Oct 2023, at 11.53, Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Op 27-10-2023 om 10:32 schreef Perttu Aaltonen via samba:
>>> On 26. Oct 2023, at 17.49, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>> On Thu, 26 Oct 2023 17:02:34 +0300
>>> Perttu Aaltonen via samba <samba at lists.samba.org> wrote:
>>>> Quick question. Can the LDB tools that modify the database files
>>>> directly be used without stopping Samba DC? Specifically ldbmodify?
>>> No problem, also you can use the machine password '-P' for most searches
>>>> What about when there are more than one DC? Anything to take into
>>>> account or best practices?
>>> The better question would be, 'What if there are multiple sysadmins ?',
>>> you should always have more than one DC.
>>> With multiple sysadmins, you could get 'collisions', especially if they
>>> try to change the same object on different DCs, so best practice would
>>> be to always do any changes on one DC (Usually the one holding the
>>> PDC_Emulator FSMO role).
>>> Rowland
>> Thanks Rowland. Now to write a ldbmodify script...
> Probably something like this:
> cat << EOF > ldbmod
> dn: <DN TO CHANGE>
> changetype: modify
> replace: <ATTR TO CHANGE>
> <ATTR TO CHANGE>: <NEW VALUE>
> EOF
> ldbmodify -H /var/lib/samba/private/sam.ldb ldbmod
> - Kees.

Indeed, that is something like I’m going to do. The only thing I’m wondering about, not having tested it yet, is how it behaves if there’s already an attribute with the same content. I want to add the mail attribute to each DN, but some might already have it. So if I use ‘add’, will it just error out or will it add it a second time?

In that case I’ll check first to see if the addition is required.
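One way to do that pre-check, as an added example that is not part of the thread: parse the LDIF that ldbsearch prints, decide per entry whether `mail` is absent (emit `add`), present with a different value (emit `replace`), or already correct (skip), and write the resulting change records for ldbmodify. Under LDAP semantics an `add` of a value that is already present is rejected with attributeOrValueExists rather than duplicated, so emitting `add` only when the attribute is missing keeps the run idempotent. The search output, DNs, and the `example.com` mail domain below are constructed sample data; the `parse_ldif`, `plan_change` and `build_ldif` helpers are assumptions of this example, not Samba tooling.

```python
"""Generate idempotent LDIF modify records for ldbmodify.

Added example; not code from the samba list thread. It parses the
LDIF-style output of an ldbsearch run (constructed sample below) and
emits 'add' or 'replace' only where the attribute actually needs it.
"""
import base64

# Constructed sample resembling `ldbsearch -H sam.ldb '(objectClass=user)' mail sAMAccountName`.
# Not real directory data.
SAMPLE_SEARCH_OUTPUT = """\
# record 1
dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

# record 2
dn: CN=Bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
mail: bob@example.com

# record 3
dn: CN=Carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
mail: old@example.com

# returned 3 records
# 3 entries
# 0 referrals
"""

MAIL_DOMAIN = "example.com"  # constructed; assumption for this example


def parse_ldif(text):
    """Parse ldbsearch-style LDIF into {dn: {attr: [values]}}.

    Handles '#' comment lines, folded continuation lines (leading space)
    and base64 values ('attr:: ...'). Blocks without a dn are ignored.
    """
    entries = {}
    for block in text.split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#") or not raw.strip():
                continue
            if raw.startswith(" ") and lines:   # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            attr, _, value = line.partition(": ")
            if attr.endswith(":"):              # 'attr:: base64value'
                attr = attr[:-1]
                value = base64.b64decode(value).decode("utf-8")
            attrs.setdefault(attr, []).append(value)
        dn = attrs.pop("dn", None)
        if dn:
            entries[dn[0]] = attrs
    return entries


def plan_change(entry, attr, value):
    """Return the LDIF operation needed for a single-valued attribute, or None.

    absent                    -> 'add'
    present, different value  -> 'replace'
    present, same value       -> None (skip; 'add' would fail with
                                 attributeOrValueExists)
    """
    current = entry.get(attr, [])
    if not current:
        return "add"
    if current == [value]:
        return None
    return "replace"


def change_record(dn, op, attr, value):
    """Render one LDIF modify record in the form ldbmodify accepts."""
    return f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n{attr}: {value}\n-\n"


def build_ldif(entries, attr, make_value):
    """Return (ldif_text, skipped_dns); records are blank-line separated."""
    records, skipped = [], []
    for dn, entry in entries.items():
        value = make_value(entry)
        op = plan_change(entry, attr, value)
        if op is None:
            skipped.append(dn)
            continue
        records.append(change_record(dn, op, attr, value))
    return "\n".join(records), skipped


def mail_from_sam(entry):
    """Derive the desired mail value from sAMAccountName (constructed rule)."""
    return f"{entry['sAMAccountName'][0]}@{MAIL_DOMAIN}"


if __name__ == "__main__":
    # Usage: python3 mkldif.py > ldbmod && ldbmodify -H /var/lib/samba/private/sam.ldb ldbmod
    ldif, skipped = build_ldif(parse_ldif(SAMPLE_SEARCH_OUTPUT), "mail", mail_from_sam)
    print(ldif)
```

Run it against real ldbsearch output on the DC where you make all changes (the one holding the PDC Emulator role, as Rowland suggests) and feed the generated file to ldbmodify; entries whose mail is already correct are reported as skipped rather than producing a failing add.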

