[Samba] LDB Tools best practices

Rowland Penny rpenny at samba.org
Fri Oct 27 09:41:57 UTC 2023


On Fri, 27 Oct 2023 12:11:15 +0300
Perttu Aaltonen via samba <samba at lists.samba.org> wrote:

> 
> > On 27. Oct 2023, at 11.53, Kees van Vloten via samba
> > <samba at lists.samba.org> wrote:
> > 
> > 
> > Op 27-10-2023 om 10:32 schreef Perttu Aaltonen via samba:
> >>> On 26. Oct 2023, at 17.49, Rowland Penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>> 
> >>> On Thu, 26 Oct 2023 17:02:34 +0300
> >>> Perttu Aaltonen via samba <samba at lists.samba.org> wrote:
> >>> 
> >>>> Quick question. Can the LDB tools that modify the database files
> >>>> directly be used without stopping Samba DC? Specifically
> >>>> ldbmodify?
> >>> No problem, also you can use the machine password '-P' for most
> >>> searches
> >>> 
> >>>> What about when there are more than one DC? Anything to take into
> >>>> account or best practices?
> >>> The better question would be, 'What if there are multiple
> >>> sysadmins ?', you should always have more than one DC.
> >>> 
> >>> With multiple sysadmins, you could get 'collisions', especially
> >>> if they try to change the same object on different DCs, so best
> >>> practice would be to always do any changes on one DC (Usually the
> >>> one holding the PDC_Emulator FSMO role).
> >>> 
> >>> Rowland
> >>> 
> >> Thanks Rowland. Now to write a ldbmodify script...
> > 
> > Probably something like this:
> > 
> > cat << EOF > ldbmod
> > dn: <DN TO CHANGE>
> > changetype: modify
> > replace: <ATTR TO CHANGE>
> > <ATTR TO CHANGE>: <NEW VALUE FOR THE ATTR>
> > EOF
> > ldbmodify -H /var/lib/samba/private/sam.ldb ldbmod

You do not need to 'cat' it to a file, you can 'pipe' it through
ldbmodify.

> > 
> > - Kees.
> > 
> 
> Indeed, that is something like what I'm going to do. The only thing I'm
> wondering about, not having tested it yet, is how does it behave if
> there's already an attribute with the same content? I want to add the
> mail attribute to each DN, but some might already have it. So if I
> use 'add' will it just error out or will it add it a second time?
> 
> In that case I’ll check first to see if the addition is required.

I suggest you search for the user first with a
search_filter similar to this:

(&(objectCategory=person)(objectClass=user)(sAMAccountName=$USER))

If not found, move on to the next user.
If found, you could either grep the user's object for its mail attribute
and, if one is found, compare it with what you would like to add, or you
could search again using a filter like this:

(&(objectCategory=person)(objectClass=user)(sAMAccountName=$USER)(mail=$MAIL_ADDRESS))

Where '$USER' is the user's sAMAccountName and '$MAIL_ADDRESS' is the
email address you want that user to have. If it returns anything, the
email address is already set correctly.

Rowland
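
The check-then-modify flow described in this thread, as an added example that is not part of the original messages and not Samba's own tooling: a POSIX shell script that builds the two search filters quoted above, unfolds ldbsearch output to recover the user's DN, and pipes the LDIF straight into ldbmodify rather than writing it to a file. It assumes the Debian default path for sam.ldb, a base DN of DC=example,DC=com, that the ldb tools are installed, and that it is run as root on the DC holding the PDC Emulator role; all of those are placeholders to substitute. It uses 'replace' rather than 'add' in the LDIF so that re-running it on a user who already has a mail attribute sets the value instead of failing with an attribute-or-value-exists error.

```sh
#!/bin/sh
# Added example, not code from the thread: set a user's "mail" attribute
# only when it is missing or different, following the check-then-modify
# flow discussed above.
#
# Assumptions (substitute your own values):
#   - run as root on the DC that holds the PDC Emulator role, so every
#     change is made on one DC and replicates out from there;
#   - the ldb tools (ldbsearch, ldbmodify) are installed;
#   - sam.ldb lives at the path below and the domain is DC=example,DC=com.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Escape the characters RFC 4515 reserves inside a filter value, so that a
# sAMAccountName or address containing '*', '(', ')' or '\' is matched
# literally instead of widening the search.  Backslash is escaped first so
# the escapes produced by the later substitutions are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The user filter from the thread, for one sAMAccountName.
user_filter() {
    printf '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))' \
        "$(ldap_filter_escape "$1")"
}

# The same filter narrowed to "this user already has exactly this mail".
user_mail_filter() {
    printf '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)(mail=%s))' \
        "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$2")"
}

# LDIF for the change.  'replace' sets the attribute whether or not it is
# already present; 'add' of a value that already exists would be rejected.
mail_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: mail\nmail: %s\n' "$1" "$2"
}

# Print the DN of every record in ldbsearch output.  ldbsearch folds long
# lines with a leading space, so continuation lines are joined first.
# (Base64-encoded "dn::" lines, emitted for non-ASCII DNs, are not handled.)
ldif_dns() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf ~ /^dn: /) print substr(buf, 5); buf = $0 }
        END   { if (buf ~ /^dn: /) print substr(buf, 5) }
    '
}

# ensure_mail SAMACCOUNTNAME MAIL: skip unknown users, skip users whose mail
# is already correct, otherwise pipe the LDIF into ldbmodify.
ensure_mail() {
    sam=$1
    mail=$2
    if ldbsearch -H "$SAM_LDB" -b "$BASE_DN" "$(user_mail_filter "$sam" "$mail")" dn \
            | ldif_dns | grep -q .; then
        echo "$sam: mail already set to $mail"
        return 0
    fi
    dn=$(ldbsearch -H "$SAM_LDB" -b "$BASE_DN" "$(user_filter "$sam")" dn \
            | ldif_dns | head -n 1)
    if [ -z "$dn" ]; then
        echo "$sam: no such user, skipping"
        return 0
    fi
    echo "$sam: setting mail to $mail on $dn"
    mail_ldif "$dn" "$mail" | ldbmodify -H "$SAM_LDB"
}

# Usage: ./ensure_mail.sh jdoe jdoe@example.com
if [ "$#" -eq 2 ]; then
    ensure_mail "$1" "$2"
fi
```

To process a whole list, call ensure_mail once per "samaccountname address" pair from a loop; because the LDIF uses replace, running the list a second time is harmless. Keep running it on the same DC each time, as advised above, so concurrent edits on different DCs do not collide.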
