Displaying 8 results from an estimated 8 matches for "rplcrc".
2018 Nov 29
2
Different LDAP query in different DC...
Hello! Rowland Penny via samba
On that day it was said...
> S-1-5-21-160080369-3601385002-3131615632-1314
Bingo! Exactly the 'Restricted' group that owns the users I use for
generic LDAP access!
I really think that we have found the trouble!
Now... how can I fix it? ;-)
And... why did that value not get propagated?!
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
2018 Nov 29
0
Different LDAP query in different DC...
...nt:
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor
> # record 1
> dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> nTSecurityDescriptor: O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)
This one has an extra ACE and in readable form it is:
(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)
"A" SDDL_ACCESS_ALLOWED ACCESS_ALLOWED_ACE_TYPE
"CI" SDDL_CONTAINER_INHERIT CONTAINER_INHERIT_AC...
2018 Nov 29
2
Different LDAP query in different DC...
...ool! Seems effectively different:
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor
# record 1
dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
nTSecurityDescriptor: O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-360138
5002-3131615632-1314)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c
c14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa
006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-
11d0-9020-00c04fc2d4cf;4828cc14-1...
2018 Nov 29
0
Different LDAP query in different DC...
...ted' group that owns the users I use for
> generic LDAP access!
> I really think that we have found the trouble!
>
>
> Now... how can I fix it? ;-)
Depends, do you want to add the ACE on other DCs or remove it?
You can add it with:
samba-tool dsacl set --sddl='(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)'
To remove it, you will have to use Windows tools unless somebody knows
another way.
>
> And... why did that value not get propagated?!
It should be propagated, so no, I don't know why it wasn't.
Rowland
2020 Aug 24
0
Set/Restrict Owner Rights for OU-Admin
...er add? ${TestUser} ${TestUserPWD} --userou OU=${TestOU}
# add TestUser to TestGroup
samba-tool group addmembers ${TestGroup} ${TestUser}
# set OWNER RIGHTS only for OU Test1_with_Owner-Rights
samba-tool dsacl set --objectdn "OU=Test1_with_Owner-Rights,${Test_OU_DN}" --sddl="(A;CI;RPLCRC;;;S-1-3-4)"
# get groupid and sid from TestGroup
# groupid=$(samba-tool group show ${TestGroup} --attributes=objectGUID | grep objectGUID | cut -d " " -f2 -)
sid=$(samba-tool group show ${TestGroup} --attributes=objectSid | grep objectSid | cut -d " " -f2 -)
# Organizat...
2016 Jan 04
0
LDAP permissions - ldbedit/ldapmodify?
...C=samdom,DC=example,DC=com -s sub
"(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
nTSecurityDescriptor
Which will return something like this:
# editing 1 records
# record 1
dn: OU=SUDOers,DC=samdom,DC=example,DC=com
nTSecurityDescriptor:
O:DAG:DAD:AI(A;CI;RPLCRC;;;DU)(A;;RPWPCRCCDCLCLORCWOWDSD
DTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a2
85-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;C
CDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a28
5-00aa003049e2;;PO)(A;;RP...
2016 Jan 04
2
LDAP permissions - ldbedit/ldapmodify?
Hi,
A while ago I successfully set permissions on a section of my LDAP / AD
tree, using either ADUC or ADSIEDIT (I forget which). These permissions
allowed my own user to access this section of the tree; I removed
permissions for 'Domain Admins' etc. to ensure that others would not be
able to view or change the data - this has worked great for many months.
I have just tried to add a new
2018 Nov 29
2
Different LDAP query in different DC...
Hello! Rowland Penny via samba
On that day it was said...
> Whilst there are attributes that do not get replicated between DC's,
> the majority are, so each DC should allow the same access.
> Do you have access to the DC ?
> Can you run the search locally ?
Sure! As just stated, local access (via ldbsearch against the local
SAM) works as expected:
root@vdcpp1:~# ldbsearch