John Lewis
2015-Feb-15 17:56 UTC
[Samba] What options do I have to create OUs and ACLs in Samba4?
I need to create a couple of OUs under Users to separate my internal users from my external users that have LDAP backed accounts so I can put ACLs over the external users so I can limit what they can see on the tree. What options do I have to create the OUs and the ACLs in a Samba4 AD-DC domain?
Marc Muehlfeld
2015-Feb-15 18:27 UTC
[Samba] What options do I have to create OUs and ACLs in Samba4?
Hello John,

On 15.02.2015 at 18:56, John Lewis wrote:
> I need to create a couple of OUs under Users to separate my internal
> users from my external users that have LDAP backed accounts so I can put
> ACLs over the external users so I can limit what they can see on the
> tree. What options do I have to create the OUs and the ACLs in a Samba4
> AD-DC domain?

The comfortable, easy and recommended way: Use ADUC.
https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management

The (very) unattractive way: OUs you can create LDAP-style via importing LDIFs. ACLs can be set via samba-tool. But as far as I know, we don't have any documentation yet about "samba-tool dsacl set". Here is an example that I found on the internet and the output it produces:
https://cpaste.org/py3kczpjk/ra3wba/raw
It seems to do something. But I have no idea what :-)

Regards,
Marc
Rowland Penny
2015-Feb-15 19:37 UTC
[Samba] What options do I have to create OUs and ACLs in Samba4?
On 15/02/15 18:27, Marc Muehlfeld wrote:
> Hello John,
>
> On 15.02.2015 at 18:56, John Lewis wrote:
>> I need to create a couple of OUs under Users to separate my internal
>> users from my external users that have LDAP backed accounts so I can put
>> ACLs over the external users so I can limit what they can see on the
>> tree. What options do I have to create the OUs and the ACLs in a Samba4
>> AD-DC domain?
> The comfortable, easy and recommended way: Use ADUC.
> https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management
>
>
> The (very) unattractive way: OUs you can create LDAP-style via importing
> LDIFs. ACLs can be set via samba-tool. But as far as I know, we don't
> have any documentation yet about "samba-tool dsacl set". Here is an
> example, that I found on the internet and the output it produces:
> https://cpaste.org/py3kczpjk/ra3wba/raw
> It seems to do something. But I have no idea what :-)
>
>
> Regards,
> Marc

FYI Marc, it is allowing 'Domain Computers' access to "CN=demo01,CN=Users,DC=samdom,DC=example,DC=com", the container will inherit ACEs and 'Domain Computers' can read the sddls, list children and read control. :-)

See here:
https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx
and here:
https://msdn.microsoft.com/en-gb/library/windows/desktop/aa379602%28v=vs.85%29.aspx
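For readers who want to check what an SDDL ACE grants before passing it to "samba-tool dsacl set", here is a small decoder, added as an example and not part of the thread or of Samba's own code. The sample ACE is constructed (an allow ACE with container inheritance for Domain Computers; the rights RP, LC and RC are an assumption, since the string from the linked paste is not reproduced on this page), and the code tables are a subset of the codes in the Microsoft ACE-string documentation linked above.

```python
import re

# Subset of the two-letter SDDL codes; extend the tables as needed.
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object allow", "OD": "object deny"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"RP": "read property", "WP": "write property", "CC": "create child",
          "DC": "delete child", "LC": "list children", "SW": "self write",
          "LO": "list object", "DT": "delete tree", "CR": "control access",
          "RC": "read control", "SD": "delete", "WD": "write DAC",
          "WO": "write owner", "GA": "generic all", "GR": "generic read"}
# Note: "DC" and "WD" mean different things as a right and as a trustee;
# only the field position tells them apart.
SIDS = {"DC": "Domain Computers", "DA": "Domain Admins", "DU": "Domain Users",
        "AU": "Authenticated Users", "WD": "Everyone", "SY": "Local System"}

def _pairs(field, table):
    """Split a run of two-letter codes and translate each; reject unknown codes."""
    if len(field) % 2:
        raise ValueError(f"odd-length code run: {field!r}")
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [c for c in codes if c not in table]
    if unknown:
        raise ValueError(f"unknown codes: {unknown}")
    return [table[c] for c in codes]

def decode_ace(ace):
    """Decode one '(type;flags;rights;object_guid;inherit_guid;trustee)' ACE."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m:
        raise ValueError("ACE must be wrapped in parentheses")
    fields = m.group(1).split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type: {ace_type!r}")
    return {"type": ACE_TYPES[ace_type],
            "flags": _pairs(flags, ACE_FLAGS),
            "rights": _pairs(rights, RIGHTS),
            "object_guid": obj_guid or None,
            "inherit_object_guid": inh_guid or None,
            # Trustee is a well-known alias or a literal S-1-... SID.
            "trustee": SIDS.get(trustee, trustee)}

SAMPLE_ACE = "(A;CI;RPLCRC;;;DC)"  # constructed sample, not from the paste

if __name__ == "__main__":
    print(decode_ace(SAMPLE_ACE))
```

Rejecting unknown codes instead of skipping them keeps a typo in the rights field from being silently read as a narrower grant than the one that would actually be applied.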