Hi,

A while ago I successfully set permissions on a section of my LDAP / AD tree, using either ADUC or ADSIEDIT (I forget which). These permissions allowed my own user to access this section of the tree; I removed permissions for 'Domain Admins' etc. to ensure that others would not be able to view or change the data - this has worked great for many months.

I have just tried to add a new entry to this section of the tree, but I appear to have locked myself out somehow. I don't know if this is because I recently made some idmap changes and therefore my UID has changed, or for some other reason - so I am asking on here to find out where the LDAP permissions are stored. Hopefully I can reset the permissions and regain access.

I can view the data using ldbsearch when logged in as root on the DC itself - but how do I view the permissions and edit them from the command line? The data is all present and correct:

mydc1# ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b ou=mysecretou,dc=mydomain,dc=org,dc=uk
[...]
# returned 127 records
# 127 entries
# 0 referrals

Even logging in as MYDOMAIN\Administrator I can't view or change the permissions of ou=mysecretou using ADUC/ADSIEdit (this is exactly as I originally set it). So, how can I change the permissions from the command line? Do I use ldbedit with different parameters, or on a separate ldb file? Is there an "ldapmodify" command I can run - this would presumably work better, as any changes would then be replicated to other DCs as well.

Thanks!

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On 04/01/16 01:43, Jonathan Hunter wrote:
> Hi,
>
> A while ago I successfully set permissions on a section of my LDAP / AD
> tree, using either ADUC or ADSIEDIT (I forget which). These permissions
> allowed my own user to access this section of the tree; I removed
> permissions for 'Domain Admins' etc. to ensure that others would not be
> able to view or change the data - this has worked great for many months.
>
> I have just tried to add a new entry to this section of the tree, but I
> appear to have locked myself out somehow. I don't know if this is because I
> recently made some idmap changes and therefore my UID has changed, or for
> some other reason - so I am asking on here to find out where the LDAP
> permissions are stored. Hopefully I can reset the permissions and regain
> access.
>
> I can view the data using ldbsearch when logged in as root on the DC itself
> - but how do I view the permissions and edit them from the commandline? The
> data is all present and correct:
>
> mydc1# ldbsearch -H /usr/local/samba/private/sam.ldb -s sub -b
> ou=mysecretou,dc=mydomain,dc=org,dc=uk
> [...]
> # returned 127 records
> # 127 entries
> # 0 referrals
>
> Even logging in as MYDOMAIN\Administrator I can't view or change the
> permissions of ou=mysecretou using ADUC/ADSIEdit (This is exactly as I
> originally set it). So, how can I change the permissions from the
> commandline? Do I use ldbedit on a with different parameters, or on a
> separate ldb file? Is there a "ldapmodify" command I can run - this would
> presumably work better, as any changes would then be replicated to other
> DCs as well.
>
> Thanks!
>
> Jonathan
>

They are stored in a hidden attribute called 'nTSecurityDescriptor' and if you want to see it, you will have to explicitly ask for it, e.g.
ldbedit -e nano -H /usr/local/samba/private/sam.ldb -b OU=SUDOers,DC=samdom,DC=example,DC=com -s sub "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))" nTSecurityDescriptor

Which will return something like this:

# editing 1 records
# record 1
dn: OU=SUDOers,DC=samdom,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:AI
 (A;CI;RPLCRC;;;DU)
 (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
 (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
 (OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)
 (OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
 (OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
 (OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
 (A;;RPLCLORC;;;AU)
 (A;;RPLCLORC;;;ED)
 (OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)
 (OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
 (OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
 (OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
 (OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
 (OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
 (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
 (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
 (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
 (OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
 (OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 (OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
 (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
 (A;CIID;LC;;;RU)
 (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)
 S:AI
 (OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
 (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

(The value is one SDDL string; it is shown here folded the way LDIF folds long values, one ACE per continuation line.)

For a start on what the above means, see here: http://www.netid.washington.edu/documentation/domains/sddl.aspx

Rowland
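As an added example (mine, not code from the thread and not Samba's own code), here is a way to read a descriptor like the one above without the samba Python bindings: a standard-library parser for the O:/G:/D:/S: sections and their ACEs, a `who_has` check for whole-object rights, and `can_reset_dacl`, which answers what the original post is really asking (who can still rewrite this DACL). The two sample descriptors are constructed: the first is a shortened copy of the SUDOers OU descriptor, the second imitates an OU whose DACL names only one user SID, with a made-up domain SID. Two facts it relies on that the page itself does not spell out: the two-letter trustee and right abbreviations are the standard SDDL ones (covered at the link Rowland gives), and the access check grants an object's owner READ_CONTROL and WRITE_DAC even when no ACE does, which is why the O: field matters for recovery.

```python
"""Parse the SDDL form of nTSecurityDescriptor and report who can change the DACL.

Added example, not from the thread and not Samba's code; standard library only.
"""
import re

# Standard SDDL aliases for well-known trustees (the subset seen on AD objects).
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Admins",
            "SY": "Local System", "AU": "Authenticated Users", "ED": "Enterprise DCs",
            "DU": "Domain Users", "AO": "Account Operators", "PO": "Print Operators",
            "PS": "Principal Self", "RU": "Pre-Win2000 Compatible Access", "WD": "Everyone"}
# Standard SDDL access-right tokens: directory-specific rights plus standard rights.
RIGHTS = {"RP": "read prop", "WP": "write prop", "CC": "create child", "DC": "delete child",
          "LC": "list children", "SW": "self write", "LO": "list object", "DT": "delete tree",
          "CR": "control access", "RC": "read control", "WD": "write DAC", "WO": "write owner",
          "SD": "delete", "GA": "generic all", "GR": "generic read", "GW": "generic write"}

SD_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)"
                   r"D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)"
                   r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$")
ACE_RE = re.compile(r"\(([^)]*)\)")

def _pairs(s):
    """Split a run of two-letter SDDL tokens: 'CIIOID' -> {'CI', 'IO', 'ID'}."""
    if len(s) % 2:
        raise ValueError("odd-length token string: %r" % s)
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def parse_ace(text):
    """ACE body without parentheses, e.g. 'A;CI;RPLCRC;;;DU'; rights may be a hex mask."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError("malformed ACE: %r" % text)
    ace_type, flags, rights, obj, inh_obj, trustee = parts
    return {"type": ace_type,                      # A/OA allow, D/OD deny, AU/OU audit
            "flags": _pairs(flags),                # CI OI IO ID NP SA FA ...
            "rights": {rights} if rights.startswith("0x") else _pairs(rights),
            "object": obj,                         # property/class GUID, '' = whole object
            "inherit_object": inh_obj,
            "trustee": trustee}                    # alias such as DA, or a literal SID

def parse_sddl(sddl):
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("unrecognised SDDL")
    return {"owner": m["owner"], "group": m["group"], "dacl_flags": m["dflags"],
            "dacl": [parse_ace(a) for a in ACE_RE.findall(m["dacl"])],
            "sacl_flags": m["sflags"] or "",
            "sacl": [parse_ace(a) for a in ACE_RE.findall(m["sacl"] or "")]}

def who_has(sd, right):
    """Trustees whose ACEs grant `right` on the object itself.

    Inherit-only ACEs (IO) and object ACEs scoped to one property/class are
    skipped; a matching deny ACE removes the trustee again.  Group membership
    is not expanded: DA means the Domain Admins group, not each member.
    """
    allowed, denied = set(), set()
    for ace in sd["dacl"]:
        if "IO" in ace["flags"] or (ace["type"] in ("OA", "OD") and ace["object"]):
            continue
        if right in ace["rights"] or "GA" in ace["rights"]:
            (allowed if ace["type"] in ("A", "OA") else denied).add(ace["trustee"])
    return allowed - denied

def can_reset_dacl(sd, trustee):
    """Rewriting the DACL needs WRITE_DAC (WD) or ownership: the access check
    grants the owner READ_CONTROL and WRITE_DAC even without an ACE."""
    return trustee == sd["owner"] or trustee in who_has(sd, "WD")

def describe(sd):
    """One readable line for the header and one per DACL ACE."""
    lines = ["owner=%s group=%s dacl_flags=%s" % (sd["owner"], sd["group"], sd["dacl_flags"])]
    for ace in sd["dacl"]:
        who = TRUSTEES.get(ace["trustee"], ace["trustee"])
        rights = ", ".join(RIGHTS.get(r, r) for r in sorted(ace["rights"]))
        scope = " (on %s)" % ace["object"] if ace["object"] else ""
        lines.append("%-2s %-6s %s: %s%s" % (ace["type"], "".join(sorted(ace["flags"])), who, rights, scope))
    return lines

# Constructed samples: a shortened copy of the OU descriptor quoted above, and
# an imitation of an OU whose DACL names only one user SID (made-up SID/RID).
ROWLAND_OU = ("O:DAG:DAD:AI(A;CI;RPLCRC;;;DU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)"
              "(A;;RPLCLORC;;;AU)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)"
              "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
LOCKED_OU = "O:DAG:DAD:AI(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1-2-3-1105)(A;;RPLCLORC;;;AU)"

if __name__ == "__main__":
    for name, text in (("Rowland's OU", ROWLAND_OU), ("locked OU", LOCKED_OU)):
        sd = parse_sddl(text)
        print("==", name, "\n" + "\n".join(describe(sd)))
        print("write-DAC holders:", sorted(who_has(sd, "WD")), "DA can reset:", can_reset_dacl(sd, "DA"))
```

`who_has` deliberately ignores group expansion and property-scoped object ACEs, so it answers "which trustees have this right on the OU object itself", not "what can user X do"; for effective rights of a particular account use the real access check (Samba's `samba.dcerpc.security` bindings on the DC, or the effective-permissions view in the Windows GUI). On the constructed locked-out descriptor, the only write-DAC ACE names one user SID, yet `can_reset_dacl(sd, "DA")` is still true because Domain Admins owns the object; whether that is enough in practice also depends on the caller's token actually carrying that group.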
Thank you, Rowland!

On 4 January 2016 at 10:36, Rowland penny <rpenny at samba.org> wrote:
> On 04/01/16 01:43, Jonathan Hunter wrote:
>
>> I can view the data using ldbsearch when logged in as root on the DC
>> itself
>> - but how do I view the permissions and edit them from the commandline?
>>
>
> They are stored in a hidden attribute called 'nTSecurityDescriptor' and if
> you want to see it, you will have to explicitly ask for it e.g.
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb -b
> OU=SUDOers,DC=samdom,DC=example,DC=com -s sub
> "(&(objectClass=organizationalUnit)(objectCategory=organizationalUnit))"
> nTSecurityDescriptor
>

Perfect, thank you - I can now see this attribute.

I also figured out that by adding "--show-binary" to the end of the ldbsearch command I was running, I could get a more user-readable version of the security descriptor:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b ou=mysecretou,dc=mydomain,dc=org,dc=uk nTSecurityDescriptor --show-binary
# record 1
dn: ou=mysecretou,dc=mydomain,DC=ninja,DC=org,DC=uk
nTSecurityDescriptor: NDR: struct security_descriptor
    revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
    type                     : 0x9d17 (40215)
           1: SEC_DESC_OWNER_DEFAULTED
           1: SEC_DESC_GROUP_DEFAULTED
           1: SEC_DESC_DACL_PRESENT
           0: SEC_DESC_DACL_DEFAULTED
    [...]
           0: SEC_DESC_RM_CONTROL_VALID
           1: SEC_DESC_SELF_RELATIVE
    owner_sid                : *
        owner_sid            : S-1-5-21-197107965-2004198405-1252158227-512
    group_sid                : *
        group_sid            : S-1-5-21-197107965-2004198405-1252158227-512
    sacl                     : *
        sacl: struct security_acl
            revision         : SECURITY_ACL_REVISION_ADS (4)
            size             : 0x0078 (120)
            num_aces         : 0x00000002 (2)
    [...]

I assume that it isn't safe to use ldbedit in a multi-DC environment, though, particularly whilst Samba is running... but maybe I am under-estimating its capabilities? From https://ldb.samba.org/ it is "Safe multi-reader, multi-writer, using byte range locking"... but even if so, what would tell Samba to replicate the change I just made to the other DCs?
It looks like I can use ldbedit with "-H ldap://localhost -P" - but via this route, I can't view the nTSecurityDescriptor attribute (presumably because I don't have permissions).

To make my change, then, would I have to shut down Samba on all DCs; make the change with ldbedit independently on all DCs; then restart Samba? Or is there another way of applying the change on multiple DCs, perhaps?

Many thanks :)

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
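As an added example for the last question above (mine; not from the thread and not Samba's code), here is how I would prepare the repair as LDIF instead of hand-editing the value in nano: append an allow ACE for Domain Admins to the DACL part of the SDDL string, leave the SACL untouched, and emit a `changetype: modify` record that `ldbmodify -H /usr/local/samba/private/sam.ldb` can apply on the DC. The DN and the "current" descriptor are constructed to resemble the locked-out OU (made-up domain SID and RID). Assumptions, also noted in the code: Samba's own ldb tools accept the SDDL text form for nTSecurityDescriptor on sam.ldb (the form ldbedit displays and that Samba's provision LDIF uses), and a write made through those tools on a running DC passes through the same module stack as an LDAP write and so carries replication metadata. I would not take either on trust: copy the private/ directory first, and after the change confirm with `samba-tool drs showrepl` and an `ldbsearch ... nTSecurityDescriptor` on another DC. The ldap:// route requires the caller to hold WRITE_DAC/READ_CONTROL on the object or to own it, which is exactly what was lost, so the local file route (which, as the root ldbsearch above shows, is not subject to that check) is the realistic one; once access is restored, in the Samba versions I have used `samba-tool dsacl set --objectdn=... --sddl='(...)'` appends an ACE over LDAP without rewriting the whole descriptor.

```python
"""Emit an LDIF modify that appends a recovery ACE to an OU's nTSecurityDescriptor.

Added example, not from the thread or Samba.  Assumes Samba's ldb tools accept
the SDDL text form of nTSecurityDescriptor (the form ldbedit displays).
"""
import re

# The right string the thread's descriptor grants SY and DA: every directory
# right plus the standard rights (delete, read control, write DAC, write owner).
FULL_CONTROL = "RPWPCRCCDCLCLORCWOWDSDDTSW"

# head = O:/G:/D: sections including the DACL ACEs; sacl = optional S: section.
SD_SPLIT_RE = re.compile(r"^(?P<head>O:[^:]+?G:[^:]+?D:[A-Z]*(?:\([^)]*\))*)(?P<sacl>S:.*)?$")


def check_ace(ace):
    """Accept exactly one ACE of the form '(type;flags;rights;obj;inh;trustee)'."""
    if not (ace.startswith("(") and ace.endswith(")")) or ace.count("(") != 1:
        raise ValueError("not a single ACE: %r" % ace)
    if ace[1:-1].count(";") != 5:
        raise ValueError("ACE must have six ';'-separated fields: %r" % ace)
    return ace


def add_dacl_ace(sddl, ace):
    """Append `ace` to the DACL, keeping the SACL; no-op if it is already there."""
    check_ace(ace)
    m = SD_SPLIT_RE.match(sddl.strip())
    if not m:
        raise ValueError("unrecognised SDDL: %r" % sddl[:40])
    head, sacl = m["head"], m["sacl"] or ""
    if ace in head:
        return head + sacl
    return head + ace + sacl


def recovery_ace(trustee="DA", rights=FULL_CONTROL):
    """Allow ACE with CI so the OU's children inherit it too."""
    return "(A;CI;%s;;;%s)" % (rights, trustee)


def recovery_ldif(dn, current_sddl, trustee="DA"):
    """LDIF for ldbmodify: replace the whole descriptor with the repaired one."""
    new_sddl = add_dacl_ace(current_sddl, recovery_ace(trustee))
    return "\n".join(["dn: " + dn,
                      "changetype: modify",
                      "replace: nTSecurityDescriptor",
                      "nTSecurityDescriptor: " + new_sddl,
                      "-",
                      ""])


# Constructed input: the thread's OU DN with a DACL that names only one user
# SID (made-up domain SID and RID), which is how the lock-out would look.
DN = "ou=mysecretou,dc=mydomain,dc=org,dc=uk"
LOCKED_SDDL = ("O:DAG:DAD:AI(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1-2-3-1105)"
               "(A;;RPLCLORC;;;AU)"
               "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
               "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

if __name__ == "__main__":
    # Intended use on the DC (assumption, see lead-in):
    #   python3 this.py | ldbmodify -H /usr/local/samba/private/sam.ldb
    print(recovery_ldif(DN, LOCKED_SDDL), end="")
```

The script appends rather than rewrites the existing ACEs, so whoever was granted access before keeps it; if the goal is to put Domain Admins back permanently rather than just to recover, the next step is the same edit with the user-SID ACE removed. Feed the current value in from `ldbsearch -b <dn> -s base nTSecurityDescriptor` (without `--show-binary`) rather than the constructed one.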