thr3ads.net - samba - [Samba] Different LDAP query in different DC... [Nov 2018]

If this information is useful, please help other people find it:
Share via:

Marco Gaiarin

2018-Nov-29 14:42 UTC

[Samba] Different LDAP query in different DC...

Mandi! Rowland Penny via samba
  In chel di` si favelave...
> S-1-5-21-160080369-3601385002-3131615632-1314
Bingo! Exactly the 'Restricted' group that own the users i use for
generico LDAP access!
I really think that we have found the trouble!


Now... how can i fix it? ;-)

And... why that vaule get not propagated?!


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Rowland Penny

2018-Nov-29 15:08 UTC

head link

[Samba] Different LDAP query in different DC...

On Thu, 29 Nov 2018 15:42:04 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > S-1-5-21-160080369-3601385002-3131615632-1314
> 
> Bingo! Exactly the 'Restricted' group that own the users i use for
> generico LDAP access!
> I really think that we have found the trouble!
> 
> 
> Now... how can i fix it? ;-)
Depends, do you want to add the ACE on other DC's or remove it ?

You can add it with:

samba-tool dsacl set
--sddl=(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)

To remove it, you will have to use Windows tools unless somebody knows
another way
> 
> And... why that vaule get not propagated?!
It should be propagated, so, no I don't know why it wasn't

Rowland

Marco Gaiarin

2018-Nov-30 09:04 UTC

head link

[Samba] Different LDAP query in different DC...

Mandi! Rowland Penny via samba
  In chel di` si favelave...
> You can add it with:
> samba-tool dsacl set
> --sddl=(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)
I've done:

 root at vdcpp1:~# samba-tool dsacl set
--sddl='(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)'
--objectdn=CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it

but the answer was:
 new descriptor for CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it:
 O:DAG:DAD:AI(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
 ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable
to parse SDDL
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line
174, in run
     self.add_ace(samdb, objectdn, new_ace)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line
129, in add_ace
     desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))

I've also tried to remove and reset the ACL via ADUC, but nothing
changed.

I've removed that alias and recreate it, and now works. Boh.

> > And... why that vaule get not propagated?!
> It should be propagated, so, no I don't know why it wasn't
Strange. Anyway, sorry to the list...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Seemingly Similar Threads

Search for more seemingly similar threads

samba - Nov 2018 - Different LDAP query in different DC...

[Samba] Different LDAP query in different DC...

[Samba] Different LDAP query in different DC...

[Samba] Different LDAP query in different DC...

Seemingly Similar Threads