On Mon, 2022-09-12 at 11:33 +0200, Pavel Březina via samba wrote:
> Hi,
> I have SSSD connected to an instance of Samba DC with imported custom
> schema. I'm using python-ldap and Administrator account to create an
> organizational unit and objects with an object class from the custom
> schema.
>
> However, it seems that it lacks proper ACL as it is only visible when
> using Administrator account and not when using the client computer
> account (through GSSAPI auth).
>
> Is there any way I can make this organizational unit and its subtree
> accessible?
Yes, you need to set the NT ACL on the objects, or for new objects on
the default SD in the schema. Perhaps there is no SD at all!
Most Samba users don't spend much time with custom objectclasses, so,
sadly, there are not great tools, and SDDL - the text-based language
that can represent an NT ACL in ntSecurityDescriptor - approaches line noise for
intelligibility.
You might get some joy using ADSI Editor on Windows.
Sorry I can't help more.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
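Because SDDL is hard to read by eye, here is an added example (not from this thread, and not Samba's own code) that decodes the DACL portion of an ntSecurityDescriptor's SDDL and reports which principals hold read-style rights. Both descriptors are constructed for illustration; a client computer account authenticating via GSSAPI falls under Authenticated Users (AU), so a DACL without an AU (or equivalent) read ACE produces exactly the "only Administrator can see it" symptom.

```python
import re

# Well-known SDDL SID aliases (subset) that appear in AD security descriptors.
SID_ALIASES = {"AU": "Authenticated Users", "BA": "Builtin Administrators",
               "DA": "Domain Admins", "EA": "Enterprise Admins",
               "SY": "Local System", "WD": "Everyone"}
# Two-letter right codes that let a principal see an object and its attributes.
READ_RIGHTS = {"GA", "GR", "RP", "LC", "LO", "RC"}

SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of ACE dicts."""
    sections = dict(SECTION_RE.findall(sddl.replace(" ", "")))
    aces = []
    for body in ACE_RE.findall(sections.get("D", "")):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj_guid, inh_guid, sid = fields[:6]
        # Rights are either one hex mask or a run of two-letter codes.
        codes = {rights} if rights.startswith("0x") else \
            {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "flags": flags, "rights": codes,
                     "object": obj_guid, "inherit": inh_guid, "sid": sid})
    return aces

def readers(sddl):
    """Map each principal granted a read-style right by an allow ACE to those rights."""
    result = {}
    for ace in parse_dacl(sddl):
        # Only access-allowed ACEs grant anything; an OA ACE may be scoped to one
        # attribute by its object GUID, which this simple check does not narrow.
        if ace["type"] not in ("A", "OA"):
            continue
        granted = ace["rights"] & READ_RIGHTS
        if granted:
            name = SID_ALIASES.get(ace["sid"], ace["sid"])
            result.setdefault(name, set()).update(granted)
    return result

# Constructed descriptors: ADMIN_ONLY grants read only to System and Domain Admins
# (the symptom in the thread); WITH_AU adds a read ACE for Authenticated Users.
ADMIN_ONLY = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
WITH_AU = ADMIN_ONLY + "(A;;RPLCLORC;;;AU)"

if __name__ == "__main__":
    for label, sd in (("admin-only", ADMIN_ONLY), ("with AU", WITH_AU)):
        print(label, sorted(readers(sd)))
```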