Displaying 5 results from an estimated 5 matches for "cinpid".
2018 Nov 29
2
Different LDAP query in different DC...
Hello! Rowland Penny via samba
On that day it was said...
> S-1-5-21-160080369-3601385002-3131615632-1314
Bingo! Exactly the 'Restricted' group that owns the users I use for
generic LDAP access!
I really think that we have found the trouble!
Now... how can I fix it? ;-)
And... why does that value not get propagated?!
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
2018 Nov 29
0
Different LDAP query in different DC...
...different:
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor
> # record 1
> dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> nTSecurityDescriptor: O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-360138
> 5002-3131615632-1314)
This one has an extra ACE and in readable form it is:
(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)
"A" SDDL_ACCESS_ALLOWED ACCESS_ALLOWED_ACE_TYPE
"CI" SDDL_CONTAINER_INHERIT CONTAINER_INH...
2018 Nov 29
2
Different LDAP query in different DC...
...Oh, cool! Seems effectively different:
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor
# record 1
dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
nTSecurityDescriptor: O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-360138
5002-3131615632-1314)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c
c14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa
006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-
11d0-9020-00c04fc2d4cf;482...
2018 Nov 29
0
Different LDAP query in different DC...
...Restricted' group that owns the users I use for
> generic LDAP access!
> I really think that we have found the trouble!
>
>
> Now... how can I fix it? ;-)
Depends, do you want to add the ACE on other DCs or remove it?
You can add it with:
samba-tool dsacl set --sddl='(A;CINPID;RPLCRC;;;S-1-5-21-160080369-3601385002-3131615632-1314)'
To remove it, you will have to use Windows tools unless somebody knows
another way.
>
> And... why does that value not get propagated?!
It should be propagated, so, no, I don't know why it wasn't.
Rowland
2018 Nov 29
2
Different LDAP query in different DC...
Hello! Rowland Penny via samba
On that day it was said...
> Whilst there are attributes that do not get replicated between DCs,
> the majority are, so each DC should allow the same access.
> Do you have access to the DC?
> Can you run the search locally?
Sure! As just stated, local access (via ldbsearch against the local
SAM) works as expected:
root@vdcpp1:~# ldbsearch