On 21/07/14 13:54, Jakub Hrozek wrote:
On Mon, Jul 21, 2014 at 01:47:47PM +0100, Rowland Penny wrote:
> On 21/07/14 11:15, Jakub Hrozek wrote:
>> On Mon, Jul 21, 2014 at 08:47:24AM +0100, Rowland Penny wrote:
>>>> Normally I use ADSI Edit to edit the permissions. If you right-click the
>>>> sudo container in ADSI, select properties and then go to the Security Tab,
>>>> do you "Authenticated users" there ? btw I'm using Windows Server 2012,
>>>> not sure if the dialogs look any different in earlier versions.
>>> So what you are saying is, to get a UNIX program to work on a UNIX machine
>>> running against a UNIX AD DC, you have to set it up on a WINDOWS machine
>>> ??? What happens if you do not have a windows machine or if you do, you
>>> don't have ADSI Edit ??
>> No, but this is the first time in this thread you mention you're using
>> Samba and not a real AD.. I know you probably mentioned Samba in some
>> previous threads, but I forgot that, sorry.
> Sorry if I didn't explicitly say I was using a samba AD DC, I didn't think
> it mattered as an AD server is an AD server, whether it is a samba AD server or
> a windows AD server.
No problem.
> From what you posted, I have found the problem (after installing XP in a VM,
> installing RSAT etc), Domain computers was only being allowed to read
> 'OU=SUDOers', it wasn't being allowed to read any of the children.
>
> I now need to work out how to alter the 'nTSecurityDescriptor' attribute of
> OU=SUDOers ( replacing '(A;;RPLCRC;;;DC)' with '(A;CI;RPLCRC;;;DC)' ) using
> only linux tools ;-)
>
> Rowland
This would be a really nice HOWTO!
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Well, changing the ACLs on a folder in AD turned out to be fairly easy,
samba4 has a command for it, with little or no documentation on how to use
it, but that's opensource for you ;-)
I found and read this page:
http://www.netid.washington.edu/documentation/domains/sddl.aspx
This explained just how SDDLs are made up and what their constituents
mean, I now just had to work out the syntax for the samba-tool command
and after a few failures, this is what I came up with:

samba-tool dsacl set -H /var/lib/samba/private/sam.ldb \
    --objectdn="OU=SUDOers,DC=example,DC=com" --sddl="(A;CI;RPLCRC;;;DC)"

The only problem that I found with that approach was, you can only add
ACLs, you cannot replace them.
If a search of 'OU=SUDOers,DC=example,DC=com' shows that the ACL is
already set, but is incorrect, then at the moment, you only have two
options, use windows tools or use ldbedit:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb -b dc=example,dc=com \
    '(&(objectClass=organizationalUnit)(ou=sudoers))' nTSecurityDescriptor

I actually added the correct SDDL with samba-tool and then deleted the
wrong one with ldbedit.
Rowland
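As an added illustration (not part of the thread, nor Samba's own code), here is a small Python parser for ACE strings of the kind shown above. It splits an ACE into its six fields, expands the standard SDDL two-letter abbreviations, and checks whether the allow ACE for Domain Computers (DC) carries the CI flag, which is what decides whether the grant reaches the OU's children. The sample descriptors are constructed for the check.

```python
"""Parse SDDL ACE strings such as (A;CI;RPLCRC;;;DC) and check whether the
read grant for a trustee also inherits to child objects (CI flag)."""
import re

# Standard SDDL abbreviations (MS-DTYP); only the ones needed here are listed.
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"RP": "read property", "LC": "list children", "RC": "read control",
          "WP": "write property", "CC": "create child", "LO": "list object",
          "GR": "generic read", "GA": "generic all"}
SIDS = {"DC": "Domain Computers", "DU": "Domain Users", "DA": "Domain Admins",
        "AU": "Authenticated Users", "BA": "Builtin Administrators"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def split_pairs(field):
    """Split a run of two-letter tokens ('RPLCRC') into ['RP', 'LC', 'RC'].
    A hex access mask (0x...) is returned untouched as a single token."""
    if field.startswith("0x"):
        return [field]
    if len(field) % 2:
        raise ValueError(f"odd-length token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_ace(ace):
    m = ACE_RE.fullmatch(ace.strip())
    if not m:
        raise ValueError(f"not an ACE string: {ace!r}")
    ace_type, flags, rights, obj, inherit_obj, sid = m.groups()
    return {"type": ace_type, "flags": split_pairs(flags),
            "rights": split_pairs(rights), "object_guid": obj,
            "inherit_object_guid": inherit_obj, "sid": sid}


def describe(ace):
    """Human-readable rendering of one ACE, e.g. for reviewing a descriptor."""
    a = parse_ace(ace)
    kind = "allow" if a["type"] == "A" else "deny" if a["type"] == "D" else a["type"]
    text = f"{kind} {SIDS.get(a['sid'], a['sid'])}: " + \
        ", ".join(RIGHTS.get(r, r) for r in a["rights"])
    if a["flags"]:
        text += " [" + ", ".join(ACE_FLAGS.get(f, f) for f in a["flags"]) + "]"
    return text


def read_access_reaches_children(sddl, trustee="DC"):
    """True if some allow ACE for `trustee` grants RP+LC+RC and has CI set,
    i.e. the grant on the OU also applies to the entries beneath it."""
    for m in ACE_RE.finditer(sddl):
        a = parse_ace(m.group(0))
        if (a["type"] == "A" and a["sid"] == trustee
                and {"RP", "LC", "RC"} <= set(a["rights"]) and "CI" in a["flags"]):
            return True
    return False
```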