machine accounts being listed when using security = ads

Christian M Ambach CAMBACH1 at de.ibm.com
Mon Apr 10 15:24:15 GMT 2006


Hi all,

I've seen that the machine accounts are shown in the output of getent 
passwd when using security = ads.

Is this intentional? If yes, please ignore the following.

Otherwise the source of the problem is that the machine accounts also have 
an objectClass of user in AD in addition to computer.
So I've written a small patch which refines the LDAP search condition, so 
that no machine accounts will show up when enumerating users.

I would appreciate a review of it. 

--- samba-3.0.20b/source/nsswitch/winbindd_ads.c        2005-10-12 
19:03:28.000000000 +0200
+++ samba-3.0.20b.new/source/nsswitch/winbindd_ads.c    2006-04-07 
16:46:49.381240424 +0200
@@ -142,7 +142,7 @@
                goto done;
        }
 
-       rc = ads_search_retry(ads, &res, "(objectClass=user)", attrs);
+       rc = ads_search_retry(ads, &res, 
"(&(objectclass=user)(!(objectclass=computer)))", attrs);
        if (!ADS_ERR_OK(rc) || !res) {
                DEBUG(1,("query_user_list ads_search: %s\n", 
ads_errstr(rc)));
                goto done;
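
Review bot: the new filter string in the ads_search_retry() call spells the attribute as objectclass, while the line it replaces used objectClass. LDAP attribute names are matched case-insensitively, so the search behaves the same, but keeping the objectClass spelling of the removed line avoids an unrelated change in the diff. A one-line comment above the call saying that computer accounts carry objectClass=user as well as computer would explain why the negated clause is there. The added line and the DEBUG line are also wrapped by the mailer in this posting, so the patch will not apply as shown and should be resent unwrapped or as an attachment.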

Mit freundlichen Grüßen / Best regards
          Christian Ambach

IBM Deutschland GmbH
Filesystem Center of Competence
Dept. 0A182
Hechtsheimer Str. 2, Geb. 20, Axis 1D
55131-20 Mainz, Germany
Phone: (49) 6131 84 3192, Fax - 4274
Internet: cambach1 at de.ibm.com

