Samba4-group policy stuff
Huang, Peter (GT/PGS-Palo Alto)
peter.huang at hp.com
Fri Feb 8 22:34:02 GMT 2008
Andrew,
thanks for your prompt reply. Below are the log entries showing missing attributes.
-peter
================================================================================
gensec_gssapi: NO delegated credentials supplied by client
ldb: naming_fsmo_init: we are master: yes
ldb: pdc_fsmo_init: we are master: yes
SearchRequest basedn: CN=IP Security,CN=System,DC=pcstest,DC=adsdev,DC=hp,DC=com filter: (objectclass=ipsecPolicy)
SearchRequest: basedn: [CN=IP Security,CN=System,DC=pcstest,DC=adsdev,DC=hp,DC=com]
SearchRequest: filter: [(objectclass=ipsecPolicy)]
SearchRequest: scope: [ONE]
SearchRequest: attrs: [ipsecID]
SearchRequest: attrs: [description]
SearchRequest: attrs: [ipsecDataType]
SearchRequest: attrs: [ipsecISAKMPReference]
SearchRequest: attrs: [ipsecData]
SearchRequest: attrs: [ipsecNFAReference]
SearchRequest: attrs: [ipsecName]
SearchRequest: attrs: [distinguishedName]
SearchRequest: attrs: [whenChanged]
ldb_request ONE dn=CN=IP Security,CN=System,DC=pcstest,DC=adsdev,DC=hp,DC=com filter=(objectclass=ipsecPolicy)
SearchRequest: error
-------------
====AD attributes for ipsec========
ipsecData                        Octet String        Ipsec-Data
ipsecDataType                    Integer             Ipsec-Data-Type
ipsecFilterReference             Distinguished Name  Ipsec-Filter-Reference
ipsecID                          Unicode String      Ipsec-ID
ipsecISAKMPReference             Distinguished Name  Ipsec-ISAKMP-Reference
ipsecName                        Unicode String      Ipsec-Name
iPSECNegotiationPolicyAction     Unicode String      IPSEC-Negotiation-Policy-Action
ipsecNegotiationPolicyReference  Distinguished Name  Ipsec-Negotiation-Policy-Reference
iPSECNegotiationPolicyType       Unicode String      IPSEC-Negotiation-Policy-Type
ipsecNFAReference                Distinguished Name  Ipsec-NFA-Reference
ipsecOwnersReference             Distinguished Name  Ipsec-Owners-Reference
ipsecPolicyReference             Distinguished Name  Ipsec-Policy-Reference
====AD class for ipsec================
ipsecBase               Abstract    Ipsec-Base
ipsecFilter             Structural  Ipsec-Filter
ipsecISAKMPPolicy       Structural  Ipsec-ISAKMP-Policy
ipsecNegotiationPolicy  Structural  Ipsec-Negotiation-Policy
ipsecNFA                Structural  Ipsec-NFA
ipsecPolicy             Structural  Ipsec-Policy
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, February 08, 2008 13:57
To: Huang, Peter (GT/PGS-Palo Alto)
Subject: RE: Samba4-group policy stuff
On Fri, 2008-02-08 at 18:09 +0000, Huang, Peter (GT/PGS-Palo Alto)
wrote:
> Kerberos: TGS-REQ Administrator at PCSTEST.ADSDEV.HP.COM from
> 16.94.37.249 for
> host/pal20c85.pcstest.adsdev.hp.com at PCSTEST.ADSDEV.HP.COM
> [canonicalize, renewable, forwardable]
> Kerberos: TGS-REQ authtime: 2008-02-08T09:56:39 starttime:
> 2008-02-08T09:56:39 endtime: 2037-09-12T19:48:05 renew till: unset
> single_terminate: reason[NT_STATUS_END_OF_FILE] Received cldap packet
> of length 171 from 16.94.37.249:1177 cldap netlogon query
> domain=pcstest.adsdev.hp.com host=PAL20C85 user=(null)
> version=536870918 guid=bd15b0ce-8e8f-4b39-8739-6ea0d16e43e7
> ldb: naming_fsmo_init: we are master: yes
> ldb: pdc_fsmo_init: we are master: yes
> ldb_request BASE dn= filter=(objectclass=*)
> Kerberos: TGS-REQ Administrator at PCSTEST.ADSDEV.HP.COM from
> 16.94.37.249 for ldap/labpc32b20a.pcstest.adsdev.hp.com/pcstest.adsdev.hp.com at PCSTEST.ADSDEV.HP.COM [renewable, forwardable]
>
> Here is the log file and wireshark capture. Let me know if you want me to do more.
The capture is encrypted - I need the krb5.keytab from the private directory to decrypt it. If it is not particularly sensitive, posting both and this report in bugzilla might help me keep track of things (I'll be away for a week).
Also, see if you can turn up the debug level until you see the message that the objectclass module (almost certainly) sets complaining about the unknown attribute.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
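An added helper for reading logs like the one in this message (not part of the original thread and not Samba code): it groups the `SearchRequest:` lines into one record per request, notes whether the request ended in `SearchRequest: error`, and lists the requested attributes that are absent from a schema attribute list you supply. The function names and `SAMPLE_SCHEMA` are assumptions made for illustration; the sample schema list is constructed and is not Samba4's actual schema.

```python
import re

# Log lines copied from the message above.
LOG = """\
SearchRequest: basedn: [CN=IP Security,CN=System,DC=pcstest,DC=adsdev,DC=hp,DC=com]
SearchRequest: filter: [(objectclass=ipsecPolicy)]
SearchRequest: scope: [ONE]
SearchRequest: attrs: [ipsecID]
SearchRequest: attrs: [description]
SearchRequest: attrs: [ipsecDataType]
SearchRequest: attrs: [ipsecISAKMPReference]
SearchRequest: attrs: [ipsecData]
SearchRequest: attrs: [ipsecNFAReference]
SearchRequest: attrs: [ipsecName]
SearchRequest: attrs: [distinguishedName]
SearchRequest: attrs: [whenChanged]
ldb_request ONE dn=CN=IP Security,CN=System,DC=pcstest,DC=adsdev,DC=hp,DC=com filter=(objectclass=ipsecPolicy)
SearchRequest: error
"""

# Constructed stand-in for the server's schema attribute list (NOT Samba4's real schema).
SAMPLE_SCHEMA = ["description", "distinguishedName", "whenChanged"]

FIELD = re.compile(r"^SearchRequest: (basedn|filter|scope|attrs): \[(.*)\]$")

def parse_search_requests(text):
    """Group 'SearchRequest:' lines into one dict per request."""
    requests, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "basedn":      # a basedn line opens a new request
            cur = {"basedn": m.group(2), "filter": None, "scope": None,
                   "attrs": [], "failed": False}
            requests.append(cur)
        elif m and cur is not None:
            if m.group(1) == "attrs":
                cur["attrs"].append(m.group(2))
            else:
                cur[m.group(1)] = m.group(2)
        elif line == "SearchRequest: error" and cur is not None:
            cur["failed"] = True
    return requests

def unknown_attrs(request, schema_attrs):
    """Requested attributes absent from schema_attrs (LDAP names compare case-insensitively)."""
    known = {a.lower() for a in schema_attrs}
    return [a for a in request["attrs"] if a.lower() not in known]

if __name__ == "__main__":
    for req in parse_search_requests(LOG):
        print(req["filter"], req["scope"], "failed" if req["failed"] else "ok")
        print("not in supplied schema:", unknown_attrs(req, SAMPLE_SCHEMA))
```

Replace `SAMPLE_SCHEMA` with the attribute names exported from the server under test to see which requested attributes it does not define.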