Samba4: idmap replication between 2 DC's
Andrew Bartlett
abartlet at samba.org
Thu Jul 19 06:59:35 MDT 2012
On Thu, 2012-07-19 at 15:55 +0400, Sergey Urushkin wrote:
> 13.07.2012 11:49, Andrew Bartlett wrote:
> > On Fri, 2012-07-13 at 09:03 +0200, steve wrote:
> >
> >> Summary,
> >> idmap_ldb:use rfc2307 = yes
> >> uidNumber in AD works
> >> gidNumber in AD does not work
> >>
> >> Can you help me sort the gidNumber?
> > This would be significantly less frustrating for all of us if you would
> > attempt debugging the source yourself.
> >
> > I'm sure this isn't a difficult bug to solve, so why not give it a go.
> >
> > Some starting hints:
> > - git grep gidNumber
> > - increase debug level to cover any existing, relevant debug
> > statements
> > - Add debug statements to cover the full flow control of any apparently
> > relevant functions:
> > DEBUG(0, ("debug message"));
> > - start samba under gdb using :
> > gdb --args samba -i -M single
> > - use samba_start_debugger() to launch gdb under particular conditions
> >
> > I know you have said this is beyond you, but I do believe this is a
> > skill you can learn.
> >
> > Andrew Bartlett
> >
> Hi!
> This problem affects me too. After some investigation I found where the
> problem is, here is the patch that fixes it:
>
> --- a/source4/winbind/idmap.c 2012-06-21 12:54:38.000000000 +0400
> +++ b/source4/winbind/idmap.c 2012-07-19 15:41:31.039544144 +0400
> @@ -458,7 +458,7 @@
> goto failed;
> } else if (ret == LDB_SUCCESS) {
> uint32_t account_type = ldb_msg_find_attr_as_uint(sam_msg,
> "sAMaccountType", 0);
> - if (account_type & ATYPE_ACCOUNT) {
> + if (account_type == ATYPE_ACCOUNT) {
> const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg,
> "uidNumber");
> if (v) {
> unixid->type = ID_TYPE_UID;
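Review bot: on the changed line, `account_type == ATYPE_ACCOUNT` accepts exactly one value, so an entry whose sAMAccountType differs from ATYPE_ACCOUNT only in its low bits no longer reaches the uidNumber branch. If more than one account-class value should map to ID_TYPE_UID, compare against each of them explicitly, and add a short comment on why a bitwise test is not used here so the `&` form is not reintroduced later.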
Thanks. To be totally correct, it would need to cover:
#define ATYPE_NORMAL_ACCOUNT 0x30000000 /* 805306368 */
#define ATYPE_WORKSTATION_TRUST 0x30000001 /* 805306369 */
#define ATYPE_INTERDOMAIN_TRUST 0x30000002 /* 805306370 */
What caught us is that account_type & ATYPE_ACCOUNT matches groups!
#define ATYPE_ACCOUNT ATYPE_NORMAL_ACCOUNT /* 0x30000000 805306368 */
#define ATYPE_GLOBAL_GROUP ATYPE_SECURITY_GLOBAL_GROUP /* 0x10000000 268435456 */
#define ATYPE_LOCAL_GROUP ATYPE_SECURITY_LOCAL_GROUP /* 0x20000000 536870912 */
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
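
The mask overlap described in the message above, as an added example that is not part of the original post or of Samba's source: it compares the bitwise test, the exact-match test from the patch, and an explicit classification over the sAMAccountType values quoted in the thread. The `id_kind` enum and the function names are hypothetical, chosen for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* sAMAccountType values as quoted in the thread */
#define ATYPE_NORMAL_ACCOUNT        0x30000000u
#define ATYPE_WORKSTATION_TRUST     0x30000001u
#define ATYPE_INTERDOMAIN_TRUST     0x30000002u
#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000u
#define ATYPE_SECURITY_LOCAL_GROUP  0x20000000u
#define ATYPE_ACCOUNT               ATYPE_NORMAL_ACCOUNT

/* Hypothetical result type for this example (not Samba's ID_TYPE_* values) */
enum id_kind { KIND_UNKNOWN, KIND_UID, KIND_GID };

/* Pre-patch test: true whenever any bit is shared with 0x30000000 */
static int is_account_bitmask(uint32_t t) { return (t & ATYPE_ACCOUNT) != 0; }

/* Patched test: true only for the exact ATYPE_ACCOUNT value */
static int is_account_exact(uint32_t t) { return t == ATYPE_ACCOUNT; }

/* Explicit classification over every value listed in the reply */
static enum id_kind classify(uint32_t t)
{
	switch (t) {
	case ATYPE_NORMAL_ACCOUNT:
	case ATYPE_WORKSTATION_TRUST:
	case ATYPE_INTERDOMAIN_TRUST:
		return KIND_UID;
	case ATYPE_SECURITY_GLOBAL_GROUP:
	case ATYPE_SECURITY_LOCAL_GROUP:
		return KIND_GID;
	default:
		return KIND_UNKNOWN; /* missing or unexpected attribute value */
	}
}

int main(void)
{
	/* Constructed sample values: one per type, plus 0 for a missing attribute */
	const uint32_t samples[] = {
		ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
		ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, 0u
	};
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("0x%08x bitmask=%d exact=%d classify=%d\n", (unsigned)samples[i],
		       is_account_bitmask(samples[i]), is_account_exact(samples[i]),
		       (int)classify(samples[i]));
	return 0;
}
```
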