Samba4: idmap replication between 2 DC's

Andrew Bartlett abartlet at samba.org
Thu Jul 19 06:59:35 MDT 2012


On Thu, 2012-07-19 at 15:55 +0400, Sergey Urushkin wrote:
> 13.07.2012 11:49, Andrew Bartlett wrote:
> > On Fri, 2012-07-13 at 09:03 +0200, steve wrote:
> >
> >> Summary,
> >> idmap_ldb:use rfc2307 = yes
> >> uidNumber in AD works
> >> gidNumber in AD does not work
> >>
> >> Can you help me sort the gidNumber?
> > This would be significantly less frustrating for all of us if you would
> > attempt debugging the source yourself.  
> >
> > I'm sure this isn't a difficult bug to solve, so why not give it a go. 
> >
> > Some starting hints:
> >  - git grep gidNumber
> >  - increase debug level to cover any existing, relevant debug
> > statements
> >  - Add debug statements to cover the full flow control of any apparently
> > relevant functions:
> >    DEBUG(0, ("debug message"));
> >  - start samba under gdb using :
> >    gdb --args samba -i -M single
> >  - use samba_start_debugger() to launch gdb under particular conditions
> >
> > I know you have said this is beyond you, but I do believe this is a
> > skill you can learn.
> >
> > Andrew Bartlett
> >
> Hi!
> This problem affects me too. After some investigation I found where the
> problem is, here is the patch that fixes it:
> 
> --- a/source4/winbind/idmap.c    2012-06-21 12:54:38.000000000 +0400
> +++ b/source4/winbind/idmap.c    2012-07-19 15:41:31.039544144 +0400
> @@ -458,7 +458,7 @@
>          goto failed;
>      } else if (ret == LDB_SUCCESS) {
>          uint32_t account_type = ldb_msg_find_attr_as_uint(sam_msg,
> "sAMaccountType", 0);
> -        if (account_type & ATYPE_ACCOUNT) {
> +        if (account_type == ATYPE_ACCOUNT) {
>              const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg,
> "uidNumber");
>              if (v) {
>                  unixid->type = ID_TYPE_UID;
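
Review bot: the exact comparison on the changed line, `account_type == ATYPE_ACCOUNT`, accepts only the one value ATYPE_ACCOUNT expands to (0x30000000), so an entry whose sAMaccountType is 0x30000001 or 0x30000002 (the workstation-trust and interdomain-trust values listed in the reply below) no longer takes the uidNumber branch. The old `&` test was too wide because the group values 0x10000000 and 0x20000000 each share a bit with 0x30000000; the replacement should be narrow enough to exclude those two but still accept every account value, for example by comparing against ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST and ATYPE_INTERDOMAIN_TRUST explicitly. A short comment next to the test saying why a bitwise AND is wrong for this field would keep the mistake from coming back.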

Thanks.  To be totally correct, it would need to cover:


#define ATYPE_NORMAL_ACCOUNT			0x30000000 /* 805306368 */
#define ATYPE_WORKSTATION_TRUST			0x30000001 /* 805306369 */
#define ATYPE_INTERDOMAIN_TRUST			0x30000002 /* 805306370 */

What caught us is that account_type & ATYPE_ACCOUNT matches groups!

#define ATYPE_ACCOUNT		ATYPE_NORMAL_ACCOUNT		/* 0x30000000 805306368 */
#define ATYPE_GLOBAL_GROUP	ATYPE_SECURITY_GLOBAL_GROUP	/* 0x10000000 268435456 */
#define ATYPE_LOCAL_GROUP	ATYPE_SECURITY_LOCAL_GROUP	/* 0x20000000 536870912 */

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
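
The three checks discussed in this thread, side by side, as an added example that is not part of the original messages or of the Samba source. The numeric values are the ones quoted above; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* sAMAccountType values as quoted in the message above. */
#define ATYPE_NORMAL_ACCOUNT        0x30000000u
#define ATYPE_WORKSTATION_TRUST     0x30000001u
#define ATYPE_INTERDOMAIN_TRUST     0x30000002u
#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000u
#define ATYPE_SECURITY_LOCAL_GROUP  0x20000000u
#define ATYPE_ACCOUNT               ATYPE_NORMAL_ACCOUNT

/* Pre-patch test: any shared bit counts, so both group values match. */
static int is_account_bitand(uint32_t t) { return (t & ATYPE_ACCOUNT) != 0; }

/* Test from the posted patch: only the normal account value matches. */
static int is_account_equal(uint32_t t) { return t == ATYPE_ACCOUNT; }

/* Hypothetical helper covering the three account values listed in the reply. */
static int is_account_full(uint32_t t)
{
    switch (t) {
    case ATYPE_NORMAL_ACCOUNT:
    case ATYPE_WORKSTATION_TRUST:
    case ATYPE_INTERDOMAIN_TRUST:
        return 1;
    default:
        return 0;
    }
}

int main(void)
{
    static const struct { const char *name; uint32_t type; } rows[] = {
        { "normal account",     ATYPE_NORMAL_ACCOUNT },
        { "workstation trust",  ATYPE_WORKSTATION_TRUST },
        { "interdomain trust",  ATYPE_INTERDOMAIN_TRUST },
        { "global group",       ATYPE_SECURITY_GLOBAL_GROUP },
        { "local group",        ATYPE_SECURITY_LOCAL_GROUP },
    };
    printf("%-18s %-10s  &  == full\n", "entry", "type");
    for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
        printf("%-18s 0x%08x  %d  %d  %d\n", rows[i].name, (unsigned)rows[i].type,
               is_account_bitand(rows[i].type), is_account_equal(rows[i].type),
               is_account_full(rows[i].type));
    return 0;
}
```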


