samba4: winbind/idmap_ad can't retrieve the uidNumber and gidNumber attributes using ldap query

Andrew Bartlett abartlet at samba.org
Fri Jan 25 15:20:38 MST 2013


On Fri, 2013-01-25 at 16:17 -0500, David Mansfield wrote:
> Hi All:
> 
> I have a samba 4.0.1 installation that I've put into production for a 
> small handful of windows clients, running on centos 6 (x86_64).  So far 
> so good.  I followed the howto pretty much and did a classicupgrade.
> 
> However, I'm having an issue with winbind (on a fedora 18 samba4 
> winbindd, fedora 17 samba3 winbindd and centos 6 samba3 winbindd) using 
> idmap_ad.  This was all working in my test platform so I must be missing 
> something.
> 
> I've debugged it to the part where an ldap query is made using the SID 
> (and a bunch of object type), requesting uidNumber and gidNumber 
> attributes.
> 
> I've run the same query using ldbsearch on the server and it DOES show 
> the attributes.
> 
> The reply to the winbind query, however, doesn't contain the attributes, 
> but does contain sAMAccountType and objectSid.  I modified idmap_ad.c to 
> also request the "name" attribute (added it to the attrs[] array), and 
> I'm dumping the ldap response object - it does contain "name" but not 
> uidNumber and gidNumber.
> 
> The source code is (in samba 3.6.9) in idmap_ad.c in the function 
> idmap_ad_sids_to_unixids around line 511.
> 
> Can anyone shed some light?

This will be fixed in the next normal release of Samba 4.0, due in just
over a week.  In the meantime, you can either run GIT master or set
'acl:read=false' in your smb.conf, to disable this particular feature.  

We always prevent access to passwords and attributes marked
confidential, but this feature (which will work properly in the next
release) allows administrators a more fine-grained access control over
reads.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



