samba4: winbind/idmap_ad can't retrieve the uidNumber and gidNumber attributes using ldap query
Andrew Bartlett
abartlet at samba.org
Fri Jan 25 15:20:38 MST 2013
On Fri, 2013-01-25 at 16:17 -0500, David Mansfield wrote:
> Hi All:
>
> I have a samba 4.0.1 installation that I've put into production for a
> small handful of windows clients, running on centos 6 (x86_64). So far
> so good. I followed the howto pretty much and did a classicupgrade.
>
> However, I'm having an issue with winbind (on a fedora 18 samba4
> winbindd, fedora 17 samba3 winbindd and centos 6 samba3 winbindd) using
> idmap_ad. This was all working in my test platform so I must be missing
> something.
>
> I've debugged it to the part where an ldap query is made using the SID
> (and a bunch of object type), requesting uidNumber and gidNumber
> attributes.
>
> I've run the same query using ldbsearch on the server and it DOES show
> the attributes.
>
> The reply to the winbind query, however, doesn't contain the attributes,
> but does contain sAMAccountType and objectSid. I modified idmap_ad.c to
> also request the "name" attribute (added it to the attrs[] array), and
> I'm dumping the ldap response object - it does contain "name" but not
> uidNumber and gidNumber.
>
> The source code is (in samba 3.6.9) in idmap_ad.c in the function
> idmap_ad_sids_to_unixids around line 511.
>
> Can anyone shed some light ?
This will be fixed in the next normal release of Samba 4.0, due in just
over a week. In the meantime, you can either run GIT master or set
'acl:read=false' in your smb.conf, to disable this particular feature.
We always prevent access to passwords and attributes marked
confidential, but this feature (which will work properly in the next
release allows administrators a more fine-grained access control over
reads).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list