samba4: winbind/idmap_ad can't retrieve the uidNumber and gidNumber attributes using ldap query
David Mansfield
samba at dm.cobite.com
Fri Jan 25 15:42:21 MST 2013
On 01/25/2013 05:20 PM, Andrew Bartlett wrote:
> On Fri, 2013-01-25 at 16:17 -0500, David Mansfield wrote:
>> Hi All:
>>
>> I have a samba 4.0.1 installation that I've put into production for a
>> small handful of windows clients, running on centos 6 (x86_64). So far
>> so good. I followed the howto pretty much and did a classicupgrade.
>>
>> However, I'm having an issue with winbind (on a fedora 18 samba4
>> winbindd, fedora 17 samba3 winbindd and centos 6 samba3 winbindd) using
>> idmap_ad. This was all working in my test platform so I must be missing
>> something.
>>
>> I've debugged it to the part where an ldap query is made using the SID
>> (and a bunch of object type), requesting uidNumber and gidNumber
>> attributes.
>>
>> I've run the same query using ldbsearch on the server and it DOES show
>> the attributes.
>>
>> The reply to the winbind query, however, doesn't contain the attributes,
>> but does contain sAMAccountType and objectSid. I modified idmap_ad.c to
>> also request the "name" attribute (added it to the attrs[] array), and
>> I'm dumping the ldap response object - it does contain "name" but not
>> uidNumber and gidNumber.
>>
>> The source code is (in samba 3.6.9) in idmap_ad.c in the function
>> idmap_ad_sids_to_unixids around line 511.
>>
>> Can anyone shed some light ?
> This will be fixed in the next normal release of Samba 4.0, due in just
> over a week. In the meantime, you can either run GIT master or set
> 'acl:read=false' in your smb.conf, to disable this particular feature.
>
> We always prevent access to passwords and attributes marked
> confidential, but this feature (which will work properly in the next
> release) allows administrators more fine-grained access control over
> reads.
>
I just tried it (acl:read=false in smb.conf) and it seems to not fix
anything. Additionally, btw, I connected to the s4 instance using an
LDAP browser (Apache Directory Studio) and it shows the attributes just
fine. The "wire" data seems to be encrypted or else I'd wireshark it.
Can I turn off encryption between winbind and the s4 instance somehow?
BTW did something change between 4.0.0rc5 and 4.0.1? I had 4.0.0rc5 in
my test env. and everything was working fine, as far as I can tell.
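A check a practitioner would want while debugging this: dump the LDAP reply (from ldbsearch, an LDAP browser export, or a modified idmap_ad.c) as LDIF and compare, entry by entry, the attributes returned against the attributes requested. The following is an added example written for this page, not code from the thread or from Samba. The LDIF sample is constructed; the DNs and base64 SIDs in it are made up, and the attribute set mirrors what the poster describes idmap_ad asking for (uidNumber, gidNumber) plus what came back (sAMAccountType, objectSid, name).

```python
# Added example (not code from this thread or from Samba): parse an LDIF
# dump of an LDAP search result and report which requested attributes are
# missing from each entry, so an ldbsearch result can be compared with what
# winbind/idmap_ad actually received. SAMPLE_LDIF is constructed for this
# example; the DNs and SIDs in it are made up.
import base64
from typing import Dict, List

# Attributes idmap_ad requests when mapping a SID to a Unix id.
REQUESTED_ATTRS = ("uidNumber", "gidNumber")

# Constructed sample: one entry with the POSIX attributes present, one where
# the reply only carried sAMAccountType, objectSid and name.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUQQAAA==
sAMAccountType: 805306368
uidNumber: 10001
gidNumber: 10000
name: alice

dn: CN=bob,CN=Users,DC=example,DC=test
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUgQAAA==
sAMAccountType: 805306368
name: bob
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into a list of entries mapping attribute -> values.

    Folded lines (leading space) are unfolded, '#' comment lines are skipped,
    and base64 values ('attr:: ...') are decoded and stored as hex strings.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():
            # Blank line terminates an entry.
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            # 'attr:: <base64>' carries a binary value (e.g. objectSid).
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_attrs(entry: Dict[str, List[str]], requested=REQUESTED_ATTRS) -> List[str]:
    """Return the requested attributes absent from one entry.

    LDAP attribute names are case-insensitive, so compare lowercased.
    """
    present = {name.lower() for name in entry}
    return [a for a in requested if a.lower() not in present]


def check_ldif(text: str, requested=REQUESTED_ATTRS) -> Dict[str, List[str]]:
    """Map each entry's DN to the requested attributes it lacks.

    Entries that carry everything requested are omitted from the report.
    """
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        missing = missing_attrs(entry, requested)
        if missing:
            report[dn] = missing
    return report


if __name__ == "__main__":
    for dn, missing in check_ldif(SAMPLE_LDIF).items():
        print(f"{dn}: missing {', '.join(missing)}")
```

Run it against an LDIF dump of the server-side ldbsearch and against a dump of the reply winbind receives: if the same entry shows the attributes in one and reports them missing in the other, the filtering is happening on the server's read path rather than in the directory data itself, which is where the acl:read setting discussed above applies.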