samba4: winbind/idmap_ad can't retrieve the uidNumber and gidNumber attributes using ldap query

Andrew Bartlett abartlet at samba.org
Fri Jan 25 15:48:04 MST 2013


On Fri, 2013-01-25 at 17:42 -0500, David Mansfield wrote:
> 
> On 01/25/2013 05:20 PM, Andrew Bartlett wrote:
> > On Fri, 2013-01-25 at 16:17 -0500, David Mansfield wrote:
> >> Hi All:
> >>
> >> I have a samba 4.0.1 installation that I've put into production for a
> >> small handful of windows clients, running on centos 6 (x86_64).  So far
> >> so good.  I followed the howto pretty much and did a classicupgrade.
> >>
> >> However, I'm having an issue with winbind (on a fedora 18 samba4
> >> winbindd, fedora 17 samba3 winbindd and centos 6 samba3 winbindd) using
> >> idmap_ad.  This was all working in my test platform so I must be missing
> >> something.
> >>
> >> I've debugged it to the part where an ldap query is made using the SID
> >> (and a bunch of object type), requesting uidNumber and gidNumber
> >> attributes.
> >>
> >> I've run the same query using ldbsearch on the server and it DOES show
> >> the attributes.
> >>
> >> The reply to the winbind query, however, doesn't contain the attributes,
> >> but does contain sAMAccountType and objectSid.  I modified idmap_ad.c to
> >> also request the "name" attribute (added it to the attrs[] array), and
> >> I'm dumping the ldap response object - it does contain "name" but not
> >> uidNumber and gidNumber.
> >>
> >> The source code is (in samba 3.6.9) in idmap_ad.c in the function
> >> idmap_ad_sids_to_unixids around line 511.
> >>
> >> Can anyone shed some light ?
> > This will be fixed in the next normal release of Samba 4.0, due in just
> > over a week.  In the meantime, you can either run GIT master or set
> > 'acl:read=false' in your smb.conf, to disable this particular feature.
> >
> > We always prevent access to passwords and attributes marked
> > confidential, but this feature (which will work properly in the next
> > release) allows administrators more fine-grained access control over
> > reads.
> >
> I just tried it (acl:read=false in smb.conf) and it seems to not fix 
> anything.  Additionally, btw, I connected to the s4 instance using an 
> LDAP browser (Apache Directory Studio) and it shows the attributes just 
> fine.  The "wire" data seems to be encrypted or else I'd wireshark it.  
> Can I turn off encryption between winbind and the s4 instance somehow?

You can decrypt it if you supply wireshark the server keytab.

> BTW did something change between 4.0.0rc5 and 4.0.1?  I had 4.0.0rc5 in 
> my test env. and everything was working fine, as far as I can tell.

Sorry, it's acl:search=false.  Yes, we turned this on very late in the
RC series (just before 4.0.0).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
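
An added diagnostic for the symptom discussed above (not code from the thread or from Samba): it parses the LDIF that ldbsearch prints, checks which of the attributes idmap_ad requests are missing from the reply, and optionally runs that query over ldap:// with the caller's credentials so the server's search ACL applies, since a local sam.ldb path is opened with system privileges and bypasses it. The DC URL, credential string, SID and sample entries are constructed assumptions.

```python
"""Check an AD LDAP reply for the attributes winbind's idmap_ad asks for."""
import re
import subprocess

# Attributes idmap_ad requests when mapping SIDs to UNIX IDs (per the thread).
IDMAP_AD_ATTRS = ("uidNumber", "gidNumber", "sAMAccountType", "objectSid")

# Constructed sample replies in LDIF form, as ldbsearch/ldapsearch print them.
FILTERED_REPLY = """# record 1
dn: CN=testuser,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
sAMAccountType: 805306368

# returned 1 records
"""
FULL_REPLY = FILTERED_REPLY.replace(
    "sAMAccountType: 805306368\n",
    "sAMAccountType: 805306368\nuidNumber: 10001\ngidNumber: 10000\n")

def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry; joins folded
    continuation lines (leading space) and skips '#' comment lines."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.lstrip(": "))  # ':: ' = base64
    if current:
        entries.append(current)
    return entries

def missing_attributes(entry, wanted=IDMAP_AD_ATTRS):
    """Requested attributes absent from the reply (names are case-insensitive)."""
    present = {a.lower() for a in entry}
    return [a for a in wanted if a.lower() not in present]

def check_sid_over_ldap(dc_url, sid, creds):
    """Run ldbsearch over ldap:// with winbind's attribute list and report gaps.
    Assumed call: ldbsearch -H ldap://dc -U 'DOMAIN\\user%pass' '(objectSid=S-1-...)'."""
    cmd = ["ldbsearch", "-H", dc_url, "-U", creds, f"(objectSid={sid})", *IDMAP_AD_ATTRS]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return {e["dn"][0]: missing_attributes(e) for e in parse_ldif(out) if "dn" in e}

if __name__ == "__main__":
    print("filtered reply lacks:", missing_attributes(parse_ldif(FILTERED_REPLY)[0]))
    print("full reply lacks:", missing_attributes(parse_ldif(FULL_REPLY)[0]))
```

A non-empty result for an object that ldbsearch shows in full when run locally points at the search ACL discussed in the thread rather than at missing data.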
