samba4: winbind/idmap_ad can't retrieve the uidNumber and gidNumber attributes using ldap query

David Mansfield samba at dm.cobite.com
Fri Jan 25 15:51:15 MST 2013



On 01/25/2013 05:48 PM, Andrew Bartlett wrote:
> On Fri, 2013-01-25 at 17:42 -0500, David Mansfield wrote:
>> On 01/25/2013 05:20 PM, Andrew Bartlett wrote:
>>> On Fri, 2013-01-25 at 16:17 -0500, David Mansfield wrote:
>>>> Hi All:
>>>>
>>>> I have a samba 4.0.1 installation that I've put into production for a
>>>> small handful of windows clients, running on centos 6 (x86_64).  So far
>>>> so good.  I followed the howto pretty much and did a classicupgrade.
>>>>
>>>> However, I'm having an issue with winbind (on a fedora 18 samba4
>>>> winbindd, fedora 17 samba3 winbindd and centos 6 samba3 winbindd) using
>>>> idmap_ad.  This was all working in my test platform so I must be missing
>>>> something.
>>>>
>>>> I've debugged it to the part where an ldap query is made using the SID
>>>> (and a bunch of object type), requesting uidNumber and gidNumber
>>>> attributes.
>>>>
>>>> I've run the same query using ldbsearch on the server and it DOES show
>>>> the attributes.
>>>>
>>>> The reply to the winbind query, however, doesn't contain the attributes,
>>>> but does contain sAMAccountType and objectSid.  I modified idmap_ad.c to
>>>> also request the "name" attribute (added it to the attrs[] array), and
>>>> I'm dumping the ldap response object - it does contain "name" but not
>>>> uidNumber and gidNumber.
>>>>
>>>> The source code is (in samba 3.6.9) in idmap_ad.c in the function
>>>> idmap_ad_sids_to_unixids around line 511.
>>>>
>>>> Can anyone shed some light?
>>> This will be fixed in the next normal release of Samba 4.0, due in just
>>> over a week.  In the meantime, you can either run GIT master or set
>>> 'acl:read=false' in your smb.conf, to disable this particular feature.
>>>
>>> We always prevent access to passwords and attributes marked
>>> confidential, but this feature (which will work properly in the next
>>> release) allows administrators a more fine-grained access control over
>>> reads.
>>>
>> I just tried it (acl:read=false in smb.conf) and it seems to not fix
>> anything.  Additionally, btw, I connected to the s4 instance using an
>> LDAP browser (Apache Directory Studio) and it shows the attributes just
>> fine.  The "wire" data seems to be encrypted or else I'd wireshark it.
>> Can I turn off encryption between winbind and the s4 instance somehow?
> You can decrypt it if you supply wireshark the server keytab
>
>> BTW did something change between 4.0.0rc5 and 4.0.1?  I had 4.0.0rc5 in
>> my test env. and everything was working fine, as far as I can tell.
> Sorry, it's acl:search=false.  Yes, we turned this on very late in the
> RC series (just before 4.0.0).
>
Ok.  That did it!  wbinfo -S is working now on one system.  Thanks a 
million.

David


