[Samba] Samba 3.0.21 and after creates ldapsam:trusted display problems in User Manager?

MJuettne at austinisd.org MJuettne at austinisd.org
Wed Oct 4 15:47:05 GMT 2006 

I recently upgraded a 3.0.14a installation (using an OpenLDAP backend) to 
3.0.23c and noticed that when using the Windows User Manager group members 
are no longer listed when viewing a group--when 'ldapsam:trusted = yes' is 
set.  I've since compiled and tested various versions using default 
options and the last time I see this member listing working was in 
3.0.20b--3.0.21 and later appear to exhibit the problem.  It looks to me 
like an LDAP query is being filtered with a sambaAccount objectClass 
instead of sambaSamAccount.  Here is a level 10 log snippet from 3.0.23c 
when it wasn't working:

[2006/10/04 10:27:02, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Users,dc=isas,dc=austinisd.org], filter 
=> [(&(objectClass=sambaAccount)(|(uid=3014a_1)))], scope => [2]
[2006/10/04 10:27:02, 10] 
passdb/pdb_ldap.c:ldapsam_enum_group_members(2432)
  ldapsam_enum_group_members: found 0 accounts

And here is a level 10 log snippet from 3.0.20b when it was working:

[2006/10/04 10:00:52, 5] lib/smbldap.c:smbldap_search_ext(980)
  smbldap_search_ext: base => [ou=Users,dc=isas,dc=austinisd.org], filter 
=> [(&(objectClass=sambaSamAccount)(|(uid=3014a_1)))], scope => [2]
[2006/10/04 10:00:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 513) - sec_ctx_stack_ndx = 0

Using a version of Samba lower than 3.0.21 (and 3.014a and above) with 
'ldapsam:trusted = yes' and the group member listing works.  Commenting 
out the 'ldapsam:trusted = yes' line in 3.0.23c and the group member 
listing works.  All other functionality within User Manager (and Samba in 
general) appears to work:  I can join my workstation to the domain, bring 
up User Manager, add users, delete users, rename users, add groups, delete 
groups, and add users to groups (verified by running IDEALX commands on 
the domain controller).  If a user is already a member of a group then 
User Manager correctly alerts you to that information and rejects your 
attempted re-add.  Everything really appears to be fine, User Manager just 
won't list group members.  No error message is displayed within User 
Manager.

Is there some other configuration change introduced in 3.0.21 that I need 
to worry about setting after I upgrade?  Is that filter being pulled in 
from somewhere else starting with 3.0.21 that I can configure?

Thanks.

Mark

More information about the samba mailing list