[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller

Dominic Evans oldmanuk at gmail.com
Fri Dec 28 04:24:28 MST 2012


On 28 December 2012 05:43, Andrew Bartlett <abartlet at samba.org> wrote:
>> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
>> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
>> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
>> --base2='CN=ExampleFirstName
>> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
>
> What username did you use (administrator or another user) to
> authenticate in this case?
> We have an outstanding issue where the read ACL is applied incorrectly
> for non-administrator users, and I need to understand why that is.

Ah, you are correct. In the ldapcmp case I had authenticated as a
regular user, but in the ldapsearch I had authenticated as
administrator. If I modify my ldapcmp command to authenticate as the
administrator, the comparison passes successfully with all attributes
being found in both DCs. So, as you presumed, it appears to be a minor
discrepancy between the attributes that a Windows DC hides from
non-Administrators, and those that a Samba4 DC hides.
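
An added example, not part of the original message: one way to separate a genuine replication gap from the read-ACL difference described above is to dump the same object from each DC as administrator and as a regular user, then compare which attributes each DC hides from the regular user. The function names, the `ldapsearch -LLL` style input and the attribute names in the sample dumps are assumptions; the samples are constructed and do not show which attributes actually differed in this thread.

```python
def ldif_attrs(text):
    """Lower-cased attribute names of the first entry in `ldapsearch -LLL` style LDIF."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = set()
    for line in lines:
        if not line.strip():
            if attrs:
                break                      # blank line ends the first entry
            continue
        if line.startswith("#"):
            continue                       # LDIF comment
        name, sep, _ = line.partition(":")  # also matches "attr:: base64value"
        if sep and name.lower() != "dn":
            attrs.add(name.split(";")[0].lower())  # drop options such as ;binary
    return attrs


def acl_discrepancy(dc1, dc2):
    """dc1 and dc2 are (admin_ldif, user_ldif) pairs for the same object."""
    hidden1 = ldif_attrs(dc1[0]) - ldif_attrs(dc1[1])
    hidden2 = ldif_attrs(dc2[0]) - ldif_attrs(dc2[1])
    return {
        # Non-empty here means the data itself differs, not just the ACLs.
        "admin_view_differs": sorted(ldif_attrs(dc1[0]) ^ ldif_attrs(dc2[0])),
        "hidden_only_on_dc1": sorted(hidden1 - hidden2),
        "hidden_only_on_dc2": sorted(hidden2 - hidden1),
    }


# Constructed sample dumps (attribute choices are illustrative only).
DN = "dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com\n"
COMMON = ("cn: ExampleFirstName ExampleSecondName\n"
          "sAMAccountName: example\n"
          "description: a long value folded onto\n a second line: with a colon\n")
ADMIN = DN + COMMON + "logonCount: 3\nbadPwdCount: 0\n"
WINDOWS_USER = DN + COMMON + "logonCount: 3\n"
SAMBA_USER = DN + COMMON

if __name__ == "__main__":
    print(acl_discrepancy((ADMIN, WINDOWS_USER), (ADMIN, SAMBA_USER)))
```

An empty `admin_view_differs` with a non-empty `hidden_only_on_*` list matches the situation in this message: the objects agree, and only the attribute visibility for the non-administrator differs.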

