[Samba] Samba4: ldapcmp incorrectly reporting some attributes as missing on secondary controller

Andrew Bartlett abartlet at samba.org
Fri Dec 28 14:09:31 MST 2012

On Fri, 2012-12-28 at 12:24 +0100, Dominic Evans wrote:
> On 28 December 2012 05:43, Andrew Bartlett <abartlet at samba.org> wrote:
> >> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
> >> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
> >> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> >> --base2='CN=ExampleFirstName
> >> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> >
> > What username did you use (administrator or another user) to
> > authenticate in this case?
> > We have an outstanding issue where the read ACL is applied incorrectly
> > for non-administrator users, and I need to understand why that is.
> Ah you are correct. In the ldapcmp case I had authenticated as a
> regular user, but in the ldapsearch I had authenticated as
> administrator. If I modify my ldapcmp command to authenticate as the
> administrator the comparison passes successfully with all attributes
> being found in both DCs. So as you presumed it appears to be a minor
> discrepancy between the attributes that a Windows DC hides from
> non-Administrators, and those that a Samba4 DC hides.

In many ways the issue isn't minor, it is actually quite major.  But it
is helpful to know that there isn't an additional issue.  I'm working on
the ACL issue, and have a lead, so we should have this fixed in the next
few days.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
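The thread above boils down to a diagnostic question: when ldapcmp reports attributes "missing" on the second DC, are they absent from the directory data, or merely hidden from the bound user by that DC's read ACL? The script below is an added example written for this page; it is not part of samba-tool or of the original thread. It assumes the caller has already fetched the same DN from each DC twice, once as an administrator and once as the ordinary user, and works on those attribute dictionaries; the entries, attribute values and the idea that the Samba side hides two attributes are constructed for illustration, not taken from a real domain.

```python
"""Separate real data differences from ACL-visibility differences between two DCs.

Added example (not samba-tool code). Input is attr -> list-of-values dicts
for the same DN, read from each DC as an administrator and as a normal user.
"""

# Constructed sample data: the same DN as seen on two DCs with two credentials.
# The Samba entry hiding 'description' and 'userAccountControl' from the normal
# user is an assumption made up for this example, not an observed Samba behaviour.
SAMPLE_DN = "CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,DC=com"

_FULL_ENTRY = {
    "cn": ["ExampleFirstName ExampleSecondName"],
    "sAMAccountName": ["example.user"],
    "description": ["Example account"],
    "userAccountControl": ["512"],
}

WINDOWS_DC = {
    "admin": dict(_FULL_ENTRY),
    "user": dict(_FULL_ENTRY),  # constructed: Windows shows everything to this user
}

SAMBA_DC = {
    "admin": dict(_FULL_ENTRY),
    "user": {k: v for k, v in _FULL_ENTRY.items()
             if k not in ("description", "userAccountControl")},
}


def compare_entries(entry_a, entry_b):
    """Plain ldapcmp-style comparison: (only_in_a, only_in_b, differing_values)."""
    names_a, names_b = set(entry_a), set(entry_b)
    only_in_a = sorted(names_a - names_b)
    only_in_b = sorted(names_b - names_a)
    differing = sorted(
        name for name in names_a & names_b
        if set(entry_a[name]) != set(entry_b[name])
    )
    return only_in_a, only_in_b, differing


def hidden_by_acl(admin_view, user_view):
    """Attributes a DC returns to an administrator but not to the given user."""
    return set(admin_view) - set(user_view)


def acl_visibility_report(dc_a, dc_b):
    """Classify differences between two DCs for one DN.

    dc_a / dc_b: {'admin': attrs, 'user': attrs} for the same DN.
    Differences between the two admin views are genuine data (replication)
    differences; differences between what each DC hides from the user are
    read-ACL discrepancies, which is what ldapcmp bound as a normal user
    would misreport as 'missing' attributes.
    """
    data_only_a, data_only_b, data_diff = compare_entries(dc_a["admin"], dc_b["admin"])
    hidden_a = hidden_by_acl(dc_a["admin"], dc_a["user"])
    hidden_b = hidden_by_acl(dc_b["admin"], dc_b["user"])
    return {
        "data_only_in_a": data_only_a,
        "data_only_in_b": data_only_b,
        "data_differing": data_diff,
        "acl_hidden_only_on_a": sorted(hidden_a - hidden_b),
        "acl_hidden_only_on_b": sorted(hidden_b - hidden_a),
        "acl_hidden_on_both": sorted(hidden_a & hidden_b),
    }


if __name__ == "__main__":
    # What a user-bound ldapcmp effectively sees: attributes 'missing' on DC b.
    print("user-bound comparison:", compare_entries(WINDOWS_DC["user"], SAMBA_DC["user"]))
    # The classified view shows the data agrees and only the ACL differs.
    for key, value in acl_visibility_report(WINDOWS_DC, SAMBA_DC).items():
        print(f"{key}: {value}")
```

Run the admin-bound comparison first; if it is clean, every attribute the user-bound comparison flags is an ACL difference rather than a replication problem, and the `acl_hidden_only_on_*` lists tell you which DC is the odd one out.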
