[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.

Rowland Penny rpenny at samba.org
Fri Sep 6 20:11:23 UTC 2019


On 06/09/2019 20:14, Mauricio Tavares via samba wrote:
> Quick-n-easy questions:
>
> Let's say user raub is added to group nosy using smbldap-groupmod
>
> smbldap-groupmod -m raub nosy
>
> Now, according to ol' ldapsearch,
>
>
> ldapsearch -vvv -H "ldaps://ldap.example.com" -D
> "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
> sub "(cn=nosy)"
>
> group nosy has a dn attribute that looks like this
>
> dn: cn=nosy,ou=PosixGroups,dc=example,dc=com
>
> ldapsearch even lists the memberUid for each member in said group. So
> far so good. However, when I ask ldapsearch to tell me about raub,
>
> ldapsearch -vvv -H "ldaps://ldap.example.com" -D
> "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
> sub "(uid=raub)"
>
> It will give me lots of exciting info about said user but not a single
> memberOf attribute. The same goes for smbldap-showuser.  Is there
> anything I might have misconfigured here? Incidentally, if I do "id
> raub", I get the list of non local groups said user belongs to,
> including nosy.
>
Yes, you mis-configured your domain as an old NT4-style domain, why?

NT4-style domains are on the way out, Microsoft keeps breaking them by
mistake (and then fixing them). They depend on insecure protocols which
everybody is trying to get rid of. smbldap-tools is no longer being
maintained and doesn't seem to have a website.

Can I suggest that you consider upgrading to a Samba AD domain.

Rowland
