[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Andrew Bartlett
abartlet at samba.org
Fri Aug 21 22:59:06 UTC 2020
On Fri, 2020-08-21 at 17:51 -0400, Vincent S. Cojot via samba wrote:
> Hi Rowland,
>
> First of all, thank you for taking the time to help me.
> I tried your suggestion and all results came up empty.
>
> Then I did a few ldapsearch(es) and found this:
>
> 1) This query returns two users:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin@ad.lasthome.solace.krynn" -b
> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>
> 2) This query returns no users ("Domain Users" instead of "Domain
> Admins"):
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin@ad.lasthome.solace.krynn" -b
> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
> 'memberOf:1.2.840.113556.1.4.1941:=cn=Domain
> Users,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'
>
> -but- the list of users is correctly reported if I run this on a DC:
> [root@dc01 ~]# samba-tool group listmembers 'Domain Users'
> [....]
> raistlin
> [...]
> krbtgt
> dns-dc00
> dns-dc01
>
> Am I doing something wrong?
The system that you are trying to use for OpenShift does not know about
primary group memberships, as these are not recorded as DN links.
Inside that samba-tool group listmembers command we work around that by
using this filter:
search_filter = ("(|(primaryGroupID=%s)(memberOf=%s))" %
(rid, group_sid_dn))
You may need to contribute logic upstream to OpenShift to learn about
how groups work in AD, or (if secure) forgo primary group memberships.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
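The point of the reply above is that a user's primary group (Domain Users, RID 513, by default) is stored only as the integer attribute primaryGroupID on the user, never as a memberOf link, so any consumer that enumerates members via memberOf alone (including the LDAP_MATCHING_RULE_IN_CHAIN search in the quoted ldapsearch) returns nothing for that group. The following is an added example, not code from the original thread or from samba-tool: it builds the same OR filter samba-tool uses, derives the RID from the group's objectSid, escapes the DN so it cannot inject into the filter, and runs both the memberOf-only and the combined lookup over a small constructed in-memory directory to show the difference. The domain name, SIDs and user entries are made up for illustration; the well-known RIDs 512 (Domain Admins) and 513 (Domain Users) are real.

```python
"""
Added example (not samba-tool's or Samba's own code): enumerate members of an
AD group when some members hold it only through primaryGroupID.

Assumptions (not from the original post):
  - group objectSid strings look like S-1-5-21-<domain>-<rid>; the RID is the
    last dash-separated component
  - directory entries are modelled as dicts keyed by attribute name
  - the sample directory below is constructed, not captured from a real DC
"""

# --- constructed sample directory -------------------------------------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE_DN = "DC=ad,DC=example,DC=test"
DOMAIN_USERS_DN = f"CN=Domain Users,CN=Users,{BASE_DN}"
DOMAIN_ADMINS_DN = f"CN=Domain Admins,CN=Users,{BASE_DN}"

SAMPLE_ENTRIES = [
    {"dn": DOMAIN_USERS_DN, "objectClass": ["group"], "objectSid": f"{DOMAIN_SID}-513"},
    {"dn": DOMAIN_ADMINS_DN, "objectClass": ["group"], "objectSid": f"{DOMAIN_SID}-512"},
    # raistlin is in Domain Admins via a real memberOf link, but in Domain Users
    # only through primaryGroupID=513; no user carries Domain Users in memberOf.
    {"dn": f"CN=raistlin,CN=Users,{BASE_DN}", "objectClass": ["user"],
     "primaryGroupID": 513, "memberOf": [DOMAIN_ADMINS_DN]},
    {"dn": f"CN=caramon,CN=Users,{BASE_DN}", "objectClass": ["user"],
     "primaryGroupID": 513, "memberOf": []},
    {"dn": f"CN=krbtgt,CN=Users,{BASE_DN}", "objectClass": ["user"],
     "primaryGroupID": 513, "memberOf": []},
]

# --- helpers -----------------------------------------------------------------
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.
    Building filters with plain string formatting (as in the samba-tool
    snippet quoted above) is safe only when the value is trusted; a DN taken
    from user input must be escaped like this."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def rid_from_sid(sid: str) -> int:
    """Relative identifier is the last component of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def member_filter(group_dn: str, group_sid: str) -> str:
    """The OR filter that catches both link-based and primary-group members."""
    rid = rid_from_sid(group_sid)
    return f"(|(primaryGroupID={rid})(memberOf={escape_filter_value(group_dn)}))"


def _dn_eq(a: str, b: str) -> bool:
    # DN comparison is case-insensitive in AD; good enough for this example.
    return a.lower() == b.lower()


def members_memberof_only(entries, group_dn: str):
    """What a memberOf-only consumer (the OpenShift side) sees."""
    return [e["dn"] for e in entries
            if any(_dn_eq(m, group_dn) for m in e.get("memberOf", []))]


def members_with_primary_group(entries, group_dn: str, group_sid: str):
    """Evaluate the same predicate as member_filter() against the entries."""
    rid = rid_from_sid(group_sid)
    return [e["dn"] for e in entries
            if e.get("primaryGroupID") == rid
            or any(_dn_eq(m, group_dn) for m in e.get("memberOf", []))]


def group_sid(entries, group_dn: str) -> str:
    """Look up a group's objectSid by DN (raises if absent)."""
    return next(e["objectSid"] for e in entries if _dn_eq(e["dn"], group_dn))


if __name__ == "__main__":
    sid = group_sid(SAMPLE_ENTRIES, DOMAIN_USERS_DN)
    print("filter:", member_filter(DOMAIN_USERS_DN, sid))
    print("memberOf only:", members_memberof_only(SAMPLE_ENTRIES, DOMAIN_USERS_DN))
    print("with primaryGroupID:", members_with_primary_group(SAMPLE_ENTRIES, DOMAIN_USERS_DN, sid))
```

Against a live DC the equivalent one-liner is the printed filter dropped into the ldapsearch from the quoted message, e.g. '(|(primaryGroupID=513)(memberOf=CN=Domain Users,CN=Users,DC=...))'; the RID has to be read from the group's objectSid rather than assumed, because only the built-in groups have fixed RIDs. The security caveat in the reply (only forgo primary-group membership "if secure") matters for authorization decisions: a consumer that silently ignores primaryGroupID will deny access to everyone whose only path to a group is their primary group, and, if an administrator sets a privileged group as someone's primary group, will also fail to see that privilege.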