machine accounts being listed when using security = ads
Christian M Ambach
CAMBACH1 at de.ibm.com
Mon Apr 10 15:24:15 GMT 2006
Hi all,
I've seen that the machine accounts are shown in the output of getent
passwd when using security = ads.
Is this intentional? If yes, please ignore the following.
Otherwise the source of the problem is that the machine accounts also have
an objectClass of user in AD in addition to computer.
So I've written a small patch which refines the LDAP search condition, so
that no machine accounts will show up when enumerating users.
I would appreciate a review of it.
--- samba-3.0.20b/source/nsswitch/winbindd_ads.c 2005-10-12
19:03:28.000000000 +0200
+++ samba-3.0.20b.new/source/nsswitch/winbindd_ads.c 2006-04-07
16:46:49.381240424 +0200
@@ -142,7 +142,7 @@
goto done;
}
- rc = ads_search_retry(ads, &res, "(objectClass=user)", attrs);
+ rc = ads_search_retry(ads, &res,
"(&(objectclass=user)(!(objectclass=computer)))", attrs);
if (!ADS_ERR_OK(rc) || !res) {
DEBUG(1,("query_user_list ads_search: %s\n",
ads_errstr(rc)));
goto done;
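
Review bot: The replacement filter on the added ads_search_retry line spells the attribute "objectclass", while the line it replaces used "objectClass". LDAP attribute names are matched case-insensitively, so the search still works, but keeping the original casing keeps the file consistent and makes the string easier to grep for. The exclusion is also applied unconditionally in query_user_list, yet the cover text leaves open whether listing machine accounts is intentional. A short comment above the call saying that computer objects also carry objectClass=user, and are therefore filtered out here, would record the reason for the extra clause. Whether some setups rely on the old behaviour is worth confirming before this goes in.
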
Mit freundlichen Grüßen / Best regards
Christian Ambach
IBM Deutschland GmbH
Filesystem Center of Competence
Dept. 0A182
Hechtsheimer Str. 2, Geb. 20, Axis 1D
55131-20 Mainz, Germany
Phone: (49) 6131 84 3192, Fax - 4274
Internet: cambach1 at de.ibm.com