Hi, I have a weird problem with LDAP, Samba and SSSD.
pdbedit -L shows every user with the same uid (4294967295).
ACL :
[root@rhel6 slapd.d]# grep -ir "olcAccess" . ./cn=config/olcDatabase={2}monitor.ldif:olcAccess: {0}to * by dn.base="cn=manager,dc=my-domain,dc=com" read by * none ./cn=config/olcDatabase={0}config.ldif:olcAccess: {0}to * by * none ./cn=config/olcDatabase={1}bdb.ldif:olcAccess: to * by * read by self write
More details below:
--------------------------------------------------------------------------------------------------------------------------------------------------------
[root@rhel6 cn=config]# pdbedit -L testsmb:4294967295:testsmb *<sometimes, the user testsmb has correct uid 503, I don't know why> *test2:4294967295:test2 test3:4294967295:test3
[root@rhel6 ~]# getent -s sss passwd example:*:9999:9999::/home/example:/bin/sh
*<sometimes,we can get user testsmb here>*
[root@rhel6 cn=config]# ldapsearch -x -D "cn=root,dc=rhel6,dc=ldaptest,dc=com" -W
........
# testsmb, rhel6.ldaptest.com dn: uid=testsmb,dc=rhel6,dc=ldaptest,dc=com cn: testsmb uid: testsmb uidNumber: 503 loginShell: /bin/bash homeDirectory: /home/testsmb gidNumber: 500 userPassword:: e2NyeXB0fUFPblQvYkJsbEJTWFk= objectClass: posixAccount objectClass: shadowAccount objectClass: person objectClass: sambaSamAccount sambaPwdLastSet: 1308553125 sambaPwdCanChange: 1308553125 sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201 sambaLMPassword: 67E272A0267766A117306D272A9441BB sambaPrimaryGroupSID: 2001 sambaAcctFlags: [U ] shadowLastChange: 15145 gecos: testsmb sn: testsmb sambaSID: S-1-5-21-423381952-115127825-699677302-1004
# test2, rhel6.ldaptest.com Dn: uid=test2,dc=rhel6,dc=ldaptest,dc=com cn: test2 uid: test2 uidNumber: 504 loginShell: /bin/bash homeDirectory: /home/test2 gidNumber: 500 userPassword:: e2NyeXB0fVhSbXVGQUd2cHMublE= objectClass: posixAccount objectClass: shadowAccount objectClass: person objectClass: sambaSamAccount sambaPwdLastSet: 1308557836 sambaPwdCanChange: 1308557836 sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201 sambaLMPassword: 67E272A0267766A117306D272A9441BB sambaPrimaryGroupSID: 2001 sambaAcctFlags: [U ] shadowLastChange: 15145 gecos: test2 sn: test2 sambaSID: S-1-5-21-423381952-115127825-699677302-1005
# example, rhel6.ldaptest.com dn: uid=example,dc=rhel6,dc=ldaptest,dc=com cn: Example user sn: Example user uid: example uidNumber: 9999 gidNumber: 9999 loginShell: /bin/sh homeDirectory: /home/example objectClass: posixAccount objectClass: person userPassword:: KkxLKg==
smb.conf security = user passdb backend = ldapsam:ldap://rhel6.ldaptest.com ldap admin dn = "cn=root,dc=rhel6,dc=ldaptest,dc=com" ldap suffix = dc=rhel6,dc=ldaptest,dc=com ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap ldap ssl = start tls ldap passwd sync = yes
Debug info is shown below.
slapd ACL debug output
------------------------------------------------------------------------------------------------------------------------------------
[root@rhel6 ~]# service slapd start Starting slapd: @(#) $OpenLDAP: slapd 2.4.19 (Jun 30 2010 03:56:07) $
mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.19/openldap-2.4.19/build-servers/servers/slapd => access_allowed: search access to "cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={0}corba,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={1}core,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={2}cosine,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={3}duaconf,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={4}dyngroup,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={5}inetorgperson,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={6}java,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={7}misc,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={8}nis,cn=schema,cn=config" "objectClass" requested <= root access granted => 
access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={9}openldap,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={10}ppolicy,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={11}collective,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={12}samba,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) Backend ACL: access to * by * none
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context => access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) Backend ACL: access to * by * read by self write
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context => access_allowed: search access to "olcDatabase={2}monitor,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) Backend ACL: access to * by dn.base="cn=manager,dc=my-domain,dc=com" read by * none
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context slapd starting
* *
*debug info for " su - test2"* sssd debug info -------------------------------------------------------------------------------------------------------------------------------------------------------------
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_parse_entry] (9): OriginalDN: [uid=test2,dc=rhel6,dc=ldaptest,dc=com]. (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x9e08488], connected[1], ops[0x9ea1b10], ldap[0x9e08540] (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_process] (6): Search for users, returned 1 results. (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x9e08488], connected[1], ops[(nil)], ldap[0x9e08540] (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): start ldb transaction (nesting: 0) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (9): Save user (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (2): User [test2] filtered out! (id out of range) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_users_process] (2): Failed to store user 0. Ignoring. (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): commit ldb transaction (nesting: 0) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_done] (9): Saving 1 Users - Done (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_remove_timeout] (8): 0x9dcde28 (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 9DCDF38 (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): Dispatching. (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider (Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No matching domain found for [test2], fail! (Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No results for getpwnam call (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
slapd debug info -----------------------------------------------------------------------------------------------------------------------------------------------------------------
=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: search access to "dc=rhel6,dc=ldaptest,dc=com" "entry" requested => acl_get: [1] attr entry => acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uid" requested => acl_get: [1] attr uid => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uid" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "objectClass" requested => acl_get: [1] attr objectClass => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "objectClass" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "entry" requested => acl_get: [1] attr entry => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested => acl_mask: to all values by "", 
(=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (cn) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "cn" requested => acl_get: [1] attr cn => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "cn" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (uid) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uid" requested => acl_get: [1] attr uid => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uid" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (uidNumber) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uidNumber" requested => acl_get: [1] attr uidNumber => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uidNumber" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (loginShell) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "loginShell" requested => acl_get: [1] attr loginShell => acl_mask: access to entry 
"uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "loginShell" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (homeDirectory) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "homeDirectory" requested => acl_get: [1] attr homeDirectory => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "homeDirectory" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (gidNumber) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "gidNumber" requested => acl_get: [1] attr gidNumber => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "gidNumber" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (userPassword) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "userPassword" requested => acl_get: [1] attr userPassword => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (objectClass) => 
access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "objectClass" requested => acl_get: [1] attr objectClass => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "objectClass" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result was in cache (objectClass) => access_allowed: result was in cache (objectClass) => access_allowed: result was in cache (objectClass) => access_allowed: result not in cache (shadowLastChange) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "shadowLastChange" requested => acl_get: [1] attr shadowLastChange => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "shadowLastChange" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (gecos) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "gecos" requested => acl_get: [1] attr gecos => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "gecos" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (modifyTimestamp) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "modifyTimestamp" requested => acl_get: [1] attr modifyTimestamp => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "modifyTimestamp" 
requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd)