Hi, I have a weird problem with LDAP, Samba and SSSD.
pdbedit -L shows every user with the same uid (4294967295, i.e. -1 as an unsigned 32-bit value).
ACLs (note that the {1}bdb rule "to * by * read" also grants anonymous read on userPassword and the sambaNTPassword/sambaLMPassword attributes, as the slapd ACL trace for the "" identity below confirms):
[root@rhel6 slapd.d]# grep -ir "olcAccess" .
./cn=config/olcDatabase={2}monitor.ldif:olcAccess: {0}to * by
dn.base="cn=manager,dc=my-domain,dc=com" read by * none
./cn=config/olcDatabase={0}config.ldif:olcAccess: {0}to * by * none
./cn=config/olcDatabase={1}bdb.ldif:olcAccess: to * by * read by self write
More details below:
--------------------------------------------------------------------------------------------------------------------------------------------------------
[root@rhel6 cn=config]# pdbedit -L
testsmb:4294967295:testsmb <sometimes the user testsmb has the
correct uid 503; I don't know why>
*test2:4294967295:test2
test3:4294967295:test3
[root@rhel6 ~]# getent -s sss passwd
example:*:9999:9999::/home/example:/bin/sh
<sometimes we also get the user testsmb here>
[root@rhel6 cn=config]# ldapsearch -x -D
"cn=root,dc=rhel6,dc=ldaptest,dc=com" -W
........
# testsmb,
rhel6.ldaptest.com
dn: uid=testsmb,dc=rhel6,dc=ldaptest,dc=com
cn: testsmb
uid: testsmb
uidNumber: 503
loginShell: /bin/bash
homeDirectory: /home/testsmb
gidNumber: 500
userPassword:: e2NyeXB0fUFPblQvYkJsbEJTWFk=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: sambaSamAccount
sambaPwdLastSet: 1308553125
sambaPwdCanChange: 1308553125
sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201
sambaLMPassword: 67E272A0267766A117306D272A9441BB
sambaPrimaryGroupSID: 2001
sambaAcctFlags: [U ]
shadowLastChange: 15145
gecos: testsmb
sn: testsmb
sambaSID: S-1-5-21-423381952-115127825-699677302-1004
# test2,
rhel6.ldaptest.com
Dn: uid=test2,dc=rhel6,dc=ldaptest,dc=com
cn: test2
uid: test2
uidNumber: 504
loginShell: /bin/bash
homeDirectory: /home/test2
gidNumber: 500
userPassword:: e2NyeXB0fVhSbXVGQUd2cHMublE=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: sambaSamAccount
sambaPwdLastSet: 1308557836
sambaPwdCanChange: 1308557836
sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201
sambaLMPassword: 67E272A0267766A117306D272A9441BB
sambaPrimaryGroupSID: 2001
sambaAcctFlags: [U ]
shadowLastChange: 15145
gecos: test2
sn: test2
sambaSID: S-1-5-21-423381952-115127825-699677302-1005
# example,
rhel6.ldaptest.com
dn: uid=example,dc=rhel6,dc=ldaptest,dc=com
cn: Example user
sn: Example user
uid: example
uidNumber: 9999
gidNumber: 9999
loginShell: /bin/sh
homeDirectory: /home/example
objectClass: posixAccount
objectClass: person
userPassword:: KkxLKg==
smb.conf:
security = user
passdb backend =
ldapsam:ldap://rhel6.ldaptest.com
ldap admin dn = "cn=root,dc=rhel6,dc=ldaptest,dc=com"
ldap suffix = dc=rhel6,dc=ldaptest,dc=com
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap passwd sync = yes
Debug info is shown below.
slapd ACL debug output:
------------------------------------------------------------------------------------------------------------------------------------
[root@rhel6 ~]# service slapd start
Starting slapd: @(#) $OpenLDAP: slapd 2.4.19 (Jun 30 2010 03:56:07) $
mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.19/openldap-2.4.19/build-servers/servers/slapd
=> access_allowed: search access to "cn=config" "objectClass"
requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=schema,cn=config"
"objectClass"
requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={0}corba,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={1}core,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={2}cosine,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={3}duaconf,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={4}dyngroup,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to
"cn={5}inetorgperson,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={6}java,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={7}misc,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={8}nis,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={9}openldap,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={10}ppolicy,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={11}collective,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={12}samba,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={-1}frontend,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={0}config,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by * none
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by * read
by self write
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={2}monitor,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by dn.base="cn=manager,dc=my-domain,dc=com" read
by * none
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
slapd starting
Debug info for "su - test2":
sssd debug info:
-------------------------------------------------------------------------------------------------------------------------------------------------------------
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_parse_entry] (9):
OriginalDN: [uid=test2,dc=rhel6,dc=ldaptest,dc=com].
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8):
Trace: sh[0x9e08488], connected[1], ops[0x9ea1b10], ldap[0x9e08540]
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_process] (6):
Search for users, returned 1 results.
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8):
Trace: sh[0x9e08488], connected[1], ops[(nil)], ldap[0x9e08540]
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8):
Trace: ldap_result found nothing!
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): start ldb
transaction (nesting: 0)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (9):
Save user
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (2):
User [test2] filtered out! (id out of range)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_users_process]
(2): Failed to store user 0. Ignoring.
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): commit ldb
transaction (nesting: 0)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_done] (9):
Saving 1 Users - Done
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_remove_timeout] (8): 0x9dcde28
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn:
9DCDF38
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0,
0, Success) from Data Provider
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No
matching domain found for [test2], fail!
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No
results for getpwnam call
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
slapd debug info:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr
"entry"
requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "dc=rhel6,dc=ldaptest,dc=com"
"entry"
requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr
"entry"
requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"uid" requested
=> acl_get: [1] attr uid
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"uid" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"objectClass" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"entry" requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (cn)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"cn" requested
=> acl_get: [1] attr cn
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"cn" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (uid)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"uid" requested
=> acl_get: [1] attr uid
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"uid" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (uidNumber)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"uidNumber" requested
=> acl_get: [1] attr uidNumber
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"uidNumber" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (loginShell)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"loginShell" requested
=> acl_get: [1] attr loginShell
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"loginShell" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (homeDirectory)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"homeDirectory" requested
=> acl_get: [1] attr homeDirectory
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"homeDirectory" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (gidNumber)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"gidNumber" requested
=> acl_get: [1] attr gidNumber
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"gidNumber" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (userPassword)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (objectClass)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"objectClass" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result not in cache (shadowLastChange)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"shadowLastChange" requested
=> acl_get: [1] attr shadowLastChange
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"shadowLastChange" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (gecos)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"gecos" requested
=> acl_get: [1] attr gecos
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"gecos" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (modifyTimestamp)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"modifyTimestamp" requested
=> acl_get: [1] attr modifyTimestamp
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"modifyTimestamp" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)