Bug 14023 - net ads gpo linkget <dn> does not return information
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.10.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2019-07-03 13:52 UTC by Amit Kumar
Modified: 2019-07-05 08:42 UTC
Description Amit Kumar 2019-07-03 13:52:34 UTC
1. The DN exists on AD and has a gpLink attribute.

# ldapsearch -x -D "CN=root,CN=Users,dc=atest,dc=com" -b "OU=test-users,dc=atest,dc=com" -h <> -W
Enter LDAP Password: 
# extended LDIF
# LDAPv3
# base <OU=test-users,dc=atest,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# test-users, atest.com
dn: OU=test-users,DC=atest,DC=com
objectClass: top
objectClass: organizationalUnit
ou: test-users
distinguishedName: OU=test-users,DC=atest,DC=com
instanceType: 4
whenCreated: 20190614203859.0Z
whenChanged: 20190614204152.0Z
uSNCreated: 601107
uSNChanged: 601192
name: test-users
objectGUID:: bO0l2Hox+0es3w2/0CoC/A==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=atest,DC=
gPLink: [LDAP://cn={8d86e985-594f-4d32-95e6-272647f9cdf4},cn=policies,cn=syste
dSCorePropagationData: 20190614203859.0Z
dSCorePropagationData: 16010101000000.0Z

# test-user-1, test-users, atest.com
dn: CN=test-user-1,OU=test-users,DC=atest,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test-user-1
description: Rambo#345
givenName: test-user-1
distinguishedName: CN=test-user-1,OU=test-users,DC=atest,DC=com
instanceType: 4
whenCreated: 20190614204010.0Z
whenChanged: 20190614204036.0Z
displayName: test-user-1
uSNCreated: 601144
uSNChanged: 601163
name: test-user-1
objectGUID:: 1l1p7ofJWE6ltxKBjn8gLw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132050184107500000
primaryGroupID: 513
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test-user-1
sAMAccountType: 805306368
userPrincipalName: test-user-1@atest.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=atest,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

2. But linkget does not give the gpLink value.
# net ads gpo linkget 'OU=test-users,DC=atest,DC=com'

3. Code investigation shows that net properly parses the gplink and gpOption values and passes them to dump_gplink(&gp_link);

status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
static int net_ads_gpo_link_get(){

dump_gplink is a subroutine defined in the Perl script file (examples/misc/adssearch.pl), which does not print the value.

4. If we do,
# net ads gpo linkget 'OU=test-users,DC=atest,DC=com' -d100
the gplink value is seen.

Will be looking into it.
Comment 1 Amit Kumar 2019-07-04 08:29:18 UTC
My bad.
examples/misc/adssearch.pl is not called 

But dump_gplink() from ./libgpo/gpo_util.c was called by net_ads_gpo_link_get()

But the problem in dump_gplink() is that the log level parameter is set to 10.
void dump_gplink(const GP_LINK *gp_link)
        int i;
        int lvl = 10;

But a person executing 'net ads gpo linkget <dn>' expects the command to return gpLink without setting the debug level. As I expected!!
And presently the command will output gpLink when the debug level is set to 10.
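
While linkget prints nothing at the default debug level, the links can still be read from ldapsearch output like that in the description. The following is an added example, not part of the original report or of Samba's code: it unfolds LDIF continuation lines and splits a gPLink value into its GPO paths and option bits. The function names, SAMPLE_LDIF and its placeholder GUIDs and domain are assumptions; the option bits (1 = link disabled, 2 = enforced) follow the documented gPLink format.

```python
import base64
import re

# Constructed sample (not the reporter's data): ldapsearch output for one OU.
# The long gPLink value is folded as LDIF folds it: continuation lines start
# with a single space. GUIDs and the domain are placeholders.
SAMPLE_LDIF = """\
dn: OU=example-ou,DC=example,DC=test
objectClass: organizationalUnit
gPLink: [LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=syste
 m,DC=example,DC=test;0][LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=p
 olicies,cn=system,DC=example,DC=test;2]
gPOptions: 0
"""

# One link looks like "[LDAP://<GPO DN>;<options>]"; a value holds several.
LINK_RE = re.compile(r"\[(LDAP://[^;\]]+);(\d+)\]", re.IGNORECASE)


def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)


def gplinks(ldif):
    """Return [(gpo_path, disabled, enforced), ...] in stored order."""
    links = []
    for line in unfold(ldif).splitlines():
        name, sep, value = line.partition(": ")
        if not sep:
            continue
        if name.endswith(":"):  # "attr:: <base64>" form
            name = name[:-1]
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() != "gplink":
            continue
        for path, opts in LINK_RE.findall(value):
            flags = int(opts)
            # Bit 0x1: link disabled. Bit 0x2: link enforced.
            links.append((path, bool(flags & 1), bool(flags & 2)))
    return links


if __name__ == "__main__":
    for path, disabled, enforced in gplinks(SAMPLE_LDIF):
        print(f"{path} disabled={disabled} enforced={enforced}")
```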