Bug 6947 - LDAP group mapping failing due to samba no longer honouring ldap group suffix in smb.conf
Status: RESOLVED WONTFIX
Product: Samba 3.4
Classification: Unclassified
Component: User & Group Accounts
Version: 3.4.3
Hardware: Sparc Solaris
Importance: P3 major
Target Milestone: ---
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2009-12-01 07:19 UTC by Gordon Adshead
Modified: 2009-12-01 09:01 UTC

See Also:


Description Gordon Adshead 2009-12-01 07:19:58 UTC
Whilst preparing to upgrade from 3.0.7 to 3.4.3 we found that LDAP group mapping was no longer functioning as expected. Domain Admins were not getting the expected privileges, and errors were noted when setting Windows file security settings.

In the samba log file ( smbd.log ) we noted that duplicate entries were being found for the objectclass sambaGroupMapping.

[2009/11/24 12:11:52,  1] passdb/pdb_ldap.c:2475()
  ldapsam_getgroup: Duplicate entries for filter (&(objectClass=sambaGroupMapping)(gidNumber=10)): count=2

When checking our LDAP server access log we found that searches were commencing at our main suffix, and not at the group suffix where we would expect. This is set in our smb.conf using:

ldap suffix = dc=our,dc=company,dc=com
ldap machine suffix = ou=Computers
ldap group suffix = ou=oursambagroups
ldap user suffix =
ldap admin dn = "cn=administrator"

Although we have a single People suffix, we have two group containers for different sub-divisions of our company.

This is key to our LDAP data structure.

Examination of the code in pdb_ldap.c seems to indicate that lp_ldap_group_suffix is no longer referenced, despite the fact that the configuration variable is still valid in smb.conf.

References to lp_ldap_group_suffix that existed in version 3.0.7 have been replaced with lp_ldap_suffix, thus making it redundant.

My apologies in advance if I have missed any deliberate change that would require us to restructure our LDAP DIT, but this does look like a coding error.

After comparing pdb_ldap.c in the two versions, it would seem that the following changes need to be made in eight places. Lines:

2318,2638,2886,3344,3353,3743,4099,4701

We have tried this fix and early indications are that it resolves the problem.

Please fix!

diff pdb_ldap.c pdb_ldap.c.ORIG
2318c2318
<                           lp_ldap_group_suffix (), scope,
---
>                           lp_ldap_suffix (), scope,
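Review bot: the diff reads backwards for anyone applying it, because `diff pdb_ldap.c pdb_ldap.c.ORIG` lists the patched file first: the `<` lines here are the proposed change and the `>` lines are the 3.4.3 original, so `patch` would apply it in reverse unless given `-R`. Regenerate it as `diff -u pdb_ldap.c.ORIG pdb_ldap.c` so each hunk carries function context and the change reads as `-lp_ldap_suffix (), scope,` / `+lp_ldap_group_suffix (), scope,`, instead of relying on bare line numbers that will not match other 3.4.x revisions.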
2638c2638
<       rc = smbldap_search(conn, lp_ldap_group_suffix(),
---
>       rc = smbldap_search(conn, lp_ldap_suffix(),
2886c2886
<       rc = smbldap_search(conn, lp_ldap_group_suffix(),
---
>       rc = smbldap_search(conn, lp_ldap_suffix(),
3344c3344
<       rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
---
>       rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3353c3353
<                         lp_ldap_group_suffix(), filter));
---
>                         lp_ldap_suffix(), filter));
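Review bot: this line appears to be the debug message for the search at 3344 (it is handed the same base and `filter` immediately after it), so it is right to change it together with 3344; left at `lp_ldap_suffix()`, the log would report a search base that smbldap_search did not actually use.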
3743c3743
<       rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
---
>       rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
4099c4099
<                                   lp_ldap_group_suffix(),
---
>                                   lp_ldap_suffix(),
4701c4701
<       state->base = talloc_strdup(search, lp_ldap_group_suffix());
---
>       state->base = talloc_strdup(search, lp_ldap_suffix());
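Review bot: with every search base in these eight places narrowed to `lp_ldap_group_suffix()`, a sambaGroupMapping entry in the second group container the description mentions (the one not under `ou=oursambagroups`) is no longer found by any of these lookups at all, which is the "Samba not finding groups" failure Comment 1 gives as the reason for searching from `ldap suffix`. The patch therefore only fits a DIT in which every group mapping Samba must see lives under the group suffix; that should be stated in the bug rather than left for the next reader to discover from a missing group.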
Comment 1 Volker Lendecke 2009-12-01 07:23:38 UTC
This is intentional, sorry. That kind of setup has caused too much trouble with Samba not finding groups and other entities in LDAP. ldap group suffix should still be referenced when we create objects.

Please apply the patch locally if you really need it; the patch looks right for your setup.

Volker
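The search behaviour at the centre of this report, modelled offline as an added example. This is not Samba code and not the reporter's patch: it parses a small constructed LDIF that mirrors the DIT the description outlines (one container named by `ldap group suffix`, a second container for the other sub-division, two sambaGroupMapping entries sharing gidNumber 10), and runs the filter from the quoted log line, `(&(objectClass=sambaGroupMapping)(gidNumber=10))`, with subtree scope from both bases: `ldap suffix`, which 3.4.3 uses, and `ldap group suffix`, which 3.0.7 used and the local patch restores. The container name `ou=othergroups`, the group names and the function names are assumptions made for the example. The `duplicate_gids` audit goes beyond the single gid in the report and lists every gidNumber with more than one mapping under a base, which is the check to run against a real directory (e.g. on an `ldapsearch -x -LLL` dump) before upgrading, or before deciding, as Comment 1 suggests, whether the patch fits the DIT.

```python
"""Offline model of the ldapsam_getgroup search in Samba bug 6947.

Added example, not Samba code. Constructed LDIF below mirrors the DIT
described in the report: two group containers, two sambaGroupMapping
entries sharing gidNumber 10, only one of them under the group suffix.
"""
from collections import defaultdict

# Values from the smb.conf quoted in the description.
LDAP_SUFFIX = "dc=our,dc=company,dc=com"
LDAP_GROUP_SUFFIX = "ou=oursambagroups"   # partial DN, as in the bug's smb.conf

# Constructed sample data; `ou=othergroups` is an assumed name for the
# reporter's second group container.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=oursambagroups,dc=our,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 10

dn: cn=admins,ou=othergroups,dc=our,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
gidNumber: 10

dn: cn=staff,ou=oursambagroups,dc=our,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 11
"""


def parse_ldif(text):
    """Minimal LDIF reader for the plain `attr: value` form used above.
    Returns a list of (dn, {lowercased attribute: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def effective_group_suffix():
    """smb.conf(5) rule: a partial `ldap group suffix` is prepended to
    `ldap suffix`; an empty one falls back to `ldap suffix` itself."""
    return f"{LDAP_GROUP_SUFFIX},{LDAP_SUFFIX}" if LDAP_GROUP_SUFFIX else LDAP_SUFFIX


def in_subtree(dn, base):
    """LDAP subtree scope: the base entry itself or any entry below it."""
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def is_group_mapping(attrs):
    return "sambagroupmapping" in [v.lower() for v in attrs.get("objectclass", [])]


def getgroup(entries, base, gid):
    """The lookup behind the quoted log line: filter
    (&(objectClass=sambaGroupMapping)(gidNumber=<gid>)), subtree scope from
    `base`. Returns the matching DNs; Samba rejects the result when count != 1."""
    return [dn for dn, attrs in entries
            if in_subtree(dn, base) and is_group_mapping(attrs)
            and str(gid) in attrs.get("gidnumber", [])]


def duplicate_gids(entries, base):
    """Pre-upgrade audit: every gidNumber carried by more than one
    sambaGroupMapping entry under `base`. Each hit would trip getgroup()."""
    by_gid = defaultdict(list)
    for dn, attrs in entries:
        if in_subtree(dn, base) and is_group_mapping(attrs):
            for gid in attrs.get("gidnumber", []):
                by_gid[gid].append(dn)
    return {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for label, base in (("3.4.3, base = ldap suffix", LDAP_SUFFIX),
                        ("3.0.7, base = ldap group suffix", effective_group_suffix())):
        hits = getgroup(entries, base, 10)
        print(f"{label}: searching {base}: count={len(hits)}")
        if len(hits) > 1:
            print("  -> ldapsam_getgroup: Duplicate entries for filter "
                  f"(&(objectClass=sambaGroupMapping)(gidNumber=10)): count={len(hits)}")
        print("  gidNumbers with duplicate mappings under this base:",
              sorted(duplicate_gids(entries, base)) or "none")
```

Run as a script it prints count=2 for the 3.4.3 base (the condition that produces the "Duplicate entries" message in the report) and count=1 for the group-suffix base. The subtree test deliberately compares on `"," + base` so that a sibling container whose name merely ends in the same characters is not mistaken for a child.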