Bug 9520 - winbind and RFC2307 schema on an AD-DC
Summary: winbind and RFC2307 schema on an AD-DC
Status: RESOLVED DUPLICATE of bug 9718
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.0.0
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-24 07:01 UTC by maurer
Modified: 2013-04-01 22:18 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description maurer 2012-12-24 07:01:17 UTC 
User and group ID's , if set in  RFC2307 are only resolved correctly on the samba AD-DC, 

If I do a

ldbedit -e vi -H /etc/samba/sam.ldb

and manually add
objectClass: posixGroup
to testgroup
and
objectClass: posixAccount
to testuser

before adding thisobjectclasses

testgroup:*:3000022:                                                                                                                                

S4HJ\testuser:*:3000013:100::/home/testuser:/bin/bash      

After Adding this object classes

[root@merlot samba-4.0.0]# getent passwd testuser
S4HJ\testuser:*:10000:10001::/home/testuser:/bin/bash
[root@merlot samba-4.0.0]# getent group testgroup
testgroup:*:10000:
[root@merlot samba-4.0.0]# id -a S4HJ\\testuser
uid=10000(S4HJ\testuser) gid=10001(testgroup2)
Gruppen=10001(testgroup2),100(users),10000(testgroup)

Regrads

Hansjörg
Comment 1 maurer 2013-04-01 06:57:59 UTC 
 in 4.0.4 the problem still exists

Just to keep it documented here
Andrew submitted this patch for 4.0.0

 diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c
index a6cc88f..e11a8e4 100644
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
@@ -236,8 +236,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
                                                      LDB_SCOPE_SUBTREE,
                                                      sam_attrs, 0,
                                                      "(&(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u))"
-                                                     "(uidNumber=%u)(objectSid=*)"
-                                                     "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+                                                     "(uidNumber=%u)(objectSid=*))",
                                                      ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, unixid->id);
                        } else {
                                /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
@@ -274,8 +273,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
                                                      ldb_get_default_basedn(idmap_ctx->samdb),
                                                      LDB_SCOPE_SUBTREE,
                                                      sam_attrs, 0,
-                                                     "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
-                                                     "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+                                                     "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u))",
                                                      ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
                                                      unixid->id);
                        } else {
--
1.7.11.7

I additionallay added

[root@merlot winbind]# diff idmap.c idmap.c_org
440c440,441
<                                     "(|(uidNumber=*)(gidNumber=*)))",
---
>                                     "(|(uidNumber=*)(gidNumber=*))"
>                                     "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
Comment 2 Andrew Bartlett 2013-04-01 22:18:21 UTC 
Marking as 'duplicate' of the bug I filed trying to get this fix into 4.0.5

*** This bug has been marked as a duplicate of bug 9718 ***