I wanted to add that it appears nslcd is incapable of seeing any of the
posixAccount attributes from the Samba LDAP server. It balks at
unixHomeDirectory, uidNumber, and gidNumber. However, if I do:
    map uidNumber codePage   (or some other random AD attribute)
    map gidNumber codePage
It displays the user in getent (with the wrong uid and gid, obviously).
What gives? Is there some permission issue with those entries? I can do
ldapsearch and see them just fine. I even added administrator credentials to
nslcd and I still get the issue. Oddly enough, if I point nslcd at the Windows
DCs, it works great.
Argh.
________________________________
From: Bethel, Zach
Sent: Thursday, January 31, 2013 4:31 PM
To: samba at lists.samba.org
Subject: Strange nslcd error with ldap database
Greetings,
I've got an S4 DC joined to a Windows 2008 R2 DC. I'm using the s4bind
scripts to add uidNumber/gidNumber/etc entries to LDAP, and I've got
nss-pam-ldap installed on the S4 server. I had this working back in December,
but since installing the latest stable build, getent passwd is throwing this
error:
    [8b4567] <passwd="myuser"> passwd entry CN=myuser,CN=Users,DC=...,DC=...,DC=... does not contain uidNumber value
Interestingly, after creating a user on the Linux side, if I point nslcd at the
Windows DC, it retrieves the LDAP entry just fine. I get nothing from the S4
server. I've done ldbsearch on the local LDAP database and uidNumber is
definitely there. I'm not sure if there's really something else going
on, but I'm at a loss as to what to do.
I don't think it's a Kerberos issue, because it authenticates fine.
It's not my local nslcd client, because I can connect to the Windows DC (via
getent passwd) which has the same replicated database and it displays the user
data.
Has anyone experienced this?
Thanks