samba - Nov 2018 - Different LDAP query in different DC...

> Why?!
Sorry but... someone can point me in the right direction? Really i
don't know how to look for that problem...

I summarize:

a) an LDAP lookup for some data works in ALL DC past one

b) in that non-working DC, a direct query against the sam.ldb reveal
 that data are here (so, seems to me an ACL problem)

c) checking sync status between DCs reveal no sync troubles.


Where i can look for? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On Wed, 28 Nov 2018 13:04:16 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> > Why?!
> 
> Sorry but... someone can point me in the right direction? Really i
> don't know how to look for that problem...
> 
> I summarize:
> 
> a) an LDAP lookup for some data works in ALL DC past one
> 
> b) in that non-working DC, a direct query against the sam.ldb reveal
>  that data are here (so, seems to me an ACL problem)
> 
> c) checking sync status between DCs reveal no sync troubles.
> 
> 
> Where i can look for? Thanks.
> 
If an ldap lookup works on every DC, except for one and the data is
definitely there on the one DC it doesn't work on, then it must be
something on that DC. is there a firewall or apparmor/selinux in the
way ?
Compare the non-working computer with a working one, is there something
different/missing or something set up differently.

Rowland

Mandi! Rowland Penny via samba
  In chel di` si favelave...
> If an ldap lookup works on every DC, except for one and the data is
> definitely there on the one DC it doesn't work on, then it must be
> something on that DC. is there a firewall or apparmor/selinux in the
> way ?
No. Anyway, note that query return correctly 'result: 0 Success',
simply return no data.
Another query to the same DC return data. eg:

 root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it
"(cn=prova123)" rfc822MailMember | grep ^rfc822MailMember
 Enter LDAP Password: 
 root at vdmpp1:~# 
 root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it
"(uid=gaio)" uid | grep ^uid
 Enter LDAP Password: 
 uid: gaio

Seems really to me an ACL trouble, note also:

 root at vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it -b
DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep
^rfc822MailMember
 Enter LDAP Password: 
 rfc822MailMember: gaio
 rfc822MailMember: marco.gaiarin

But how can i check ACLs data on different DCs?

> Compare the non-working computer with a working one, is there something
> different/missing or something set up differently.
I've checked 'samba-tool testparm', /etc/krb5.conf, /etc/hosts,
/etc/resolv.conf: all are the same (names and ips docet).

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)