Hello! Rowland Penny via samba, on that day, wrote:

> If an ldap lookup works on every DC, except for one and the data is
> definitely there on the one DC it doesn't work on, then it must be
> something on that DC. is there a firewall or apparmor/selinux in the
> way ?

No. Anyway, note that the query correctly returns 'result: 0 Success'; it simply returns no data.

Another query to the same DC returns data, e.g.:

root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep ^rfc822MailMember
Enter LDAP Password:
root@vdmpp1:~#

root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" uid | grep ^uid
Enter LDAP Password:
uid: gaio

It really seems to me to be an ACL problem; note also:

root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep ^rfc822MailMember
Enter LDAP Password:
rfc822MailMember: gaio
rfc822MailMember: marco.gaiarin

But how can I check the ACL data on different DCs?

> Compare the non-working computer with a working one, is there something
> different/missing or something set up differently.

I've checked 'samba-tool testparm', /etc/krb5.conf, /etc/hosts and /etc/resolv.conf: all are the same (as names and IPs show).

-- 
  dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Wed, 28 Nov 2018 18:11:59 +0100
Marco Gaiarin via samba <samba@lists.samba.org> wrote:

> Hello! Rowland Penny via samba, on that day, wrote:
>
> > If an ldap lookup works on every DC, except for one and the data is
> > definitely there on the one DC it doesn't work on, then it must be
> > something on that DC. is there a firewall or apparmor/selinux in the
> > way ?
>
> No. Anyway, note that the query correctly returns 'result: 0 Success';
> it simply returns no data.

That just means the search returned without error.

> Another query to the same DC returns data, e.g.:
>
> root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep
> ^rfc822MailMember
> Enter LDAP Password:
> root@vdmpp1:~#
>
> root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" uid | grep ^uid
> Enter LDAP Password:
> uid: gaio
>
> It really seems to me to be an ACL problem; note also:
>
> root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=gaio,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep
> ^rfc822MailMember
> Enter LDAP Password:
> rfc822MailMember: gaio
> rfc822MailMember: marco.gaiarin
>
> But how can I check the ACL data on different DCs?
>
> > Compare the non-working computer with a working one, is there
> > something different/missing or something set up differently.
>
> I've checked 'samba-tool testparm', /etc/krb5.conf, /etc/hosts and
> /etc/resolv.conf: all are the same (as names and IPs show).
>

If you run the command:

ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)"

Does it produce the entire user object?

Rowland
Hello! Rowland Penny via samba, on that day, wrote:

> > No. Anyway, note that the query correctly returns 'result: 0 Success';
> > it simply returns no data.
> That just means the search returned without error.

Eh. The query succeeded and returned no data. Yes.

> If you run the command:
> ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)"
> Does it produce the entire user object?

No, the query succeeded and returned no data.

root@vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
# filter: (cn=prova123)
# requesting: ALL
#

# search reference
ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it

# search reference
ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it

# search reference
ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

While, against a working DC:

root@vdcsv1:~# ldapsearch -H ldap://vdcpp2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
# filter: (cn=prova123)
# requesting: ALL
#

# prova123, Aliases, FVG, ad.fvg.lnf.it
dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
objectClass: top
objectClass: nisMailAlias
cn: prova123
instanceType: 4
whenCreated: 20171218110150.0Z
uSNCreated: 3516
name: prova123
objectGUID:: MScBgo7I3UmoAnFId/scow=
objectCategory: CN=inetLocalMailRecipient,CN=Schema,CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it
whenChanged: 20181126155319.0Z
uSNChanged: 1649048
rfc822MailMember: gaio
rfc822MailMember: marco.gaiarin
distinguishedName: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it

# search reference
ref: ldap://ad.fvg.lnf.it/CN=Configuration,DC=ad,DC=fvg,DC=lnf,DC=it

# search reference
ref: ldap://ad.fvg.lnf.it/DC=DomainDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it

# search reference
ref: ldap://ad.fvg.lnf.it/DC=ForestDnsZones,DC=ad,DC=fvg,DC=lnf,DC=it

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3