Mauricio Tavares
2019-Sep-06 19:14 UTC
[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.
Quick-n-easy questions:

Let's say user raub is added to group nosy using smbldap-groupmod

smbldap-groupmod -m raub nosy

Now, according to ol' ldapsearch,

ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(cn=nosy)"

group nosy has a dn attribute that looks like this

dn: cn=nosy,ou=PosixGroups,dc=example,dc=com

ldapsearch even lists the memberUid for each member in said group. So far so good. However, when I ask ldapsearch to tell me about raub,

ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(uid=raub)"

It will give me lots of exciting info about said user but not a single memberOf attribute. The same goes for smbldap-showuser. Is there anything I might have misconfigured here? Incidentally, if I do "id raub", I get the list of non-local groups said user belongs to, including nosy.
Andrew Bartlett
2019-Sep-06 19:51 UTC
[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.
On Fri, 2019-09-06 at 15:14 -0400, Mauricio Tavares via samba wrote:
> However, when I ask ldapsearch to tell me about raub,
>
> ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(uid=raub)"
>
> It will give me lots of exciting info about said user but not a single memberOf attribute.

The rfc2307 mapping of unix group behaviour onto LDAP does not feature member or memberOf attributes, just as /etc/passwd does not store groups, but /etc/group stores group member usernames.

AD has member/memberOf as linked attributes, but even there it is more complex, with nested groups only being fully calculated via the operational tokenGroups attribute on the user DN (as a base search) and only fully, finally resolved on a login via tokenGroups on the rootDSE.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Mauricio Tavares
2019-Sep-06 20:10 UTC
[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.
On Fri, Sep 6, 2019 at 3:51 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Fri, 2019-09-06 at 15:14 -0400, Mauricio Tavares via samba wrote:
> > However, when I ask ldapsearch to tell me about raub,
> >
> > ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(uid=raub)"
> >
> > It will give me lots of exciting info about said user but not a single memberOf attribute.
>
> The rfc2307 mapping of unix group behaviour onto LDAP does not feature member or memberOf attributes, just as /etc/passwd does not store groups, but /etc/group stores group member usernames.
>
> AD has member/memberOf as linked attributes, but even there it is more complex, with nested groups only being fully calculated via the operational tokenGroups attribute on the user DN (as a base search) and only fully, finally resolved on a login via tokenGroups on the rootDSE.
>
> I hope this clarifies things,
>

It does. I guess I was used to rfc2307bis, which freeipa still uses [1] even though (as I learned today) its draft expired in 2010. [2]

[1] https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/migration.py
[2] https://tools.ietf.org/html/draft-howard-rfc2307bis-02

> Andrew Bartlett
>
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
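The two replies above describe the same fact from different angles: under plain rfc2307 the only record of membership is memberUid on the posixGroup entry, so "which groups is raub in?" has to be asked from the group side, e.g. with the filter (&(objectClass=posixGroup)(memberUid=raub)); that is the search nss_ldap/sssd perform behind "id raub", which is why id sees nosy while a search on the user entry does not. Under rfc2307bis-style groupOfNames the member attribute holds DNs, so groups can nest and the lookup has to walk the membership graph. The script below, an added example and not code from this thread, from Samba or from smbldap-tools, does both over a small constructed directory held inline as LDIF. Only the DNs for raub and nosy come from the original post; alice, staff, nosy-bis and auditors are invented, and alice deliberately has no posixAccount entry so the stale-memberUid check has something to report.

```python
"""Reconstruct a user's group list from rfc2307 / rfc2307bis LDAP entries.

Added example, not from the Samba thread. The LDIF below is constructed;
only the DNs for raub and nosy are taken from the original post.
"""
import re
from collections import defaultdict

# Constructed sample directory. raub and nosy match the thread; every other
# entry is invented. alice is named in memberUid but has no user entry.
SAMPLE_LDIF = """\
dn: uid=raub,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: raub
uidNumber: 10001
gidNumber: 10001

dn: cn=nosy,ou=PosixGroups,dc=example,dc=com
objectClass: posixGroup
cn: nosy
gidNumber: 20001
memberUid: raub
memberUid: alice

dn: cn=staff,ou=PosixGroups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 20002
memberUid: alice

dn: cn=nosy-bis,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: nosy-bis
member: uid=raub,ou=People,dc=example,dc=com

dn: cn=auditors,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: auditors
member: cn=nosy-bis,ou=Groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank-line separated entries,
    folded continuation lines starting with a space) into
    {dn: {attr: [values]}}. Attribute names are lower-cased."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF line folding
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs, dn = defaultdict(list), None
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn:
            entries[dn] = dict(attrs)
    return entries


def _norm_dn(dn):
    """Case-insensitive DN comparison key (sufficient for these simple DNs)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def rfc2307_groups(entries, uid):
    """Plain rfc2307: search from the group side, equivalent to the filter
    (&(objectClass=posixGroup)(memberUid=<uid>)). Nothing on the user entry
    records membership, and posixGroup cannot nest."""
    return sorted(
        attrs["cn"][0]
        for attrs in entries.values()
        if "posixgroup" in (v.lower() for v in attrs.get("objectclass", []))
        and uid in attrs.get("memberuid", [])
    )


def rfc2307bis_groups(entries, user_dn):
    """rfc2307bis-style groupOfNames: 'member' holds DNs, so a group may be a
    member of another group. Walk the graph transitively (cycle-safe)."""
    by_member = defaultdict(list)
    for dn, attrs in entries.items():
        for m in attrs.get("member", []):
            by_member[_norm_dn(m)].append(dn)
    seen, todo = set(), [_norm_dn(user_dn)]
    while todo:
        for group_dn in by_member.get(todo.pop(), []):
            gkey = _norm_dn(group_dn)
            if gkey not in seen:
                seen.add(gkey)
                todo.append(gkey)
    return sorted(entries[dn]["cn"][0] for dn in entries if _norm_dn(dn) in seen)


def stale_member_uids(entries):
    """memberUid is a bare string with no referential integrity: a value that
    names no existing uid is silently stale. Report such values per group."""
    uids = {u for a in entries.values() for u in a.get("uid", [])}
    return {a["cn"][0]: sorted(set(a["memberuid"]) - uids)
            for a in entries.values() if "memberuid" in a}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("rfc2307   :", rfc2307_groups(directory, "raub"))
    print("rfc2307bis:", rfc2307bis_groups(directory, "uid=raub,ou=People,dc=example,dc=com"))
    print("stale memberUid values:", stale_member_uids(directory))
```

The stale_member_uids check is the practical caveat of the memberUid model: renaming or deleting a user leaves the string in every group it was in, and an account later created with the same uid inherits those memberships. Against a live directory the same group-side query is a single ldapsearch with the filter shown in the rfc2307_groups docstring.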
Rowland penny
2019-Sep-06 20:11 UTC
[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.
On 06/09/2019 20:14, Mauricio Tavares via samba wrote:
> Quick-n-easy questions:
>
> Let's say user raub is added to group nosy using smbldap-groupmod
>
> smbldap-groupmod -m raub nosy
>
> Now, according to ol' ldapsearch,
>
> ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(cn=nosy)"
>
> group nosy has a dn attribute that looks like this
>
> dn: cn=nosy,ou=PosixGroups,dc=example,dc=com
>
> ldapsearch even lists the memberUid for each member in said group. So far so good. However, when I ask ldapsearch to tell me about raub,
>
> ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(uid=raub)"
>
> It will give me lots of exciting info about said user but not a single memberOf attribute. The same goes for smbldap-showuser. Is there anything I might have misconfigured here? Incidentally, if I do "id raub", I get the list of non-local groups said user belongs to, including nosy.
>

Yes, you mis-configured your domain as an old NT4-style domain, why?

NT4-style domains are on the way out. Microsoft keeps breaking them by mistake (and then fixing them), and they depend on insecure protocols which everybody is trying to get rid of. smbldap-tools is no longer being maintained and doesn't seem to have a website.

Can I suggest that you consider upgrading to a Samba AD domain.

Rowland
Rowland penny
2019-Sep-09 16:19 UTC
[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.
On 09/09/2019 16:55, Mauricio Tavares wrote:
> On Fri, Sep 6, 2019 at 4:12 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>> On 06/09/2019 20:14, Mauricio Tavares via samba wrote:
>>> Quick-n-easy questions:
>>>
>>> Let's say user raub is added to group nosy using smbldap-groupmod
>>>
>>> smbldap-groupmod -m raub nosy
>>>
>>> Now, according to ol' ldapsearch,
>>>
>>> ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(cn=nosy)"
>>>
>>> group nosy has a dn attribute that looks like this
>>>
>>> dn: cn=nosy,ou=PosixGroups,dc=example,dc=com
>>>
>>> ldapsearch even lists the memberUid for each member in said group. So far so good. However, when I ask ldapsearch to tell me about raub,
>>>
>>> ldapsearch -vvv -H "ldaps://ldap.example.com" -D "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(uid=raub)"
>>>
>>> It will give me lots of exciting info about said user but not a single memberOf attribute. The same goes for smbldap-showuser. Is there anything I might have misconfigured here? Incidentally, if I do "id raub", I get the list of non-local groups said user belongs to, including nosy.
>>>
>> Yes, you mis-configured your domain as an old NT4-style domain, why?
>>
> Actually this is an openldap domain. About smbldap-tools, the day before I sent the original question in this thread was the first time I've heard of that package. Other info indicates this was set up a long time ago and is in dire need of being upgraded.
>

Nope, if Samba is involved, it will be a PDC and a PDC is an NT4-style domain controller, which makes it a Samba domain that uses Openldap.

Saying 'in dire need of being upgraded' could just be the understatement of the year ;-)

All and any (in my opinion) NT4-style DCs should be upgraded to AD.

Rowland