Displaying 9 results from an estimated 9 matches for "prova123".
2018 Nov 29
2
Different LDAP query in different DC...
...mply return no data.
> That just means the search returned without error
Eh. Query succeeded and returned no data. Yes.
> If you run the command:
> ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)"
> Does it produce the entire users object ?
No, query succeeded and returned no data.
root@vdcsv1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)"
Enter LDAP Password:
# extended...
2018 Nov 28
2
Different LDAP query in different DC...
...?
No. Anyway, note that the query correctly returns 'result: 0 Success',
it simply returns no data.
Another query to the same DC returns data, e.g.:
root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep ^rfc822MailMember
Enter LDAP Password:
root@vdmpp1:~#
root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" uid | grep ^uid
Enter LDAP Password:
u...
2018 Nov 26
3
Different LDAP query in different DC...
...P data in 'laster draft
schema' format I've added to the samba/AD schema.
All LDAP queries return the same result on all (6) of the DCs:
root@vdcsv1:~# ldapsearch -H ldap://vdcsv2.ad.fvg.lnf.it -W -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
# filter: (cn=prova123)
# requesting: rfc822MailMember
#
# prova123, Aliases, FVG, ad.fvg.lnf.it
dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC...
2018 Nov 29
2
Different LDAP query in different DC...
...the same access.
> Do you have access to the DC ?
> Can you run the search locally ?
Sure! As just stated, local access (via ldbsearch against the local
SAM) works as expected:
root@vdcpp1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)"
# record 1
dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
objectClass: top
objectClass: nisMailAlias
cn: prova123
instanceType: 4
whenCreated: 20171218110150.0Z
uSNCreated: 7923
name: prova123
objectGUID: 82012731-c88e-49dd-a802-714877fb1ca3
objectCategory: CN=inetLoc...
2018 Nov 29
2
Different LDAP query in different DC...
Hello! Rowland Penny via samba
On that day it was said...
> You need to explicitly ask for it, for instance:
Oh, cool! Seems effectively different:
root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor
# record 1
dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
nTSecurityDescriptor: O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-360138
5002-3131615632-1314)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c
c14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CI...
2018 Nov 28
0
Different LDAP query in different DC...
...simply return no data.
That just means the search returned without error
> Another query to the same DC return data. eg:
>
> root@vdmpp1:~# ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(cn=prova123)" rfc822MailMember | grep
> ^rfc822MailMember Enter LDAP Password: root@vdmpp1:~# root@vdmpp1:~#
> ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D
> CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -b
> DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" uid | grep ^uid Enter LDAP...
2018 Nov 29
0
Different LDAP query in different DC...
...wland Penny via samba
> On that day it was said...
>
> > You need to explicitly ask for it, for instance:
>
> Oh, cool! Seems effectively different:
>
> root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b
> "DC=ad,DC=fvg,DC=lnf,DC=it" "(cn=prova123)" nTSecurityDescriptor #
> record 1 dn: CN=prova123,CN=Aliases,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> nTSecurityDescriptor:
> O:DAG:DAD:AI(A;CINPID;RPLCRC;;;S-1-5-21-160080369-360138
> 5002-3131615632-1314)
This one has an extra ACE and in readable form it is:
(A;CINPID;RPLCRC;;;S-1-...
2018 Nov 28
2
Different LDAP query in different DC...
> Why?!
Sorry but... can someone point me in the right direction? Really I
don't know how to look for that problem...
I summarize:
a) an LDAP lookup for some data works in ALL DCs past one
b) in that non-working DC, a direct query against the sam.ldb reveals
that data are here (so, seems to me an ACL problem)
c) checking sync status between DCs reveals no sync troubles.
Where i can
2018 Nov 29
2
Different LDAP query in different DC...
Hello! Rowland Penny via samba
On that day it was said...
> S-1-5-21-160080369-3601385002-3131615632-1314
Bingo! Exactly the 'Restricted' group that owns the users I use for
generic LDAP access!
I really think that we have found the trouble!
Now... how can I fix it? ;-)
And... why is that value not propagated?!
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66