> On 30 Jun 2015, at 17:29, Alexander Bokovoy <[email protected]> wrote:
>
> ----- Original Message -----
>> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab
>> cifs/ipa02.XXX@XXX
>> Then run the query using GSSAPI - I get no results!
>>
>> [...]
>>
>> Even stranger, if I split the OR filter and only run the group part, but
>> still running through GSSAPI - it is successful!
>>
>> [...]
>>
>> Any ideas what might be happening here?
>> I’ve read something about non-existent attributes can mess with OR queries.
>> But I can’t understand why it would only affect the GSSAPI authenticated
>> user.
> This is definitely an issue with ACLs or NACLPlugin.
>
> Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory
> Manager, the second one maps to a specific DN.
> When you are cn=Directory Manager, no ACLs apply to you, so the result is
> expected.
> --
> / Alexander Bokovoy

I thought it might be. However, the fact that the query works fine without the OR - does that not indicate otherwise? Surely permissions would impact both?

To summarise, when using GSSAPI with specific DN, the following returns nothing:
> (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))

The following returns one result:
> (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))

My understanding would be if it were permissions, both would return nothing.
I’ve even tried the uidNumber part with a valid uid and it does actually return something.

Thanks,

Jason Woods

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
