> On 30 Jun 2015, at 17:29, Alexander Bokovoy <aboko...@redhat.com> wrote:
> ----- Original Message -----
>> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab
>> cifs/ipa02.XXX@XXX
>> Then run the query using GSSAPI - I get no results!
>> [...]
>> Even stranger, if I split the OR filter and only run the group part, but
>> still running through GSSAPI - it is successful!
>> [...]
>> Any ideas what might be happening here?
>> I’ve read something about non-existent attributes can mess with OR queries.
>> But I can’t understand why it would only affect the GSSAPI authenticated
>> user.
> This is definitely an issue with ACLs or NACLPlugin.
> Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory 
> Manager, the second one maps to a specific DN.
> When you are cn=Directory Manager, no ACLs apply to you, so the result is 
> expected.
> --
> / Alexander Bokovoy

I thought it might be.

However, the fact that the query works fine without the OR - does that not 
indicate otherwise? Surely permissions would impact both?

To summarise, when using GSSAPI with specific DN, the following returns nothing:
> (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))

The following returns one result:
> (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))

My understanding would be if it were permissions, both would return nothing.
I’ve even tried the uidNumber part with a valid uid and it does actually return 


Jason Woods

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to