----- Original Message -----
>
> > On 30 Jun 2015, at 17:29, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > ----- Original Message -----
> >> If I load the keytab for Samba: kinit -t /etc/samba/samba.keytab cifs/ipa02.XXX@XXX
> >> Then run the query using GSSAPI - I get no results!
> >>
> >> [...]
> >>
> >> Even stranger, if I split the OR filter and only run the group part, but
> >> still running through GSSAPI - it is successful!
> >>
> >> [...]
> >>
> >> Any ideas what might be happening here?
> >> I’ve read something about non-existent attributes can mess with OR
> >> queries.
> >> But I can’t understand why it would only affect the GSSAPI authenticated
> >> user.
> > This is definitely an issue with ACLs or NACLPlugin.
> >
> > Regarding LDAPI+root and GSSAPI -- the first one maps to cn=Directory
> > Manager, the second one maps to a specific DN.
> > When you are cn=Directory Manager, no ACLs apply to you, so the result is
> > expected.
>
> I thought it might be.
>
> However, the fact that the query works fine without the OR - does that not
> indicate otherwise? Surely permissions would impact both?
>
> To summarise, when using GSSAPI with specific DN, the following returns
> nothing:
>
> (|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))(&(uidNumber=543800010)(objectClass=posixAccount)))
>
> The following returns one result:
>
> (&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))
>
> My understanding would be if it were permissions, both would return nothing.
> I’ve even tried the uidNumber part with a valid uid and it does actually
> return something.

That's why I'm saying it might be an issue in NACLPlugin. Can you please file a bug about it?

--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
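
An added example, not part of the original thread: a small check for the symptom discussed above, where an OR filter returns fewer entries than its branches do when run separately under the same bind identity. The filter strings are the ones quoted in the message; the DN, the `search` callable and the stubbed results are assumptions constructed for illustration, and in practice `search` would wrap a real query made with the GSSAPI-authenticated identity.

```python
# Added example. The filter strings are the ones quoted in the thread; the DN
# and the stubbed search results are constructed for illustration.
OR_FILTER = ("(|(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))"
             "(&(uidNumber=543800010)(objectClass=posixAccount)))")
GROUP_FILTER = "(&(gidNumber=543800010)(objectClass=ipaNTGroupAttrs))"
GROUP_DN = "cn=examplegroup,cn=groups,cn=accounts,dc=example,dc=test"  # constructed

def split_or(filt):
    """Return the top-level branches of an RFC 4515 '(|...)' filter.

    Literal parentheses inside values must be escaped as \\28 and \\29 in
    RFC 4515, so counting raw parentheses is enough to find branch boundaries.
    """
    filt = filt.strip()
    if not (filt.startswith("(|") and filt.endswith(")")):
        raise ValueError("not an OR filter: %r" % filt)
    body, branches, depth, start = filt[2:-1], [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
            if depth == 0:
                branches.append(body[start:i + 1])
        elif depth == 0:
            raise ValueError("unexpected text between branches")
    if depth != 0 or not branches:
        raise ValueError("unbalanced or empty OR filter")
    return branches

def check_or_consistency(search, or_filter):
    """search(filter) returns entry DNs as seen by the bind identity under test."""
    combined = set(search(or_filter))
    per_branch = {b: set(search(b)) for b in split_or(or_filter)}
    union = set().union(*per_branch.values())
    # An OR must match exactly the union of its branches for the same identity.
    return {"missing_from_or": sorted(union - combined),
            "extra_in_or": sorted(combined - union)}

def reported_search(filt):
    """Constructed stub reproducing the symptom described in the thread."""
    return [GROUP_DN] if filt == GROUP_FILTER else []

if __name__ == "__main__":
    print(split_or(OR_FILTER))
    print(check_or_consistency(reported_search, OR_FILTER))
```

A non-empty `missing_from_or` for one bind identity, with both lists empty for `cn=Directory Manager`, is the kind of evidence worth attaching to the bug report requested above.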