On 28 December 2012 05:43, Andrew Bartlett <[email protected]> wrote:
>> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
>> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
>> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
>> --base2='CN=ExampleFirstName
>> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
>
> What username did you use (administrator or another user) to
> authenticate in this case?
> We have an outstanding issue where the read ACL is applied incorrectly
> for non-administrator users, and I need to understand why that is.

Ah you are correct. In the ldapcmp case I had authenticated as a regular user, but in the ldapsearch I had authenticated as administrator. If I modify my ldapcmp command to authenticate as the administrator the comparison passes successfully with all attributes being found in both DCs. So as you presumed it appears to be a minor discrepancy between the attributes that a Windows DC hides from non-Administrators, and those that a Samba4 DC hides.
