On Fri, 2012-12-28 at 12:24 +0100, Dominic Evans wrote:
> On 28 December 2012 05:43, Andrew Bartlett <[email protected]> wrote:
> >> $ sudo samba-tool ldapcmp ldap://windowsdc.exampledn.com
> >> ldap://samba4dc.exampledn.com domain --base='CN=ExampleFirstName
> >> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> >> --base2='CN=ExampleFirstName
> >> ExampleSecondName,OU=OU,DC=exampledn,DC=com'
> >
> > What username did you use (administrator or another user) to
> > authenticate in this case?
> > We have an outstanding issue where the read ACL is applied incorrectly
> > for non-administrator users, and I need to understand why that is.
> 
> Ah you are correct. In the ldapcmp case I had authenticated as a
> regular user, but in the ldapsearch I had authenticated as
> administrator. If I modify my ldapcmp command to authenticate as the
> administrator the comparison passes successfully with all attributes
> being found in both DCs. So as you presumed it appears to be a minor
> discrepancy between the attributes that a Windows DC hides from
> non-Administrators, and those that a Samba4 DC hides.

In many ways the issue isn't minor, it is actually quite major.  But it
is helpful to know that there isn't an additional issue.  I'm working on
the ACL issue, and have a lead, so we should have this fixed in the next
few days.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
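
An added example, not part of the original messages or of Samba's own tooling: one way to check for the discrepancy discussed in this thread is to dump the same object from each DC with the same non-administrator bind and compare which attribute names each server returned. The LDIF samples and the attribute name `exampleHiddenAttr` are constructed for illustration.

```python
import base64

def parse_ldif_attrs(ldif_text):
    """Map each entry's DN (lowercased) to the set of attribute names returned."""
    lines = []
    for raw in ldif_text.splitlines():
        # RFC 2849 folding: a leading space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        name, sep, value = line.partition(":")
        if not line.strip() or line.startswith("#") or not sep:
            dn = None if not line.strip() else dn   # blank line ends an entry
            continue
        name = name.split(";")[0].lower()           # drop options such as ;range=
        if name == "dn":
            # "dn:: ..." carries a base64-encoded DN
            text = base64.b64decode(value[1:]).decode() if value.startswith(":") else value
            dn = text.strip().lower()
            entries[dn] = set()
        elif dn is not None:
            entries[dn].add(name)
    return entries

def visible_attr_diff(ldif_first, ldif_second):
    """Attributes one server returned and the other did not, per DN."""
    a, b = parse_ldif_attrs(ldif_first), parse_ldif_attrs(ldif_second)
    report = {}
    for dn in sorted(set(a) | set(b)):
        only_a = a.get(dn, set()) - b.get(dn, set())
        only_b = b.get(dn, set()) - a.get(dn, set())
        if only_a or only_b:
            report[dn] = {"only_first": sorted(only_a), "only_second": sorted(only_b)}
    return report

# Constructed sample output, both captured with the same regular-user bind.
WINDOWS_DC = """dn: CN=ExampleFirstName ExampleSecondName,OU=OU,DC=exampledn,
 DC=com
objectClass: user
cn: ExampleFirstName ExampleSecondName
"""
SAMBA4_DC = WINDOWS_DC + "exampleHiddenAttr: constructed-value\n"

if __name__ == "__main__":
    print(visible_attr_diff(WINDOWS_DC, SAMBA4_DC))
```

An empty report for the administrator bind alongside a non-empty one for a regular user points at read-ACL handling rather than at replication.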

