
ACL caused uidNumber=4294967295 ?



Hi, I got a weird problem with ldap & samba & sssd.

 pdbedit -L showed all users having the same uid (4294967295)

ACL:

[root@rhel6 slapd.d]# grep -ir "olcAccess" .
./cn=config/olcDatabase={2}monitor.ldif:olcAccess: {0}to *  by dn.base="cn=manager,dc=my-domain,dc=com" read  by * none
./cn=config/olcDatabase={0}config.ldif:olcAccess: {0}to *  by * none
./cn=config/olcDatabase={1}bdb.ldif:olcAccess: to * by * read by self write


More details below:

 --------------------------------------------------------------------------------------------------------------------------------------------------------

[root@rhel6 cn=config]# pdbedit -L
testsmb:4294967295:testsmb              <sometimes the user testsmb has the correct uid 503, I don't know why>
test2:4294967295:test2
test3:4294967295:test3


[root@rhel6 ~]# getent -s sss passwd
example:*:9999:9999::/home/example:/bin/sh

<sometimes we can get user testsmb here>


[root@rhel6 cn=config]# ldapsearch -x -D "cn=root,dc=rhel6,dc=ldaptest,dc=com" -W

........

# testsmb, rhel6.ldaptest.com
dn: uid=testsmb,dc=rhel6,dc=ldaptest,dc=com
cn: testsmb
uid: testsmb
uidNumber: 503
loginShell: /bin/bash
homeDirectory: /home/testsmb
gidNumber: 500
userPassword:: e2NyeXB0fUFPblQvYkJsbEJTWFk=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: sambaSamAccount
sambaPwdLastSet: 1308553125
sambaPwdCanChange: 1308553125
sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201
sambaLMPassword: 67E272A0267766A117306D272A9441BB
sambaPrimaryGroupSID: 2001
sambaAcctFlags: [U          ]
shadowLastChange: 15145
gecos: testsmb
sn: testsmb
sambaSID: S-1-5-21-423381952-115127825-699677302-1004


# test2, rhel6.ldaptest.com
dn: uid=test2,dc=rhel6,dc=ldaptest,dc=com
cn: test2
uid: test2
uidNumber: 504
loginShell: /bin/bash
homeDirectory: /home/test2
gidNumber: 500
userPassword:: e2NyeXB0fVhSbXVGQUd2cHMublE=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: sambaSamAccount
sambaPwdLastSet: 1308557836
sambaPwdCanChange: 1308557836
sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201
sambaLMPassword: 67E272A0267766A117306D272A9441BB
sambaPrimaryGroupSID: 2001
sambaAcctFlags: [U          ]
shadowLastChange: 15145
gecos: test2
sn: test2
sambaSID: S-1-5-21-423381952-115127825-699677302-1005
# example, rhel6.ldaptest.com
dn: uid=example,dc=rhel6,dc=ldaptest,dc=com
cn: Example user
sn: Example user
uid: example
uidNumber: 9999
gidNumber: 9999
loginShell: /bin/sh
homeDirectory: /home/example
objectClass: posixAccount
objectClass: person
userPassword:: KkxLKg==

smb.conf

        security = user
        passdb backend = ldapsam:ldap://rhel6.ldaptest.com
        ldap admin dn = "cn=root,dc=rhel6,dc=ldaptest,dc=com"
        ldap suffix = dc=rhel6,dc=ldaptest,dc=com
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap ssl = start tls
        ldap passwd sync = yes

Debug info shown below

slapd debug acl

 ------------------------------------------------------------------------------------------------------------------------------------

[root@rhel6 ~]# service slapd start
Starting slapd: @(#) $OpenLDAP: slapd 2.4.19 (Jun 30 2010 03:56:07) $
        mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.19/openldap-2.4.19/build-servers/servers/slapd
=> access_allowed: search access to "cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={0}corba,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={1}core,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={2}cosine,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={3}duaconf,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={4}dyngroup,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={5}inetorgperson,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={6}java,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={7}misc,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={8}nis,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={9}openldap,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={10}ppolicy,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={11}collective,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={12}samba,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by * none

/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by * read
        by self write

/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={2}monitor,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by dn.base="cn=manager,dc=my-domain,dc=com" read
        by * none

/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
slapd starting
debug info for "su - test2"

sssd debug info
-------------------------------------------------------------------------------------------------------------------------------------------------------------

(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_parse_entry] (9): OriginalDN: [uid=test2,dc=rhel6,dc=ldaptest,dc=com].
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x9e08488], connected[1], ops[0x9ea1b10], ldap[0x9e08540]
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_process] (6): Search for users, returned 1 results.
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x9e08488], connected[1], ops[(nil)], ldap[0x9e08540]
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): start ldb transaction (nesting: 0)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (9): Save user
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (2): User [test2] filtered out! (id out of range)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_users_process] (2): Failed to store user 0. Ignoring.
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_done] (9): Saving 1 Users - Done
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_remove_timeout] (8): 0x9dcde28
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 9DCDF38
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No matching domain found for [test2], fail!
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No results for getpwnam call
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success


slapd debug info
-----------------------------------------------------------------------------------------------------------------------------------------------------------------

=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "dc=rhel6,dc=ldaptest,dc=com" "entry" requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uid" requested
=> acl_get: [1] attr uid
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uid" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "entry" requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (cn)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "cn" requested
=> acl_get: [1] attr cn
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "cn" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (uid)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uid" requested
=> acl_get: [1] attr uid
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uid" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (uidNumber)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uidNumber" requested
=> acl_get: [1] attr uidNumber
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uidNumber" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (loginShell)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "loginShell" requested
=> acl_get: [1] attr loginShell
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "loginShell" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (homeDirectory)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "homeDirectory" requested
=> acl_get: [1] attr homeDirectory
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "homeDirectory" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (gidNumber)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "gidNumber" requested
=> acl_get: [1] attr gidNumber
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "gidNumber" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (userPassword)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "userPassword" requested
=> acl_get: [1] attr userPassword
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (objectClass)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result not in cache (shadowLastChange)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "shadowLastChange" requested
=> acl_get: [1] attr shadowLastChange
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "shadowLastChange" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (gecos)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "gecos" requested
=> acl_get: [1] attr gecos
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "gecos" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (modifyTimestamp)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "modifyTimestamp" requested
=> acl_get: [1] attr modifyTimestamp
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "modifyTimestamp" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
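An added note on the ACL in the post, not part of the original message. The rule on the `{1}bdb` database, `to * by * read by self write`, has two problems. First, slapd stops at the first `by` clause that matches the requesting identity, and `by *` matches everyone, so `by self write` is never reached and users cannot change their own password. Second, `by * read` includes the anonymous identity: the slapd trace above shows `by ""` (anonymous) being granted read on `userPassword`, and the same rule hands out `sambaNTPassword` and `sambaLMPassword`, which are password-equivalent for SMB. The LDIF below shows the weak rule beside a tightened one. It is an added example, not from the post; it assumes `cn=root,dc=rhel6,dc=ldaptest,dc=com` (the `ldap admin dn` from smb.conf) is the DN that Samba and any administrator bind with, and keeps the catch-all world-readable because the trace shows sssd binding anonymously.

```ldif
# Weak rule as in the post: everyone, anonymous included, reads every
# attribute; "by self write" is unreachable because "by *" matches first.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * read by self write

# Tightened rules (assumed admin DN: cn=root,dc=rhel6,dc=ldaptest,dc=com).
# Order matters within each rule: the first matching "by" clause wins.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=root,dc=rhel6,dc=ldaptest,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdCanChange
  by dn.exact="cn=root,dc=rhel6,dc=ldaptest,dc=com" write
  by * none
olcAccess: {2}to *
  by dn.exact="cn=root,dc=rhel6,dc=ldaptest,dc=com" write
  by self write
  by * read
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` on the server (the `{0}config` database in the post allows nobody, so a local SASL EXTERNAL bind as root is the usual way in). `by anonymous auth` is what lets a simple bind still compare the password without anyone being able to read the hash. Once sssd is given its own bind identity (`ldap_default_bind_dn` and `ldap_default_authtok` in sssd.conf), the last rule's `by * read` can become `by users read` followed by `by * none`; with the anonymous binds shown in the trace that change would break NSS lookups, so it is left out here.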
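The two symptoms in the post fit together: `4294967295` is `0xFFFFFFFF`, the unsigned rendering of `(uid_t)-1`, which is what `pdbedit -L` prints when it cannot resolve the account name to a uid through NSS, and the sssd log shows why NSS has nothing for `test2`: `User [test2] filtered out! (id out of range)`, sssd's check of `uidNumber` against the `min_id`/`max_id` settings of the `[domain/...]` section in sssd.conf. The post does not show sssd.conf, so the script below, an added example and not code from the post or from sssd, takes those bounds as parameters and applies the same decision to a constructed LDIF and a constructed `pdbedit -L` listing. The `min_id=1000` used in the usage call is an assumption for illustration; the userPassword value in the sample is synthetic, not a hash from the post.

```python
import base64

# Constructed sample modelled on the entries in the post; the userPassword
# value is the synthetic "{crypt}sample", not a hash taken from the post.
SAMPLE_LDIF = """\
dn: uid=testsmb,dc=rhel6,dc=ldaptest,dc=com
uid: testsmb
uidNumber: 503
gidNumber: 500
userPassword:: e2NyeXB0fXNhbXBsZQ==
objectClass: posixAccount
objectClass: sambaSamAccount

dn: uid=test2,dc=rhel6,dc=ldaptest,dc=com
uid: test2
uidNumber: 504
gidNumber: 500
objectClass: posixAccount
objectClass: sambaSamAccount

dn: uid=example,dc=rhel6,dc=ldaptest,dc=com
uid: example
uidNumber: 9999
gidNumber: 9999
objectClass: posixAccount
"""

# Constructed "pdbedit -L" output: one resolved account, two unresolved.
PDBEDIT_OUTPUT = """\
testsmb:503:testsmb
test2:4294967295:test2
test3:4294967295:test3
"""

# 4294967295 is 0xFFFFFFFF, i.e. (uid_t)-1 printed as an unsigned 32-bit
# value: pdbedit could not resolve the account name to a uid through NSS.
UID_LOOKUP_FAILED = 0xFFFFFFFF


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, decoding '::' base64 values."""
    entries, entry = [], {}
    for line in unfold(text):
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def in_sssd_id_range(idnum, min_id=1, max_id=0):
    """sssd's min_id/max_id semantics (sssd.conf [domain] section): max_id 0 means no upper bound."""
    if idnum < min_id:
        return False
    if max_id and idnum > max_id:
        return False
    return True


def diagnose(pdbedit_output, ldif_text, min_id=1, max_id=0):
    """Map each pdbedit account to a reason: resolved, no LDAP entry,
    uidNumber outside the sssd id range, or still unexplained."""
    entries = {e["uid"][0]: e for e in parse_ldif(ldif_text) if "uid" in e}
    report = {}
    for line in pdbedit_output.strip().splitlines():
        name, uid_field, _ = line.split(":", 2)
        if int(uid_field) != UID_LOOKUP_FAILED:
            report[name] = "ok"
            continue
        entry = entries.get(name)
        if entry is None:
            report[name] = "no entry in LDAP"
        elif not in_sssd_id_range(int(entry["uidNumber"][0]), min_id, max_id):
            report[name] = "uidNumber %s outside sssd min_id/max_id" % entry["uidNumber"][0]
        else:
            report[name] = "unexplained: uidNumber in range, check ACL and sssd cache"
    return report


if __name__ == "__main__":
    # min_id=1000 is an assumed value for illustration; the post does not show sssd.conf.
    for name, reason in sorted(diagnose(PDBEDIT_OUTPUT, SAMPLE_LDIF, min_id=1000).items()):
        print("%-8s %s" % (name, reason))
```

Run against real data by pasting `ldapsearch -x -LLL` output and `pdbedit -L` output into the two strings and passing the `min_id`/`max_id` values from sssd.conf. Only `uidNumber` is checked here; sssd applies the same range to group ids as well.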