[Samba] Strange behaviour with LDAP searches

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 26 10:24:56 UTC 2015 

On 26/08/15 10:23, Heiko Wundram wrote:
> Hey,
>
> Am 26.08.2015 11:09, schrieb L.P.H. van Belle:
>> ah, ok, yes, i didnt look to good at the filters.
>>
>> I was thinking the "Machine Account" was an OU
>> but whats strange also, why is that machine account in the "user", and
>> not in "Computers"
>> i dont have any "computer" in the users OU.
>
> the "machine account" is a regular user that I created for non-joined 
> "machines/services" to access AD directory information. I.e., it's a 
> mostly unprivileged user (in cn=Users) that simply allows bind access 
> to the directory for queries from external services such as nslcd - 
> and in this specific case also Redmine (for group synchronization from 
> AD).
>
> What I'm slightly worried about is that the OR-query should, from what 
> I know about LDAP filters, return two results, as both groups exist, 
> and just using the query
>
> (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
> (distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
>
> -> 2 results
>
> does return both groups. What breaks the search is AND-ing this query 
> with the requirement that the returned objects have one of the 
> specified dns and also (objectClass=group): this search returns no 
> results:
>
> (&(objectClass=group)
> (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
> (distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>
> -> 0 results
>
> What does return a (single) result (as it should) is asking for a 
> single group with (objectClass=group) and a DN:
>
> (&(objectClass=group)
> (distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
>
> -> 1 result
>
> I'm more than sure that the combined query "works" (returns two 
> results) with a vanilla Debian Jessie Samba 4 installation 

It doesn't work for me on Debian wheezy with samba from backports: 
4.1.17-Debian

Rowland

> (as I've had Redmine pull the groups for users from AD for quite some 
> time) and I'm trying to recreate that now; it does not work anymore 
> after upgrading the system to a Sernet Samba 4.2.3, and neither does 
> it work against the Gentoo Samba 4.1.19 I have running on the system I 
> posted the queries from.
>
> As Redmine uses a query of the form 
> (&(objectClass=group)(|(distinguishedName=group1)(distinguishedName=group2)(distinguishedName=group3)(...))) 
> resolve the memberOf-elements of a user (replacing group1, etc. with 
> an OR-join of the DNs), and this does not return any elements, Redmine 
> currently does not assign _any_ groups to users retrieved from AD, 
> which is a show-stopper.
>
> Does this clear up better what the problem is?
>

More information about the samba mailing list