[Samba] Ldapsearch against Samba AD returns records outside the search base

Rowland penny rpenny at samba.org
Mon Feb 3 17:31:08 UTC 2020


On 03/02/2020 16:17, Palle Kuling via samba wrote:
> Hello,
>
> I did some detective work here, stepping through all the versions from 
> the old 4.9.4 database onwards, building them from source on an 
> isolated system and doing ldapsearch against them. It is the change 
> from 4.10.13 to 4.11.0 (or maybe in general from pre-4.11 to 4.11?) 
> that breaks it; after that the onelevel scope is not applied correctly.
>
> Ldbsearch also returns wrong results when used with your commands (it 
> took me a while to figure out that I needed "tls verify peer = 
> no_check" and "ldap server require strong auth = no" to be able to run 
> the query):
>
> samba-4.11.0$ /usr/local/samba/bin/ldbsearch -H ldaps://dc01 -s one -b 
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin -Uusername
> Password for [XXX\username]:
> # record 1
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> samba-4.11.0$ sudo /usr/local/samba/bin/ldbsearch -H 
> ldb:///usr/local/samba/private/sam.ldb -s one -b 
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin -Uusername
> # record 1
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Also, it seems that I was wrong about ldbsearch directly against the 
> backend DB working - it is simply because I forgot to use the "one" 
> scope, which seems to be the culprit here:
>
> /usr/local/samba/private/sam.ldb.d# ldbsearch -H 
> DC\=INTERNAL\,DC\=XXX\,DC\=YY.ldb -b 
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> /usr/local/samba/private/sam.ldb.d# ldbsearch -H 
> DC\=INTERNAL\,DC\=XXX\,DC\=YY.ldb -s one -b 
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
> # record 1
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> In order to test whether it happens on a joined DC or not, I need to 
> spin up some isolated test VMs, so I'd have to come back on that in 
> a few days.
>
> Regards,
> -P

This is where I differ from you: using your search command from your 
original post (altered for my domain), I always get the expected result. 
I have tested this on a few Samba versions, all of them from Louis's repo.

Rowland
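An added example, not code from this thread or from Samba: a small Python checker that parses the LDIF-style output that ldbsearch and ldapsearch print and reports every returned dn that does not lie inside the requested search base and scope, which is the onelevel scope violation Palle describes above. The sample output and base DN are constructed from the records quoted in the message; comparing DN components case-insensitively is an assumption that matches AD's caseIgnore behaviour for the attribute types shown.

```python
"""Verify that an LDAP search result honours the requested base DN and scope.

Standalone example (not Samba code). It reads the text ldbsearch/ldapsearch
print, extracts each 'dn:' line and flags entries outside base/scope.
"""
import re


def unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def split_dn(dn):
    """Split a DN into RDN components, honouring backslash-escaped commas.

    Components are normalised (whitespace around '=' removed, lowercased),
    assuming case-insensitive matching as AD uses for CN/OU/DC values.
    """
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts if p.strip()]


def in_scope(dn, base, scope):
    """True if dn is inside base for scope 'base', 'one' (onelevel) or 'sub'."""
    d, b = split_dn(dn), split_dn(base)
    if scope == "base":
        return d == b
    if scope == "one":            # exactly one RDN below the base
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":            # base itself or anything beneath it
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError("unknown scope: %s" % scope)


def out_of_scope(search_output, base, scope):
    """Return the dns in the search output that fall outside base/scope."""
    dns = [l[4:].strip() for l in unfold(search_output) if l.startswith("dn: ")]
    return [dn for dn in dns if not in_scope(dn, base, scope)]


# Constructed from the ldbsearch records quoted in the thread.
SAMPLE_OUTPUT = """\
# record 1
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

# returned 1 records
"""
BASE = "ou=business,dc=internal,dc=xxx,dc=yy"

if __name__ == "__main__":
    for dn in out_of_scope(SAMPLE_OUTPUT, BASE, "one"):
        print("outside onelevel scope of %s: %s" % (BASE, dn))
```

Pipe real `ldbsearch -s one -b <base> ...` output into `out_of_scope()` to confirm whether a given Samba build applies the scope; an empty list means every entry returned is a direct child of the base.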
