[Samba] Ldapsearch against Samba AD returns records outside the search base

Palle Kuling ltm at mnwa.net
Fri Jan 31 13:50:17 UTC 2020


Hi,

I noticed the following problem with records returned outside the search 
base when the query is run against a Samba DC, but when the same query 
is run against a Windows 2008 or 2012 DC it does not happen. I'm pretty 
sure it worked correctly in the past. I updated from Samba 4.9.4 to 
4.11.4 in December, but I noticed it only today, and I no longer have a 
backup of the old installation to verify. I tried building versions 
4.11.5 and 4.11.6 against the same database, but they all behave in the 
same way. Am I missing some config option, or is it a bug? These kinds 
of queries are used to check if an account exists in a certain OU, so I 
would not want the DCs to behave differently for the same query.

This is how it looks when I run a query (I redacted the domain and 
account names a bit):

ldapsearch -D username at internal.xxx.yy -w password -H ldaps://<samba DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#

# Test Admin, Test, internal.xxx.yy
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test Admin
<snip>
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I would want results only from OU=Business, but the response comes from 
OU=Test. If I run the same query against one of the Windows DCs, they 
return the answer I want (=no record):

ldapsearch -D username at internal.xxx.yy -w password -H ldaps://<windows DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=iceye,dc=fi> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

If the search base is replaced with -b ou=test,dc=internal,dc=xxx,dc=yy, 
both Samba and Windows return the same answer record. An ldapcmp between 
the Samba and Windows DCs shows no other differences than the Windows 
DCs sometimes having more attributes listed (like WHENCREATED and 
INSTANCETYPE), but it was always like this. Also samba-tool drs showrepl 
shows no errors, so all DCs should have the same data.

Regards,
-P
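The symptom above is a DC honouring the filter but not the search base and scope. A consumer that uses such a query as an authorization check ("does this account exist in OU=Business?") should verify client-side that every returned DN actually lies under the requested base at the requested scope. The script below is an added example, not code from the original post or from Samba; it parses ldapsearch-style LDIF and reports entries outside the base/scope. The sample LDIF is constructed from the redacted output in the post (the OU=Business entry is invented), and DNs are assumed to be plain text (no base64 `dn::` lines).

```python
"""Flag LDIF entries that fall outside the requested search base and scope.
Added example (not from the original post or Samba); sample data is constructed."""
import re

def split_dn(dn):
    """Split a DN into normalized RDN strings: lowercased, surrounding
    whitespace stripped, backslash-escaped commas kept inside their RDN."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower()); cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns

def in_scope(dn, base, scope):
    """True if dn is a legal result for a search with this base and scope
    ('base', 'one' or 'sub'), using the same rules an LDAP server must apply."""
    d, b = split_dn(dn), split_dn(base)
    if d == b:
        return scope in ("base", "sub")   # the base entry itself is never a oneLevel hit
    if len(d) <= len(b) or d[-len(b):] != b:
        return False                      # not under the base at all
    if scope == "sub":
        return True
    return scope == "one" and len(d) == len(b) + 1   # oneLevel: direct children only

def dns_from_ldif(ldif):
    """Collect plain 'dn:' values; base64 'dn::' lines are deliberately skipped."""
    return [m.group(1).strip() for m in re.finditer(r"^dn:(?!:)\s*(.+)$", ldif, re.M)]

def out_of_scope(ldif, base, scope="one"):
    """Return the DNs in the LDIF that a correct server should not have returned."""
    return [dn for dn in dns_from_ldif(ldif) if not in_scope(dn, base, scope)]

# Constructed sample: the leaked OU=Test entry from the post plus one genuine child.
SAMPLE_LDIF = """\
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: user
cn: Test Admin

dn: CN=Business User,OU=Business,DC=internal,DC=xxx,DC=yy
objectClass: user
"""

if __name__ == "__main__":
    for dn in out_of_scope(SAMPLE_LDIF, "ou=business,dc=internal,dc=xxx,dc=yy"):
        print("outside search base:", dn)
```

Piping the real `ldapsearch` output into `out_of_scope` with the same `-b` and `-s` values turns the difference between the Samba and Windows DCs seen above into a hard failure instead of a silent false positive.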
