[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Andrew Bartlett abartlet at samba.org
Sun Nov 5 23:03:20 UTC 2023


We had to do a few changes in this area (due to security issues) over
that large number of releases, it is entirely possible there was a
regression. 

If you have time and patience, could you back up your DC, restore into
a subdirectory (on your DC or on a test box) with 4.11.10 from git, and
then do a git bisect between that and 4.18.5.

You can run the query locally with bin/ldbsearch -H /path/to/sam.ldb
from the build tree.

You won't need to install Samba, nor start it; ldbsearch should be
enough.

If a local ldbsearch passes on 4.18.5 but it fails over LDAP, that is
also a useful data point.

Andrew Bartlett

On Sun, 2023-11-05 at 22:25 +0000, Jonathan Hunter via samba wrote:
> I'm quite confused by this one, as I can't see how this would
> happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches
> don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> now as well)
> 
> Here's a search that now returns nothing after my DC upgrades; this
> exact search used to work just fine:
> (&
>     (objectCategory=Person)
>     (sAMAccountName=*)
>     (memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> )
> 
> But if I remove the matching rule specifier, it does return a number
> of results:
> (&
>     (objectCategory=Person)
>     (sAMAccountName=*)
>     (memberOf=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> )
> 
> The data in my AD hasn't changed; I am guessing that
> LDAP_MATCHING_RULE_IN_CHAIN is still supported in 4.18 and most
> likely
> something didn't quite go perfectly to plan during the upgrade of my
> DCs.
> 
> Looking at a sample user object, I can see the group listed in the
> user's memberOf attribute (i.e. the user is a direct member of the
> group) - so I'm not sure why a search using
> LDAP_MATCHING_RULE_IN_CHAIN simply returns no results now.
> 
> Are there any indexes or internal values I could check, to see if I
> can debug this any further? A 'samba-tool dbcheck --cross-ncs' didn't
> reveal anything, but I'm not sure of the best way to investigate this
> one further.
> 
> Thanks for any pointers,
> 
> Cheers
> 
> Jonathan
> 
> -- 
> "If we knew what it was we were doing, it would not be called
> research, would it?"
>       - Albert Einstein
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
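The bisect procedure Andrew describes above, written out as a `git bisect run` script. This is an added example, not code from the thread or from the Samba project: it rebuilds the checked-out revision in the build tree, runs the quoted LDAP_MATCHING_RULE_IN_CHAIN query locally with bin/ldbsearch against a restored sam.ldb, and turns the result into the exit codes git bisect expects (0 good, 1 bad, 125 skip). The path in SAM_LDB and the group DN are placeholders for the restored copy and the group from the original query; the output line format it parses ("# returned N records") is ldbsearch's usual trailer.

```shell
#!/bin/sh
# Added example (not from the Samba project or the list thread).
# Usage, from a Samba git checkout with a DC backup restored elsewhere:
#   git bisect start samba-4.18.5 samba-4.11.10
#   SAM_LDB=/path/to/restored/private/sam.ldb BISECT_STEP=1 \
#       git bisect run ./bisect-chain.sh
# Placeholders (assumed, not from the thread): SAM_LDB and GROUP_DN.
SAM_LDB="${SAM_LDB:-/path/to/restored/private/sam.ldb}"
GROUP_DN="${GROUP_DN:-CN=somegroup,OU=someou,DC=mydomain,DC=org}"
FILTER="(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=$GROUP_DN))"

# Map ldbsearch output to a git-bisect exit status:
#   0   -> "good": at least one record returned (the chained search works)
#   1   -> "bad":  zero records returned (the regression being hunted)
#   125 -> "skip": no "# returned N records" trailer, i.e. the tool or build
#                  failed, so this revision must not be counted either way
classify_ldbsearch_output() {
    count=$(printf '%s\n' "$1" \
        | sed -n 's/^# returned \([0-9][0-9]*\) records.*/\1/p' \
        | tail -n 1)
    if [ -z "$count" ]; then
        return 125
    elif [ "$count" -gt 0 ]; then
        return 0
    else
        return 1
    fi
}

# One bisect step: build in-tree, then query the restored database directly.
# A failed configure/build or a crashing ldbsearch is "skip", not "bad".
run_bisect_step() {
    ./configure --enable-developer >/dev/null 2>&1 \
        && make -j"$(nproc)" >/dev/null 2>&1 || return 125
    out=$(bin/ldbsearch -H "$SAM_LDB" "$FILTER" dn 2>&1) || return 125
    classify_ldbsearch_output "$out"
}

# Only perform the real step when invoked by git bisect run, so the
# classification helper can be sourced and exercised on its own.
if [ "${BISECT_STEP:-0}" = 1 ]; then
    run_bisect_step
    exit $?
fi
```

Requesting only the dn attribute keeps each step's output small, and the skip path matters: across that many releases some intermediate commits will not build, and marking those bad would send the bisect to the wrong commit. The same classifier can be pointed at the remote query (ldbsearch -H ldap://dc) to separate a database-side regression from an LDAP-server-side one, which is the second data point Andrew asks for.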
