[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Kees van Vloten keesvanvloten at gmail.com
Mon Nov 6 09:36:51 UTC 2023


On 05-11-2023 at 23:25, Jonathan Hunter via samba wrote:
> I'm quite confused by this one, as I can't see how this would happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> now as well)
>
> Here's a search that now returns nothing after my DC upgrades; this
> exact search used to work just fine:
> (&
>      (objectCategory=Person)
>      (sAMAccountName=*)
>      (memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> )
>
> But if I remove the matching rule specifier, it does return a number of results:
> (&
>      (objectCategory=Person)
>      (sAMAccountName=*)
>      (memberOf=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> )
>
> The data in my AD hasn't changed; I am guessing that
> LDAP_MATCHING_RULE_IN_CHAIN is still supported in 4.18 and most likely
> something didn't quite go perfectly to plan during the upgrade of my
> DCs.
>
> Looking at a sample user object, I can see the group listed in the
> user's memberOf attribute (i.e. the user is a direct member of the
> group) - so I'm not sure why a search using
> LDAP_MATCHING_RULE_IN_CHAIN simply returns no results now.

I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did 
not experience any issues with nested group lookups, which many of the 
filters rely on.

To query a user's nested groups I use this little script (on the DCs):

#!/bin/bash

if [[ $# -lt 1 ]]; then
     echo "Usage: $0 <ldap_object>"
     echo "    ldap_object   name of a computer, user or group"
     exit 1
fi
OBJECT=$1

BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"
# Use UID instead of sAMAccountName because it does not have the $
# ending for computer accounts
OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
     "(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
     grep 'dn:' | cut -d ' ' -f 2-)"

#echo "Object DN: ${OBJECT_DN}"
#echo "Nested group memberships:"
ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
     "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=${OBJECT_DN}))" \
     cn 2> /dev/null |
     grep 'cn:' | cut -d ' ' -f 2- | sort

And the reverse to get all users in a nested group:

#!/bin/bash

if [[ $# -lt 1 ]]; then
     echo "Usage: $0 <ldap_object>"
     echo "    ldap_object   name of group"
     exit 1
fi
OBJECT=$1
BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"
# Use UID instead of sAMAccountName because it does not have the $
# ending for computer accounts
OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
     "(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
     grep 'dn:' | cut -d ' ' -f 2-)"

#echo "Object DN: ${OBJECT_DN}"
#echo "Users in nested group:"
ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
     "(&(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=${OBJECT_DN}))" \
     cn 2> /dev/null |
     grep 'cn:' | cut -d ' ' -f 2- | sort

And although the script uses ldbsearch locally on the DC, many 
applications use similar queries over the wire.

If it does not show the desired output for you, it may be worth looking 
at configuration differences, because I had and have no issues 
whatsoever with this functionality.

- Kees.

>
> Are there any indexes or internal values I could check, to see if I
> can debug this any further? A 'samba-tool dbcheck --cross-ncs' didn't
> reveal anything, but I'm not sure of the best way to investigate this
> one further.
>
> Thanks for any pointers,
>
> Cheers
>
> Jonathan
>
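A reference check worth adding at this point (my own example, not Kees's script and not Samba code): compute what the 1.2.840.113556.1.4.1941 rule should return from an LDIF dump of the groups, for instance the output of ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' member saved to a file and passed to parse_ldif, and compare it with the DC's chained query. If this lists a user under the group but the chained filter on the DC returns nothing, the filter is not the problem and the DC's state is; the sample LDIF below is constructed.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread): 'nested' is a member of 'somegroup'; one value is folded as ldbsearch folds long lines.
SAMPLE_LDIF = """\
dn: CN=somegroup,OU=someou,DC=mydomain,DC=org
member: CN=nested,OU=someou,DC=mydomain,DC=org
member: CN=bob,OU=users,
 DC=mydomain,DC=org

dn: CN=nested,OU=someou,DC=mydomain,DC=org
member: CN=alice,OU=users,DC=mydomain,DC=org
"""
def parse_ldif(text):
    # Returns {dn: {attr: [values]}}; unfolds wrapped lines, decodes 'attr:: base64' values.
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # LDIF folding: a leading space continues the line
        else:
            lines.append(line)
    entries, current = {}, None
    for line in lines + [""]:              # the sentinel flushes the last entry
        if not line.strip():
            if current:
                entries[current[0]] = current[1]
            current = None
        elif not line.startswith("#"):     # skip ldbsearch comments such as "# record 1"
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            if name.lower() == "dn":
                current = (value, defaultdict(list))
            elif current:
                current[1][name.lower()].append(value)
    return entries
def members_in_chain(entries, group_dn):
    # Objects reachable via nested 'member' links from group_dn (lower-cased DNs):
    # the set (memberOf:1.2.840.113556.1.4.1941:=group_dn) should match.
    members = {dn.lower(): [m.lower() for m in a.get("member", [])] for dn, a in entries.items()}
    seen, todo = set(), [group_dn.lower()]
    while todo:
        for m in members.get(todo.pop(), []):
            if m not in seen:              # visited set terminates on circular nesting
                seen.add(m)
                todo.append(m)
    return seen
def groups_in_chain(entries, object_dn):
    # Groups object_dn belongs to directly or via nesting: what (member:1.2.840.113556.1.4.1941:=object_dn) should match.
    return {dn.lower() for dn in entries if object_dn.lower() in members_in_chain(entries, dn)}
```

Compare the sets with what the two scripts above print for the same object; DN comparison is case-insensitive, as in the directory.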


