[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Jonathan Hunter jmhunter1 at gmail.com
Mon Nov 6 13:58:40 UTC 2023


Thank you Kees.

On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
<samba at lists.samba.org> wrote:
> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
> not experience any issues with nested group lookups, which many of the
> filters rely on.

Interestingly, I've now found that (on my current DCs, running
4.18.5), ldbsearch *does* seem to return the expected result, but the
same query via ldapsearch does not.

dc2$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))" samAccountName
# Record 1
[...]
# record 39
dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
sAMAccountName: auser

# Referral
[...]
# returned 42 records
# 39 entries
# 3 referrals


whereas no results are returned for the same query run via ldapsearch,
even running the search as the domain administrator.

dc2$ ldapsearch -H ldaps://dc2.mydomain.org -x -W -D "Administrator at mydomain" -b "dc=mydomain,dc=org" "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))" samAccountName
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=org> with scope subtree
# filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
# requesting: samAccountName
#

# search reference
[...]

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

> And although the script uses ldbsearch locally on the DC, many
> applications use similar queries over the wire.
>
> If it does not show the desired output for you, it may be worth looking
> at configuration differences, because I had and have no issues
> whatsoever with this functionality.

Thanks, it's good to know that it does work for others, at least.
There is undoubtedly something about my configuration that is
different from others; I don't know if it's having members of groups
from different OUs across the domain, or perhaps permissions that have
been set over the years delegating ownership of different OUs, etc.,
but it's interesting that I am seeing different behaviour between
ldbsearch and ldapsearch now.

(Andrew - I'm wondering if I can script startup of samba in docker
containers after restoring from a domain backup, that I could call
from git bisect. Do you know if anyone has scripts to do that sort of
thing already? It's not impossible for me to create, of course, but
it's always better to use an existing working script if there is one.
So far, my git bisect calls a script that compiles each samba version
and runs ldbsearch, checking for number of results returned; but based
on the above findings that's always going to succeed, so I think I
will need to switch to ldapsearch instead)

Cheers

Jonathan
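The check Jonathan describes wanting for his git bisect (query over the wire with ldapsearch, judge the build by the number of entries returned) can be written as a small POSIX shell script for `git bisect run`. The script below is an added example, not code from this thread or from the Samba project. The environment names (LDAP_URI, BIND_DN, PASSFILE, BASE_DN, GROUP_DN, EXPECTED_MIN), the function names and the sample LDIF are all assumptions constructed for illustration; the filter and OID are the ones used in the thread. It deliberately distinguishes a failed bind or a dead server (bisect "skip", exit 125) from a successful search that returns nothing (the bug under test), and counts only `dn:` lines so that the referrals seen in the thread's output cannot disguise an empty result.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): a check script
# for `git bisect run` that exercises the nested-group query over the wire with
# ldapsearch instead of ldbsearch on sam.ldb.
# Assumed/placeholder settings (override via environment): LDAP_URI, BIND_DN,
# PASSFILE (file holding the bind password, for ldapsearch -y), BASE_DN,
# GROUP_DN, EXPECTED_MIN.
LDAP_URI="${LDAP_URI:-ldaps://dc2.mydomain.org}"
BIND_DN="${BIND_DN:-Administrator@mydomain}"            # placeholder bind identity
PASSFILE="${PASSFILE:-/root/.ldap-bisect-pass}"         # placeholder path
BASE_DN="${BASE_DN:-dc=mydomain,dc=org}"
GROUP_DN="${GROUP_DN:-CN=somegroup,OU=someou,DC=mydomain,DC=org}"
EXPECTED_MIN="${EXPECTED_MIN:-1}"

# LDAP_MATCHING_RULE_IN_CHAIN OID, as used in the thread's filters.
IN_CHAIN=1.2.840.113556.1.4.1941

# Count result entries in LDIF read from stdin. Each entry starts with a "dn:"
# line; search references ("ref:" lines) and comments are deliberately not
# counted, so referrals cannot disguise an empty result set.
count_ldif_entries() {
    grep -c '^dn:' || true
}

# Map an entry count to git bisect exit codes: 0 = good (nested-group lookup
# worked), 1 = bad (query succeeded but returned too few entries).
judge_count() {
    [ "$1" -ge "$2" ]
}

# Run the query with ldapsearch. A non-zero ldapsearch exit (server down,
# bind failure, broken build) returns 125 so git bisect skips the commit
# instead of mislabeling it bad; an empty-but-successful search is the bug.
run_check() {
    filter="(&(objectCategory=Person)(sAMAccountName=*)(memberOf:${IN_CHAIN}:=${GROUP_DN}))"
    out=$(ldapsearch -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASSFILE" \
                     -b "$BASE_DN" -LLL "$filter" sAMAccountName) || return 125
    n=$(printf '%s\n' "$out" | count_ldif_entries)
    echo "nested-group query returned $n entries (need >= $EXPECTED_MIN)" >&2
    judge_count "$n" "$EXPECTED_MIN"
}

# Constructed sample LDIF in the shape ldapsearch -LLL prints: two entries plus
# one referral line, to exercise the counter without a DC.
SAMPLE_LDIF='dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
sAMAccountName: auser

dn: CN=B User,OU=Users,OU=otherou,DC=mydomain,DC=org
sAMAccountName: buser

ref: ldap://ForestDnsZones.mydomain.org/DC=ForestDnsZones,DC=mydomain,DC=org
'

# Invoked as "sh check.sh run" from git bisect; running with no argument only
# defines the functions, and "selftest" counts the constructed sample (2).
case "${1:-}" in
    run) run_check; exit $? ;;
    selftest) printf '%s' "$SAMPLE_LDIF" | count_ldif_entries ;;
esac
```

Wire it up as `git bisect run sh /path/to/check.sh run` from a wrapper that first rebuilds and restarts Samba for the checked-out commit; if the build or restart fails, let that wrapper exit 125 as well so the commit is skipped rather than counted as bad.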
