[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Jonathan Hunter jmhunter1 at gmail.com
Fri Nov 10 16:02:19 UTC 2023


One small point to add below regarding permissions - the query still
fails even if I run it as Administrator.

On Fri, 10 Nov 2023 at 15:50, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> Whilst I have no expectation that my test script is efficient or
> optimal in any way, I couldn't see an existing guide on the samba wiki
> so I created a page that should hopefully help others, using my script
> as an initial example
(For anyone else looking for this page - it's not yet live as it needs
approval since it contains external links)

> > OK, so it is most likely the permissions handling.
> >
> > If your automated bisect becomes a pain, or you want to debug in the
> > traditional way, look into permissions and ensure your connecting user
> > can see all the way down the chain, and check if specifying the matched
> > attribute helps.

I was running the query from a DC on the command line as the domain
Administrator user. Whilst I do have at least one OU in the domain
where permissions are locked down (a few years back I think I did set
custom permissions so that only specific groups can access this), the
group being queried is not in this part of the tree.

It is possible that some of the group members also have access to the
locked-down section of the tree though; I wonder if that has any
bearing on things..
