[PATCH] samba-tool group show
Alexander Bokovoy
ab at samba.org
Thu Apr 2 10:09:33 UTC 2020
On to, 02 huhti 2020, Björn Baumbach via samba-technical wrote:
> Hi Rowland,
>
> On 4/2/20 10:44 AM, Rowland penny via samba-technical wrote:
> > Hi, <samba-tool group show 'groupname'> will only show the groups info
> > if it is a global security group.
> >
> > The attached patch fixes this.
> >
> > See bug: https://bugzilla.samba.org/show_bug.cgi?id=14335
>
> Thank you for fixing this!
> I wonder about the use of "objectCategory=group". I would expect the use
> of "objectClass=group" instead. But I tried the patch and it works - I
> did not try to understand why, yet. The objectCategory looks like
> "objectCategory: CN=Group,CN=Schema,CN=Configuration,..."
objectCategory is one of several special attributes in Active Directory
that allow several formats for searches. objectCategory allows both RDN
value and DN-based searches while being itself a DN.
This is documented in MS-ADTS 3.1.1.3.1.3.5:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e1c068a5-eb1d-4f62-ab3b-81218472cb57
> I checked the samba-tool code and see that we typically use the
> objectClass attribute.
> Is there a special reason for the use of "objectCategory"?
>
> If "objectClass" is also fine, I would adapt the patch, add my RB and
> push it.
This is covered in https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx#Filter_on_objectCategory_and_objectClass
For groups there is not much difference but since objectCategory is
both single-valued and indexed, query with objectCategory will be more
efficient in AD DS.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list