[Samba] Samba4 LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN

Felix Zachlod fz.lists at sis-gmbh.info
Mon Mar 10 02:20:23 MDT 2014

Hello list,

we are currently trying to authenticate and authorize users against a
Samba4.1 AD domain controller. It has turned out that samba seems not to
support extended rule 1.2.840.113556.1.4.1941 which allows to query for
transitive group memberships. E.g. group a is member of group b and user c
is member of group b. I want to know if user c is member of group a, which
he is transitively but not directly. According to the Microsoft
documentation this can be queried using the ldap extended rule
1.2.840.113556.1.4.1941 but when doing an ldap search on a Samba4 DC with
this rule it simply returns an empty result. Using ldbsearch i get

ldb: unknown extended rule_id 1.2.840.113556.1.4.1941

I currently run

sernet-samba-ad                    99:4.1.4-7

on debian wheezy

Is this going tob e fixed? Is there another possibility to check nested
group membership from ldap without iterating over all groups in the code of
our application?

Thank you all in advance,

regards, Felix

More information about the samba mailing list