[Samba] Samba 4.1.6 (Ubuntu 14.04) ldapsearch memberof

Andrey andrew_dev at hotmail.com
Sun Nov 23 17:19:52 MST 2014

Hi everyone,

I recently installed Samba 4.1.6 on Ubuntu Server 14.04.01 LTS.
My provision was:

samba-tool domain provision --realm=DOT.LAN --domain=DOT \
--adminpass='Pa77w0rd' --dns-backend=SAMBA_INTERNAL --server-role=dc \
--use-xattr=yes --use-rfc2307 --function-level=2008_R2 --use-ntvfs

All required steps and tests according to the Samba wiki are completed.

When I do the following query I am getting the right answer too:

ldapsearch -h srv10.dot.lan -x -LLL -D Administrator@dot.lan -W -b \
"dc=dot,dc=lan" "(&(CN=*)(memberOf=CN=Domain
Enter LDAP Password:
dn: CN=Administrator,CN=Users,DC=dot,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20141118230145.0Z
whenChanged: 20141118230145.0Z
uSNCreated: 3545
uSNChanged: 3545
name: Administrator
objectGUID:: 231tfDn2Hk2oKoILIg4Ubw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130608253050000000
primaryGroupID: 513
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dot,DC=lan
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=dot,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=dot,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=dot,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=dot,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=dot,DC=lan
distinguishedName: CN=Administrator,CN=Users,DC=dot,DC=lan

# refldap://dot.lan/CN=Configuration,DC=dot,DC=lan

# refldap://dot.lan/DC=DomainDnsZones,DC=dot,DC=lan

# refldap://dot.lan/DC=ForestDnsZones,DC=dot,DC=lan

However, when I do this query, I am getting strange result:

ldapsearch -h srv10.tcbv.tk -x -LLL -D Administrator@dot.lan -W -b \
"dc=dot,dc=lan" "(&(CN=*)(memberOf=CN=Domain Users,CN=Users,DC=dot,DC=lan))"
Enter LDAP Password:
# refldap://dot.lan/CN=Configuration,DC=dot,DC=lan

# refldap://dot.lan/DC=DomainDnsZones,DC=dot,DC=lan

# refldap://dot.lan/DC=ForestDnsZones,DC=dot,DC=lan

The logs do not show any changes. Please be aware that the difference between the queries is
in memberOf=CN=. The first group name is Domain Admins and the second is Domain
Am I missing something? Are there any security restrictions?

Thank you.
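An added example, not code from the poster or from Samba: in Active Directory (and Samba AD) the primary group is recorded only in primaryGroupID (513 = Domain Users, as in the entry above) and is never listed in memberOf, so a memberOf-only filter misses it. The group DN to RID table is a constructed sample standing in for a real objectSid lookup.

```python
from typing import Dict, List

# Constructed sample: attributes of the Administrator entry shown in the post.
ADMINISTRATOR = {
    "distinguishedName": "CN=Administrator,CN=Users,DC=dot,DC=lan",
    "primaryGroupID": "513",
    "memberOf": [
        "CN=Administrators,CN=Builtin,DC=dot,DC=lan",
        "CN=Group Policy Creator Owners,CN=Users,DC=dot,DC=lan",
        "CN=Enterprise Admins,CN=Users,DC=dot,DC=lan",
        "CN=Schema Admins,CN=Users,DC=dot,DC=lan",
        "CN=Domain Admins,CN=Users,DC=dot,DC=lan",
    ],
}

# Constructed sample: group DN -> RID (last component of the group's objectSid),
# as a search for (objectClass=group) returning objectSid would give you.
# 512 and 513 are the well-known RIDs of Domain Admins and Domain Users.
GROUP_RIDS: Dict[str, int] = {
    "CN=Domain Admins,CN=Users,DC=dot,DC=lan": 512,
    "CN=Domain Users,CN=Users,DC=dot,DC=lan": 513,
}


def effective_groups(entry: dict, group_rids: Dict[str, int]) -> List[str]:
    """memberOf plus the primary group resolved from primaryGroupID."""
    groups = list(entry.get("memberOf", []))
    primary_rid = int(entry["primaryGroupID"])
    for dn, rid in group_rids.items():
        if rid == primary_rid and dn not in groups:
            groups.append(dn)
    return groups


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a DN placed in a filter cannot change its structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def members_filter(group_dn: str, group_rid: int) -> str:
    """Filter that matches explicit members and users whose primary group it is."""
    return f"(|(memberOf={escape_filter(group_dn)})(primaryGroupID={group_rid}))"


if __name__ == "__main__":
    for dn in effective_groups(ADMINISTRATOR, GROUP_RIDS):
        print(dn)
    print(members_filter("CN=Domain Users,CN=Users,DC=dot,DC=lan", 513))
```

Passing the filter from members_filter to ldapsearch in place of the memberOf-only one returns Administrator for Domain Users as well.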

