[Samba] Samba 4.1.6 (Ubuntu 14.04) ldapsearch memberof
Rowland Penny
rowlandpenny at googlemail.com
Mon Nov 24 03:10:31 MST 2014
On 24/11/14 00:19, Andrey wrote:
> Hi everyone,
>
> I recently installed Samba 4.1.6 on Ubuntu Server 14.04.01 LTS.
> My provision was:
>
> samba-tool domain provision --realm=DOT.LAN --domain=DOT
> --adminpass='Pa77w0rd' --dns-backend=SAMBA_INTERNAL
> --server-role=dc --use-xattr=yes --use-rfc2307
> --function-level=2008_R2 --use-ntvfs
>
> All required steps and tests according to the Samba wiki are completed
> successfully.
>
> When I do the following query I am getting the right answer too:
>
> ldapsearch -h srv10.dot.lan -x -LLL -D Administrator@dot.lan -W -b
> "dc=dot,dc=lan" "(&(CN=*)(memberOf=CN=Domain
> Admins,CN=Users,DC=dot,DC=lan))"
> Enter LDAP Password:
> dn: CN=Administrator,CN=Users,DC=dot,DC=lan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20141118230145.0Z
> whenChanged: 20141118230145.0Z
> uSNCreated: 3545
> uSNChanged: 3545
> name: Administrator
> objectGUID:: 231tfDn2Hk2oKoILIg4Ubw==
> userAccountControl: 512
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130608253050000000
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAvxqrOPvvKFwaHdNy9AEAAA==
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dot,DC=lan
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=dot,DC=lan
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=dot,DC=lan
> memberOf: CN=Enterprise Admins,CN=Users,DC=dot,DC=lan
> memberOf: CN=Schema Admins,CN=Users,DC=dot,DC=lan
> memberOf: CN=Domain Admins,CN=Users,DC=dot,DC=lan
> distinguishedName: CN=Administrator,CN=Users,DC=dot,DC=lan
>
> # refldap://dot.lan/CN=Configuration,DC=dot,DC=lan
>
> # refldap://dot.lan/DC=DomainDnsZones,DC=dot,DC=lan
>
> # refldap://dot.lan/DC=ForestDnsZones,DC=dot,DC=lan
>
>
> However, when I do this query, I am getting strange result:
>
> ldapsearch -h srv10.tcbv.tk -x -LLL -D Administrator@dot.lan -W -b
> "dc=dot,dc=lan" "(&(CN=*)(memberOf=CN=Domain
> Users,CN=Users,DC=dot,DC=lan))"
> Enter LDAP Password:
> # refldap://dot.lan/CN=Configuration,DC=dot,DC=lan
>
> # refldap://dot.lan/DC=DomainDnsZones,DC=dot,DC=lan
>
> # refldap://dot.lan/DC=ForestDnsZones,DC=dot,DC=lan
>
>
> The logs do not show any changes. Please be aware that the difference
> between the queries is in memberOf=CN=: the first group name is Domain
> Admins and the second is Domain Users.
> Am I missing something? Are there any security restrictions?
>
> Thank you.
>
>
OK, your first query should have given you a hint; amongst the answers,
there is this:
memberOf: CN=Administrators,CN=Builtin,DC=dot,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=dot,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=dot,DC=lan
memberOf: CN=Schema Admins,CN=Users,DC=dot,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=dot,DC=lan
Do you see 'Domain Users' there? No, because membership of 'Domain
Users' is handled by the 'primaryGroupID' attribute. Now unless you
change this from '513' (Domain Users RID) to another group RID,
'memberOf: CN=Domain Users,CN=Users,DC=dot,DC=lan' will never appear in
any user's record.
Rowland
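The point above, worked through as an added example (not code from the thread or from Samba): the Administrator entry quoted in the question is reused as constructed input, its binary objectSid is decoded, the primary group SID is derived from primaryGroupID, and the filter that actually finds members of 'Domain Users' is built. The function names and the dict layout are this example's own.

```python
"""Why a memberOf filter never finds 'Domain Users' members.

Added example, not from the thread: the entry below is the Administrator
record quoted in the question (objectSid, primaryGroupID, memberOf), and
the functions compute the membership that memberOf alone omits.
"""
import base64
import struct

# Well-known RID of 'Domain Users'; it is also the primaryGroupID value above.
DOMAIN_USERS_RID = 513

# Attributes copied from the quoted ldapsearch output (constructed dict).
ADMIN_ENTRY = {
    "objectSid": "AQUAAAAAAAUVAAAAvxqrOPvvKFwaHdNy9AEAAA==",
    "primaryGroupID": "513",
    "memberOf": [
        "CN=Administrators,CN=Builtin,DC=dot,DC=lan",
        "CN=Group Policy Creator Owners,CN=Users,DC=dot,DC=lan",
        "CN=Enterprise Admins,CN=Users,DC=dot,DC=lan",
        "CN=Schema Admins,CN=Users,DC=dot,DC=lan",
        "CN=Domain Admins,CN=Users,DC=dot,DC=lan",
    ],
}

def decode_objectsid(b64: str) -> str:
    """Decode the base64 binary SID (MS-DTYP 2.4.2.2) into S-1-5-21-... form."""
    raw = base64.b64decode(b64)
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # 32-bit little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def primary_group_sid(entry: dict) -> str:
    """Primary group = domain SID + primaryGroupID; it is never listed in memberOf."""
    user_sid = decode_objectsid(entry["objectSid"])
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%s" % (domain_sid, entry["primaryGroupID"])

def effective_groups(entry: dict) -> list:
    """memberOf DNs plus the primary group (as a SID; no directory lookup here)."""
    return list(entry["memberOf"]) + [primary_group_sid(entry)]

def members_filter(group_dn: str, group_rid: int) -> str:
    """Filter matching explicit members and users whose primary group this is."""
    return "(&(objectClass=user)(|(memberOf=%s)(primaryGroupID=%d)))" % (group_dn, group_rid)

if __name__ == "__main__":
    print(decode_objectsid(ADMIN_ENTRY["objectSid"]))
    print(primary_group_sid(ADMIN_ENTRY))
    print(members_filter("CN=Domain Users,CN=Users,DC=dot,DC=lan", DOMAIN_USERS_RID))
```

Pass the string returned by members_filter() to ldapsearch in place of the memberOf-only filter from the question to list every account in 'Domain Users'.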