[Samba] Strange behaviour with LDAP searches

L.P.H. van Belle belle at bazuin.nl
Wed Aug 26 06:59:40 UTC 2015


I don't see the bug...
and I upgraded multiple Debian Wheezy to Jessie,
and upgraded multiple Samba 4.1.17 to SerNet 4.2.3.

But I see:
-D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
Shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"?

If you're using Windows RSAT:

Enable the advanced view (View, third from the bottom).
Now go to the object, get the properties, tab FeaturesEditor,
and look for the distinguishedName.
Look if it's correct, I bet not.


Greetz, 

Louis



>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heiko Wundram
>Sent: Tuesday 25 August 2015 23:25
>To: samba
>Subject: [Samba] Strange behaviour with LDAP searches
>
>Hey,
>
>I stumbled across strange behaviour with LDAP searches against a Samba
>4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't
>deliver any result, whereas queries (|(...)(...)) will function
>correctly. To illustrate:
>
>- ---
>modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b
>"dc=id,dc=modelnine,dc=org" -W -D "cn=Machine
>Account,cn=Users,dc=id,dc=modelnine,dc=org"
>"(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc
>=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine
>,dc=org))"
>...
># LDAPv3
># base <dc=id,dc=modelnine,dc=org> with scope subtree
># filter:
>(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=
>org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
># requesting: ALL
>#
>
># Guests, Builtin, id.modelnine.org
>dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
>objectClass: top
>objectClass: group
>cn: Guests
>...
>
># Users, Builtin, id.modelnine.org
>dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>objectClass: top
>objectClass: group
>cn: Users
>...
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 6
># numEntries: 2
># numReferences: 3
>- ---
>
>vs.
>
>- ---
>modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b
>"dc=id,dc=modelnine,dc=org" -W -D "cn=Machine
>Account,cn=Users,dc=id,dc=modelnine,dc=org"
>"(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,
>dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Built
>in,dc=id,dc=modelnine,dc=org)))"
>...
># LDAPv3
># base <dc=id,dc=modelnine,dc=org> with scope subtree
># filter:
>(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,d
>c=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builti
>n,dc=id,dc=modelnine,dc=org)))
># requesting: ALL
>#
>
>...
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 4
># numReferences: 3
>- ---
>
>Searching with (objectClass=...) but only one (distinguishedName=...)
>specifier yields the correct result:
>
>- ---
>modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b
>"dc=id,dc=modelnine,dc=org" -W -D "cn=Machine
>Account,cn=Users,dc=id,dc=modelnine,dc=org"
>"(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc
>=id,dc=modelnine,dc=org))"
>...
># LDAPv3
># base <dc=id,dc=modelnine,dc=org> with scope subtree
># filter:
>(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=
>id,dc=modelnine,dc=org))
># requesting: ALL
>#
>
># Users, Builtin, id.modelnine.org
>dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>objectClass: top
>objectClass: group
>cn: Users
>...
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 5
># numEntries: 1
># numReferences: 3
>- ---
>
>Is this expected behaviour (I don't think so, at least I wouldn't
>understand why)? Anyway, the above seems to be happening with Samba 4
>starting from somewhere around 4.1.17 and tdb 1.3.6, as I can
>reproduce it with an installation of 4.1.19 and a current 4.2.3
>(sernet packages on Debian), whereas the above queries must have
>functioned correctly on a vanilla Debian Jessie installation
>beforehand (as there is software such as Redmine plugins which rely on
>being able to search for (objectClass=...)(|(dn=...)(dn=...))).
>
>Thanks for any heads up, and I'll gladly make a bug report out of this!
>
>- -- 
>Heiko Wundram.
>
>



