[Samba] Strange behaviour with LDAP searches

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 26 09:01:31 UTC 2015


On 26/08/15 07:59, L.P.H. van Belle wrote:
> I don't see the bug...
> and I upgraded multiple Debian Wheezy to Jessie,
> and upgraded multiple Samba 4.1.17 to SerNet 4.2.3.
>
> But I see:
> -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
> Shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"?

Hi Louis, sorry but no, 'Machine Account' appears to be a user :-)

I think the problem is this:

(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))

If you break it down, it tries to search for:

*AND*

(objectClass=group)

*AND*

(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)

*OR*

(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)

I think the *OR* is the problem, the search cannot decide which to 
search in because they both exist, so it returns nothing. It isn't an 
ldapsearch problem because ldbsearch returns the same result.

Rowland

>
> If you're using Windows RSAT,
>
> enable the advanced view (View - 3rd from below).
> Now go to the object, get the properties, tab FeaturesEditor,
> look for the distinguishedName.
> Look if it's correct, I bet not.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heiko Wundram
>> Sent: Tuesday 25 August 2015 23:25
>> To: samba
>> Subject: [Samba] Strange behaviour with LDAP searches
>>
>> Hey,
>>
>> I stumbled across strange behaviour with LDAP searches against a Samba
>> 4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't
>> deliver any result, whereas queries (|(...)(...)) will function
>> correctly. To illustrate:
>>
>> ---
>> modelnine@xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>     -b "dc=id,dc=modelnine,dc=org" -W \
>>     -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>     "(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>> ...
>> # LDAPv3
>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>> # filter: (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
>> # requesting: ALL
>> #
>>
>> # Guests, Builtin, id.modelnine.org
>> dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
>> objectClass: top
>> objectClass: group
>> cn: Guests
>> ...
>>
>> # Users, Builtin, id.modelnine.org
>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>> objectClass: top
>> objectClass: group
>> cn: Users
>> ...
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 6
>> # numEntries: 2
>> # numReferences: 3
>> ---
>>
>> vs.
>>
>> ---
>> modelnine@xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>     -b "dc=id,dc=modelnine,dc=org" -W \
>>     -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>     "(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))"
>> ...
>> # LDAPv3
>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>> # filter: (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>> # requesting: ALL
>> #
>>
>> ...
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 4
>> # numReferences: 3
>> ---
>>
>> Searching with (objectClass=...) but only one (distinguishedName=...)
>> specifier yields the correct result:
>>
>> ---
>> modelnine@xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>     -b "dc=id,dc=modelnine,dc=org" -W \
>>     -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>     "(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>> ...
>> # LDAPv3
>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>> # filter: (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
>> # requesting: ALL
>> #
>>
>> # Users, Builtin, id.modelnine.org
>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>> objectClass: top
>> objectClass: group
>> cn: Users
>> ...
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 5
>> # numEntries: 1
>> # numReferences: 3
>> ---
>>
>> Is this expected behaviour (I don't think so, at least I wouldn't
>> understand why)? Anyway, the above seems to be happening with Samba 4
>> starting from somewhere around 4.1.17 and tdb 1.3.6, as I can
>> reproduce it with an installation of 4.1.19 and a current 4.2.3
>> (sernet packages on Debian), whereas the above queries must have
>> functioned correctly on a vanilla Debian Jessie installation
>> beforehand (as there is software such as Redmine plugins which rely on
>> being able to search for (objectClass=...)(|(dn=...)(dn=...))).
>>
>> Thanks for any heads up, and I'll gladly make a bug report out of this!
>>
>> -- 
>> Heiko Wundram.
>



