[Samba] Strange behaviour with LDAP searches

L.P.H. van Belle belle at bazuin.nl
Wed Aug 26 09:09:38 UTC 2015


Ah, ok, yes, I didn't look too well at the filters.

I was thinking the "Machine Account" was an OU,
but what's strange also: why is that machine account in the "user", and not in "Computers"?
I don't have any "computer" in the users OU.



Regards,

Louis


>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Wednesday 26 August 2015 11:02
>To: samba at lists.samba.org
>Subject: Re: [Samba] Strange behaviour with LDAP searches
>
>On 26/08/15 07:59, L.P.H. van Belle wrote:
>> I don't see the bug...
>> and I upgraded multiple Debian wheezy to jessie,
>> and upgraded multiple Samba 4.1.17 to sernet 4.2.3.
>>
>> but I see:
>> -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
>> shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" ?
>
>Hi Louis, sorry but no, 'Machine Account' appears to be a user :-)
>
>I think the problem is this:
>
>(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>
>If you break it down, it tries to search for:
>
>*AN*
>
>(objectClass=group)
>
>*AND*
>
>(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
>
>*OR*
>
>(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)
>
>I think the *OR* is the problem, the search cannot decide which to 
>search in because they both exist, so it returns nothing. It isn't an 
>ldapsearch problem because ldbsearch returns the same result.
>
>Rowland
>
>>
>> If you're using Windows RSAT:
>>
>> enable the advanced view (View - 3rd from the bottom).
>> Now go to the object, get the properties, tab FeaturesEditor,
>> look for the distinguishedName.
>> Look if it's correct, I bet not.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heiko Wundram
>>> Sent: Tuesday 25 August 2015 23:25
>>> To: samba
>>> Subject: [Samba] Strange behaviour with LDAP searches
>>>
>>> Hey,
>>>
>>> I stumbled across strange behaviour with LDAP searches against a Samba
>>> 4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't
>>> deliver any result, whereas queries (|(...)(...)) will function
>>> correctly. To illustrate:
>>>
>>> ---
>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>>     -b "dc=id,dc=modelnine,dc=org" -W \
>>>     -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>>     "(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>>> ...
>>> # LDAPv3
>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>> # filter:
>>> (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
>>> # requesting: ALL
>>> #
>>>
>>> # Guests, Builtin, id.modelnine.org
>>> dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
>>> objectClass: top
>>> objectClass: group
>>> cn: Guests
>>> ...
>>>
>>> # Users, Builtin, id.modelnine.org
>>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>>> objectClass: top
>>> objectClass: group
>>> cn: Users
>>> ...
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 6
>>> # numEntries: 2
>>> # numReferences: 3
>>> ---
>>>
>>> vs.
>>>
>>> ---
>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>>     -b "dc=id,dc=modelnine,dc=org" -W \
>>>     -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>>     "(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))"
>>> ...
>>> # LDAPv3
>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>> # filter:
>>> (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>>> # requesting: ALL
>>> #
>>>
>>> ...
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 4
>>> # numReferences: 3
>>> ---
>>>
>>> Searching with (objectClass=...) but only one (distinguishedName=...)
>>> specifier yields the correct result:
>>>
>>> ---
>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>>     -b "dc=id,dc=modelnine,dc=org" -W \
>>>     -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>>     "(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>>> ...
>>> # LDAPv3
>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>> # filter:
>>> (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
>>> # requesting: ALL
>>> #
>>>
>>> # Users, Builtin, id.modelnine.org
>>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>>> objectClass: top
>>> objectClass: group
>>> cn: Users
>>> ...
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 5
>>> # numEntries: 1
>>> # numReferences: 3
>>> ---
>>>
>>> Is this expected behaviour (I don't think so, at least I wouldn't
>>> understand why)? Anyway, the above seems to be happening with Samba 4
>>> starting from somewhere around 4.1.17 and tdb 1.3.6, as I can
>>> reproduce it with an installation of 4.1.19 and a current 4.2.3
>>> (sernet packages on Debian), whereas the above queries must have
>>> functioned correctly on a vanilla Debian Jessie installation
>>> beforehand (as there is software such as Redmine plugins which rely on
>>> being able to search for (objectClass=...)(|(dn=...)(dn=...))).
>>>
>>> Thanks for any heads up, and I'll gladly make a bug report out of this!
>>>
>>> -- 
>>> Heiko Wundram.
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>
>
>
>
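For reference, what the three filters from the original report evaluate to under standard LDAP filter semantics (string form per RFC 4515), as an added example that is not part of the thread and not Samba code: a small parser and evaluator run over constructed entries. The entry attributes, the `search` helper and the plain case-insensitive DN comparison are assumptions made for illustration; under these semantics the AND + OR filter returns the same two groups as the OR-only filter.

```python
# Added example, not code from the thread. Supports &, |, ! and equality only.
DOMAIN = "DC=id,DC=modelnine,DC=org"
# Constructed entries modelled on the ldapsearch output quoted in the thread.
ENTRIES = [
    {"dn": f"CN=Guests,CN=Builtin,{DOMAIN}", "objectclass": ["top", "group"]},
    {"dn": f"CN=Users,CN=Builtin,{DOMAIN}", "objectclass": ["top", "group"]},
    # Assumption: the bind account's object classes are made up for contrast.
    {"dn": f"CN=Machine Account,CN=Users,{DOMAIN}", "objectclass": ["top", "user"]},
]

def parse(f, i=0):
    """Parse one filter component starting at f[i]; return (node, next index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op and op in "&|!":
        i, kids = i + 2, []
        while i < len(f) and f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if i >= len(f) or f[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' component near offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, sep, value = f[i + 1:max(end, 0)].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed equality match at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "=":
        _, attr, value = node
        # distinguishedName is answered from the entry's DN (plain string compare).
        values = [entry["dn"]] if attr == "distinguishedname" else entry.get(attr, [])
        return value in [v.lower() for v in values]
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def search(filter_text):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in ENTRIES if matches(node, e)]

USERS = f"(distinguishedName=cn=Users,cn=Builtin,{DOMAIN})"
GUESTS = f"(distinguishedName=cn=Guests,cn=Builtin,{DOMAIN})"
OR_ONLY = f"(|{USERS}{GUESTS})"
AND_OR = f"(&(objectClass=group){OR_ONLY})"
AND_ONE = f"(&(objectClass=group){USERS})"
print({name: search(f) for name, f in (("OR", OR_ONLY), ("AND+OR", AND_OR), ("AND", AND_ONE))})
```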



