[Samba] Strange behaviour with LDAP searches

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 26 09:26:07 UTC 2015


On 26/08/15 10:09, L.P.H. van Belle wrote:
> Ah, OK, yes, I didn't look too well at the filters.
>
> I was thinking the "Machine Account" was an OU,
> but what's strange also: why is that machine account in the "user", and not in "Computers"?
> I don't have any "computer" in the Users OU.
>
>
>
> Regards,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Wednesday 26 August 2015 11:02
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Strange behaviour with LDAP searches
>>
>> On 26/08/15 07:59, L.P.H. van Belle wrote:
>>> I don't see the bug...
>>> and I upgraded multiple Debian wheezy to jessie,
>>> and upgraded multiple Samba 4.1.17 to SerNet 4.2.3.
>>>
>>> But I see:
>>> -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
>>> Shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"?
>>
>> Hi Louis, sorry but no, 'Machine Account' appears to be a user :-)
>>
>> I think the problem is this:
>>
>> (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>>
>> If you break it down, it tries to search for:
>>
>> *AN*
>>
>> (objectClass=group)
>>
>> *AND*
>>
>> (distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
>>
>> *OR*
>>
>> (distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)
>>
>> I think the *OR* is the problem, the search cannot decide which to
>> search in because they both exist, so it returns nothing. It isn't an
>> ldapsearch problem because ldbsearch returns the same result.
>>
>> Rowland
>>
>>> If you're using Windows RSAT:
>>>
>>> Enable the advanced view (View - 3rd from the bottom).
>>> Now go to the object, get the properties, tab FeaturesEditor,
>>> look for the distinguishedName.
>>> See if it's correct; I bet not.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heiko Wundram
>>>> Sent: Tuesday 25 August 2015 23:25
>>>> To: samba
>>>> Subject: [Samba] Strange behaviour with LDAP searches
>>>>
>>>> Hey,
>>>>
>>>> I stumbled across strange behaviour with LDAP searches against a Samba
>>>> 4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't
>>>> deliver any result, whereas queries (|(...)(...)) will function
>>>> correctly. To illustrate:
>>>>
>>>> ---
>>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>>>   -b "dc=id,dc=modelnine,dc=org" -W \
>>>>   -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>>>   "(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>>>> ...
>>>> # LDAPv3
>>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>>> # filter: (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # Guests, Builtin, id.modelnine.org
>>>> dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
>>>> objectClass: top
>>>> objectClass: group
>>>> cn: Guests
>>>> ...
>>>>
>>>> # Users, Builtin, id.modelnine.org
>>>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>>>> objectClass: top
>>>> objectClass: group
>>>> cn: Users
>>>> ...
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 6
>>>> # numEntries: 2
>>>> # numReferences: 3
>>>> ---
>>>>
>>>> vs.
>>>>
>>>> ---
>>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>>>   -b "dc=id,dc=modelnine,dc=org" -W \
>>>>   -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>>>   "(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))"
>>>> ...
>>>> # LDAPv3
>>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>>> # filter: (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>>>> # requesting: ALL
>>>> #
>>>>
>>>> ...
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 4
>>>> # numReferences: 3
>>>> ---
>>>>
>>>> Searching with (objectClass=...) but only one (distinguishedName=...)
>>>> specifier yields the correct result:
>>>>
>>>> ---
>>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org \
>>>>   -b "dc=id,dc=modelnine,dc=org" -W \
>>>>   -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" \
>>>>   "(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>>>> ...
>>>> # LDAPv3
>>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>>> # filter: (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # Users, Builtin, id.modelnine.org
>>>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>>>> objectClass: top
>>>> objectClass: group
>>>> cn: Users
>>>> ...
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 5
>>>> # numEntries: 1
>>>> # numReferences: 3
>>>> ---
>>>>
>>>> Is this expected behaviour (I don't think so, at least I wouldn't
>>>> understand why)? Anyway, the above seems to be happening with Samba 4
>>>> starting from somewhere around 4.1.17 and tdb 1.3.6, as I can
>>>> reproduce it with an installation of 4.1.19 and a current 4.2.3
>>>> (sernet packages on Debian), whereas the above queries must have
>>>> functioned correctly on a vanilla Debian Jessie installation
>>>> beforehand (as there is software such as Redmine plugins which rely on
>>>> being able to search for (objectClass=...)(|(dn=...)(dn=...))).
>>>>
>>>> Thanks for any heads up, and I'll gladly make a bug report out of this!
>>>>
>>>> -- 
>>>> Heiko Wundram.
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>

Neither do I, but I don't think "Machine Account" is a computer.
I think it is an administrative user i.e. 'Mr M Account' :-D

Rowland
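
For reference, the three filters from the thread evaluated under standard RFC 4515 semantics, where an AND with a nested OR selects every entry that satisfies the AND term and at least one OR branch. This is an added example, not part of the original messages and not Samba code; the entries are constructed from the quoted output, the objectClass values of the "Machine Account" entry are an assumption, and case-insensitive string comparison stands in for real DN matching.

```python
BASE = "dc=id,dc=modelnine,dc=org"
DN_USERS, DN_GUESTS = f"cn=Users,cn=Builtin,{BASE}", f"cn=Guests,cn=Builtin,{BASE}"
# Constructed entries; the "Machine Account" objectClass values are an assumption.
ENTRIES = [
    {"distinguishedName": [f"CN=Users,CN=Builtin,{BASE}"], "objectClass": ["top", "group"]},
    {"distinguishedName": [f"CN=Guests,CN=Builtin,{BASE}"], "objectClass": ["top", "group"]},
    {"distinguishedName": [f"CN=Machine Account,CN=Users,{BASE}"], "objectClass": ["top", "user"]},
]
OR_ONLY = f"(|(distinguishedName={DN_USERS})(distinguishedName={DN_GUESTS}))"
AND_OR = f"(&(objectClass=group){OR_ONLY})"
AND_ONE = f"(&(objectClass=group)(distinguishedName={DN_USERS}))"

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op and op in "&|!":
        kids, i = [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, sep, value = f[i + 1:end].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed equality filter at offset {i}")
    # Simplification: casefold stands in for the attribute's real matching rule.
    return ("=", attr.casefold(), value.casefold()), end + 1

def matches(node, entry):
    if node[0] in "&|":
        results = (matches(k, entry) for k in node[1])
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    have = [v.casefold() for k, vs in entry.items() if k.casefold() == node[1] for v in vs]
    return bool(have) if node[2] == "*" else node[2] in have  # "*" is a presence test

def search(filter_text):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(e["distinguishedName"][0] for e in ENTRIES if matches(node, e))

if __name__ == "__main__":
    for name, flt in (("OR only", OR_ONLY), ("AND + OR", AND_OR), ("AND + one DN", AND_ONE)):
        print(f"{name}: {search(flt)}")
```

Running the same three filters against a directory server after each upgrade and comparing the entry counts with this reference gives a quick regression check for the behaviour reported above.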


