[Samba] Strange behaviour with LDAP searches

Heiko Wundram modelnine at modelnine.org
Wed Aug 26 09:23:55 UTC 2015 

Hey,

Am 26.08.2015 11:09, schrieb L.P.H. van Belle:
> ah, ok, yes, i didnt look to good at the filters.
> 
> I was thinking the "Machine Account" was an OU
> but whats strange also, why is that machine account in the "user", and
> not in "Computers"
> i dont have any "computer" in the users OU.

the "machine account" is a regular user that I created for non-joined 
"machines/services" to access AD directory information. I.e., it's a 
mostly unprivileged user (in cn=Users) that simply allows bind access to 
the directory for queries from external services such as nslcd - and in 
this specific case also Redmine (for group synchronization from AD).

What I'm slightly worried about is that the OR-query should, from what I 
know about LDAP filters, return two results, as both groups exist, and 
just using the query

(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
   (distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))

-> 2 results

does return both groups. What breaks the search is AND-ing this query 
with the requirement that the returned objects have one of the specified 
dns and also (objectClass=group): this search returns no results:

(&(objectClass=group)
   (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
     (distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))

-> 0 results

What does return a (single) result (as it should) is asking for a single 
group with (objectClass=group) and a DN:

(&(objectClass=group)
   (distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))

-> 1 result

I'm more than sure that the combined query "works" (returns two results) 
with a vanilla Debian Jessie Samba 4 installation (as I've had Redmine 
pull the groups for users from AD for quite some time) and I'm trying to 
recreate that now; it does not work anymore after upgrading the system 
to a Sernet Samba 4.2.3, and neither does it work against the Gentoo 
Samba 4.1.19 I have running on the system I posted the queries from.

As Redmine uses a query of the form 
(&(objectClass=group)(|(distinguishedName=group1)(distinguishedName=group2)(distinguishedName=group3)(...))) 
resolve the memberOf-elements of a user (replacing group1, etc. with an 
OR-join of the DNs), and this does not return any elements, Redmine 
currently does not assign _any_ groups to users retrieved from AD, which 
is a show-stopper.

Does this clear up better what the problem is?

-- 
--- Heiko.

More information about the samba mailing list