[Samba] Strange behaviour with LDAP searches
rowlandpenny241155 at gmail.com
Wed Aug 26 10:24:56 UTC 2015
On 26/08/15 10:23, Heiko Wundram wrote:
> Am 26.08.2015 11:09, schrieb L.P.H. van Belle:
>> ah, ok, yes, I didn't look too closely at the filters.
>> I was thinking the "Machine Account" was an OU,
>> but what's also strange: why is that machine account in "Users" and
>> not in "Computers"?
>> I don't have any "computer" in the Users OU.
> the "machine account" is a regular user that I created for non-joined
> "machines/services" to access AD directory information. I.e., it's a
> mostly unprivileged user (in cn=Users) that simply allows bind access
> to the directory for queries from external services such as nslcd -
> and in this specific case also Redmine (for group synchronization from
> What I'm slightly worried about is that the OR-query should, from what
> I know about LDAP filters, return two results, as both groups exist,
> and just using the query
> -> 2 results
> does return both groups. What breaks the search is AND-ing this query
> with the requirement that the returned objects have one of the
> specified dns and also (objectClass=group): this search returns no
> -> 0 results
> What does return a (single) result (as it should) is asking for a
> single group with (objectClass=group) and a DN:
> -> 1 result
> I'm more than sure that the combined query "works" (returns two
> results) with a vanilla Debian Jessie Samba 4 installation
It doesn't work for me on Debian wheezy with samba from backports:
> (as I've had Redmine pull the groups for users from AD for quite some
> time) and I'm trying to recreate that now; it does not work anymore
> after upgrading the system to a Sernet Samba 4.2.3, and neither does
> it work against the Gentoo Samba 4.1.19 I have running on the system I
> posted the queries from.
> As Redmine uses a query of the form
> resolve the memberOf-elements of a user (replacing group1, etc. with
> an OR-join of the DNs), and this does not return any elements, Redmine
> currently does not assign _any_ groups to users retrieved from AD,
> which is a show-stopper.
> Does this clear up better what the problem is?
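The filter under discussion is the Redmine-style lookup that ANDs (objectClass=group) with an OR of distinguishedName terms. The example below is added here and is not code from the thread, from Redmine or from Samba: it builds that filter with RFC 4515 escaping (a DN containing parentheses or a backslash would otherwise corrupt the filter, or let a caller splice in extra terms), and runs it against a small in-memory stand-in for the directory so the expected result of the combined query (both groups, and nothing that is not a group) can be checked offline. The group DNs, the "dc=example,dc=com" base and the sample entries are assumptions constructed for the example; the tiny filter evaluator only supports &, | and attribute=value, which is all this filter needs.

```python
"""Added example: build the (&(objectClass=group)(|(distinguishedName=...)...))
filter safely and check what it should match.  Sample DNs and entries below
are constructed for this example, not taken from the thread."""
import re

# RFC 4515: these characters must be hex-escaped inside filter values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_dns):
    """Return the combined filter the thread describes:
    (&(objectClass=group)(|(distinguishedName=dn1)(distinguishedName=dn2)...))"""
    if not group_dns:
        raise ValueError("need at least one group DN")
    terms = "".join(f"(distinguishedName={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectClass=group)(|{terms}))"


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\28 -> '(' and so on)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(expr: str, pos: int = 0):
    """Parse one parenthesised component at expr[pos]; returns (node, next_pos).
    Only &, | and attribute=value are supported (enough for this filter)."""
    if pos >= len(expr) or expr[pos] != "(":
        raise ValueError("malformed filter: expected '('")
    pos += 1
    if pos < len(expr) and expr[pos] in "&|":
        op, pos, children = expr[pos], pos + 1, []
        while pos < len(expr) and expr[pos] == "(":
            child, pos = _parse(expr, pos)
            children.append(child)
        if pos >= len(expr) or expr[pos] != ")":
            raise ValueError("malformed filter: expected ')'")
        return (op, children), pos + 1
    end = expr.find(")", pos)
    if end < 0 or "=" not in expr[pos:end]:
        raise ValueError("malformed filter: bad attribute=value term")
    attr, value = expr[pos:end].split("=", 1)
    return ("=", attr.lower(), _unescape(value)), end + 1


def _matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry (attribute names lower-cased,
    values compared case-insensitively, as AD does for these attributes)."""
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def is_well_formed(filter_expr: str) -> bool:
    """True if the whole string parses as one filter with nothing left over."""
    try:
        _, end = _parse(filter_expr)
        return end == len(filter_expr)
    except ValueError:
        return False


def search(entries, filter_expr: str):
    """Return the DNs of entries the filter should match (what a correct server returns)."""
    node, end = _parse(filter_expr)
    if end != len(filter_expr):
        raise ValueError("malformed filter: trailing text")
    return [e["distinguishedname"][0] for e in entries if _matches(node, e)]


# Constructed sample directory: two groups, one group with parentheses in its
# name, and the unprivileged bind user from the thread (objectClass user, not group).
GROUP1 = "CN=group1,CN=Users,DC=example,DC=com"
GROUP2 = "CN=group2,CN=Users,DC=example,DC=com"
GROUP_PARENS = "CN=Sales (EMEA),CN=Users,DC=example,DC=com"
BIND_USER = "CN=machine account,CN=Users,DC=example,DC=com"
SAMPLE_ENTRIES = [
    {"objectclass": ["top", "group"], "distinguishedname": [GROUP1]},
    {"objectclass": ["top", "group"], "distinguishedname": [GROUP2]},
    {"objectclass": ["top", "group"], "distinguishedname": [GROUP_PARENS]},
    {"objectclass": ["top", "person", "user"], "distinguishedname": [BIND_USER]},
]

if __name__ == "__main__":
    combined = build_group_filter([GROUP1, GROUP2, BIND_USER])
    print(combined)
    print(search(SAMPLE_ENTRIES, combined))   # the two groups only; the user is filtered out
    print(search(SAMPLE_ENTRIES, build_group_filter([GROUP_PARENS])))
```

The same filter string can be handed to ldapsearch or an LDAP client library to compare a server's answer against the list this stand-in produces; if the server returns fewer entries than the evaluator does for the same data, the discrepancy is on the server side, which is the situation the thread describes. The escaping is the part worth keeping regardless: a DN with a parenthesis in it is not exotic in AD, and an unescaped one does not merely fail, it changes the filter's structure.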