[Samba] Nested Group control doesn't work

Andrew Bartlett abartlet at samba.org
Sun Dec 13 04:06:22 UTC 2015

On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher wrote:
> Hey guys,
> We can perform this LDAP query against Windows Server 2012 no
> problem, but
> against samba it's failing:
> (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_u
> sers,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com))
> Is that "nested group" tree control
> (memberOf:1.2.840.113556.1.4.1941:)
> supported? If not, is there a better way to design this ldap search
> so it
> supports nested groups?

No, it is not currently supported.  It made it into Samba master, but
was reverted due to a crash bug pointed out on:

We hope to return it for 4.4.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list