[Samba] smbldap-showuser and ldapsearch can't show groups user belongs to.

Mon Sep 9 16:19:56 UTC 2019

On 09/09/2019 16:55, Mauricio Tavares wrote:
> On Fri, Sep 6, 2019 at 4:12 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 06/09/2019 20:14, Mauricio Tavares via samba wrote:
>>> Quick-n-easy questions:
>>>
>>> Let's say user raub is added to group nosy using smbldap-groupmod
>>>
>>> smbldap-groupmod -m raub nosy
>>>
>>> Now, according to ol' ldapsearch,
>>>
>>>
>>> ldapsearch -vvv -H "ldaps://ldap.example.com" -D
>>> "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
>>> sub "(cn-nosy)"
>>>
>>> group nosy has a dn attribute that looks like this
>>>
>>> dn: cn=nosy,ou=PosixGroups,dc=example,dc=com
>>>
>>> ldapsearch even lists the memberUid for each member in said group. So
>>> far so good. However, when I ask ldapsearch to tell me about raub,
>>>
>>> ldapsearch -vvv -H "ldaps://ldap.example.com" -D
>>> "uid=admin,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s
>>> sub "(uid=raub)"
>>>
>>> It will give me lots of exciting info about said user but not a single
>>> memberOf attribute. The same goes for smbldap-showuser.  Is there
>>> anything I might have misconfigured here? Incidentally, if I do "id
>>> raub", I get the list of non local groups said user belongs to,
>>> including nosy.
>>>
>> Yes, you mis-configured your domain as an old NT4-style domain, why ?
>>
>        Actually this is an openldap domain. About smbldap-tools, the
> day before I sent the original question in this thread was the first
> time I've heard of that package. Other info indicates this was setup
> long time ago and is in dire need of being upgrade.
>
Nope, if Samba is involved, it will be a PDC and a PDC is an NT4-style 
domain controller, which makes it a Samba domain that uses Openldap.

Saying 'in dire need of being upgraded', could just be the 
understatement of the year ;-)

All and any (in my opinion) NT4-style DCs should be upgraded to AD.

Rowland