[Samba] Ldapsearch against Samba AD returns records outside the search base
Palle Kuling
ltm at mnwa.net
Sat Feb 1 09:54:40 UTC 2020
Hello,
Ldbsearch returns the correct result. However, this particular query is
performed by an external system (that does not have access to the LDB
files) to check whether a certain user belongs to a specific OU or not.
The query is performed over LDAP against Samba, so it is not an
ldapsearch-only problem. I only used ldapsearch to verify the behavior.
Regardless of whether the query is wrong or not, I can't influence how this
external system performs the query; the only things that can be changed
are the search base and the attribute that contains the username. The
problem here is that the results are not consistent. I was sure that
this had worked correctly in the past, so I compiled Samba 4.9.4 from
source and extracted an old backup copy of the Samba directory from last
year: when the ldapsearch is run against Samba 4.9.4 it does NOT include
results from outside the search base, but behaves exactly like the
Windows DCs.
Is it possible to configure the new (4.11.4 and later) Samba to behave like
4.9.4 used to, because the current behavior is not consistent with the
Windows DCs and breaks this OU check? It is not apparent to me why the
behavior has changed; surely the same criteria for uniqueness of the
sAMAccountName etc. have existed in 4.9.4, yet it chose not to return
results outside the search base.
Regards,
-P
On 2020-01-31 17:08, Rowland penny via samba wrote:
> On 31/01/2020 13:50, Palle Kuling via samba wrote:
>> Hi,
>>
>> I noticed the following problem with records returned outside the
>> search base when the query is run against a Samba DC, but when the
>> same query is run against a Windows 2008 or 2012 DC it does not
>> happen. I'm pretty sure it worked correctly in the past. I updated
>> from Samba 4.9.4 to 4.11.4 in December, but I noticed it only today,
>> and I no longer have a backup of the old installation to verify. I
>> tried building versions 4.11.5 and 4.11.6 against the same database,
>> but they all behave in the same way. Am I missing some config option,
>> or is it a bug? These kinds of queries are used to check if an account
>> exists in a certain OU, so I would not want the DCs to behave
>> differently for the same query.
>>
>> This is how it looks when I run a query (I redacted the domain and
>> account names a bit):
>>
>> ldapsearch -D username at internal.xxx.yy -w password -H ldaps://<samba
>> DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy
>> samaccountname=testadmin
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
>> # filter: samaccountname=testadmin
>> # requesting: ALL
>> #
>>
>> # Test Admin, Test, internal.xxx.yy
>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Test Admin
>> <snip>
>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I would want results only from OU=Business, but the response comes
>> from OU=Test. If I run the same query against one of the Windows DCs,
>> they return the answer I want (= no record):
>>
>> ldapsearch -D username at internal.xxx.yy -w password -H ldaps://<windows
>> DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy
>> samaccountname=testadmin
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=business,dc=internal,dc=iceye,dc=fi> with scope oneLevel
>> # filter: samaccountname=testadmin
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> If the search base is replaced with -b
>> ou=test,dc=internal,dc=xxx,dc=yy, both Samba and Windows return the
>> same answer record. An ldapcmp between the Samba and Windows DCs shows
>> no other differences than the Windows DCs sometimes having more
>> attributes listed (like WHENCREATED and INSTANCETYPE), but it was
>> always like this. Also, samba-tool drs showrepl shows no errors, so all
>> DCs should have the same data.
>>
>> Regards,
>> -P
>>
> Problem is, if you are searching on 'sAMAccountName', then you need to
> search the entire directory, since they must be unique.
>
> Not saying that your search isn't returning the wrong result, just
> that you are doing an incorrect search. Also, does ldbsearch return a
> wrong result? If it doesn't, then it is an ldapsearch problem.
>
> Rowland
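The OU check in this thread trusts the DC to honour the search base and scope of the query, which is exactly what differs between the Samba and Windows DCs here. The following script, added as an illustration and not code from the thread or from the Samba project, applies the base/scope rule on the client side: it pulls every dn: out of ldapsearch LDIF output, splits DNs on unescaped commas and compares RDNs case-insensitively (AD DNs are case-insensitive), and reports entries that fall outside the requested base for scope base, one or sub. The embedded LDIF is a constructed copy of the Samba response shown above; the function names and the sAMAccountName check are assumptions, not part of the original post.

```python
"""Client-side verification that LDAP search results lie inside the requested
search base and scope. Constructed example, not code from the Samba project."""

import base64


def _split_unescaped(s, sep):
    """Split s on sep, ignoring occurrences escaped with a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Return the DN as a tuple of normalised RDNs, leaf first.

    Attribute types and values are lower-cased and trimmed so that
    'OU=Test,DC=internal' and 'ou=test, dc=internal' compare equal, as they
    do on an AD DC. Multi-valued RDNs (a+b) are sorted so order is irrelevant.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("malformed RDN: %r" % ava)
            typ, val = ava.split("=", 1)
            avas.append((typ.strip().lower(), val.strip().lower()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is inside base_dn for LDAP scope 'base', 'one' or 'sub'."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                     # not under the base at all
    depth = len(entry) - len(base)       # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


def parse_ldif_dns(ldif_text):
    """Extract the dn of every entry from ldapsearch LDIF output.

    Handles folded continuation lines (leading space) and base64 'dn::' values;
    '#' comment lines such as '# base <...>' never match and are ignored.
    """
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]       # unfold continuation line
        else:
            logical.append(raw)
    dns = []
    for line in logical:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def out_of_scope(ldif_text, base_dn, scope):
    """DNs in the LDIF that a DC honouring base+scope should not have returned."""
    return [dn for dn in parse_ldif_dns(ldif_text) if not in_scope(dn, base_dn, scope)]


# Constructed sample: the Samba response quoted in the thread (attributes trimmed).
SAMBA_RESPONSE = """# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#

# Test Admin, Test, internal.xxx.yy
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: user
cn: Test Admin
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    base = "ou=business,dc=internal,dc=xxx,dc=yy"
    for dn in out_of_scope(SAMBA_RESPONSE, base, "one"):
        print("outside base %s (scope one): %s" % (base, dn))
```

Run the same check over the output of `ldapsearch ... -s one -b <base>` from each DC; an "account exists in this OU" decision should be taken only on DNs that pass `in_scope`, so a DC that ignores the base cannot turn a user in OU=Test into a member of OU=Business.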