[Samba] Ldapsearch against Samba AD returns records outside the search base

Palle Kuling ltm at mnwa.net
Sat Feb 1 09:54:40 UTC 2020


Hello,

Ldbsearch returns the correct result. However this particular query is 
performed by an external system (that does not have access to the LDB 
files), to check whether a certain user belongs to a specific OU or not. 
The query is performed over LDAP against Samba, so it is not a 
ldapsearch-only problem. I only used ldapsearch to verify the behavior.

Regardless of whether the query is wrong or not, I can't influence how this 
external system performs the query - the only things that can be changed 
are the search base and the attribute that contains the username. The 
problem here is that the results are not consistent. I was sure that 
this had worked correctly in the past, so I compiled Samba 4.9.4 from 
source and extracted an old backup copy of the Samba directory from last 
year: when the ldapsearch is run against Samba 4.9.4 it does NOT include 
results from outside the search base, but behaves exactly like the 
Windows DCs.

Is it possible to configure the new (4.11.4->) Samba to behave like 
4.9.4 used to, because the current behavior is not consistent with the 
Windows DCs and breaks this OU check? It is not apparent to me why the 
behavior has changed - surely the same criteria for uniqueness of the 
sAMAccountName etc have existed in 4.9.4, yet it chose to not return 
results outside the search base.

Regards,
-P

On 2020-01-31 17:08, Rowland penny via samba wrote:
> On 31/01/2020 13:50, Palle Kuling via samba wrote:
>> Hi,
>> 
>> I noticed the following problem with records returned outside the 
>> search base when the query is run against a Samba DC, but when the 
>> same query is run against a Windows 2008 or 2012 DC it does not 
>> happen. I'm pretty sure it worked correctly in the past. I updated 
>> from Samba 4.9.4 to 4.11.4 in December, but I noticed it only today, 
>> and I no longer have a backup of the old installation to verify. I 
>> tried building versions 4.11.5 and 4.11.6 against the same database, 
>> but they all behave in the same way. Am I missing some config option, 
>> or is it a bug? These kinds of queries are used to check if an account 
>> exists in a certain OU, so I would not want the DCs to behave 
>> differently for the same query.
>> 
>> This is how it looks when I run a query (I redacted the domain and 
>> account names a bit):
>> 
>> ldapsearch -D username@internal.xxx.yy -w password -H ldaps://<samba 
>> DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
>> samaccountname=testadmin
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
>> # filter: samaccountname=testadmin
>> # requesting: ALL
>> #
>> 
>> # Test Admin, Test, internal.xxx.yy
>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Test Admin
>> <snip>
>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 2
>> # numEntries: 1
>> 
>> I would want results only from OU=Business, but the response comes 
>> from OU=Test. If I run the same query against one of the Windows DCs, 
>> they return the answer I want (=no record):
>> 
>> ldapsearch -D username@internal.xxx.yy -w password -H ldaps://<windows 
>> DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
>> samaccountname=testadmin
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=business,dc=internal,dc=iceye,dc=fi> with scope oneLevel
>> # filter: samaccountname=testadmin
>> # requesting: ALL
>> #
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 1
>> 
>> If the search base is replaced with -b 
>> ou=test,dc=internal,dc=xxx,dc=yy, both Samba and Windows return the 
>> same answer record. An ldapcmp between the Samba and Windows DCs shows 
>> no other differences than the Windows DCs sometimes having more 
>> attributes listed (like WHENCREATED and INSTANCETYPE), but it was 
>> always like this. Also samba-tool drs showrepl shows no errors, so all 
>> DCs should have the same data.
>> 
>> Regards,
>> -P
>> 
> Problem is, if you are searching on 'sAMAccountName', then you need to
> search the entire directory; they must be unique.
> 
> Not saying that your search isn't returning the wrong result, just
> that you are doing an incorrect search. Also, does ldbsearch return a
> wrong result? If it doesn't, then it is an ldapsearch problem.
> 
> Rowland
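A client-side guard for the OU check discussed in this thread, written here as an added example (it is not code from Samba, from ldapsearch, or from either poster): it parses the LDIF that ldapsearch prints and re-applies the requested search scope itself, so an entry the server returned from outside the search base is flagged and is not counted as an OU match. The sample LDIF below is constructed to mirror the redacted output in the thread; the function names and the base DN value are assumptions.

```python
"""Verify that every entry an LDAP search returned lies within the requested
search base and scope, instead of trusting the server to have enforced it.

Added illustration for the thread above, not project code. Assumptions:
the DN layout is AD-style (single-valued RDNs), the base DN and sample LDIF
are constructed, and base64-encoded 'dn::' lines are not handled.
"""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, leaf first.

    Simplified RFC 4514 handling: backslash escapes are kept verbatim so a
    '\\,' does not split an RDN; types and values are lower-cased and
    whitespace-trimmed so 'OU=Test' and 'ou=test' compare equal.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep both bytes
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends an RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the RFC 4511 scope rule: base = the base entry only,
    one = immediate children only, sub = the base and everything below."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if scope == "base":
        return entry == base
    if scope == "one":
        return len(entry) == len(base) + 1 and entry[1:] == base
    if scope == "sub":
        return len(entry) >= len(base) and entry[-len(base):] == base
    raise ValueError(f"unknown scope {scope!r}")


def dns_from_ldif(ldif: str) -> list[str]:
    """Collect entry DNs from ldapsearch LDIF output: skips '#' comment
    lines and joins folded continuation lines (leading space)."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [ln[len("dn: "):].strip() for ln in lines if ln.startswith("dn: ")]


def out_of_scope_entries(ldif: str, base_dn: str, scope: str) -> list[str]:
    """DNs the server returned that violate the requested base/scope."""
    return [dn for dn in dns_from_ldif(ldif) if not in_scope(dn, base_dn, scope)]


def account_in_ou(ldif: str, base_dn: str) -> bool:
    """The OU-membership check itself: true only if some returned entry is a
    direct child of base_dn; out-of-scope entries are ignored, not trusted."""
    return any(in_scope(dn, base_dn, "one") for dn in dns_from_ldif(ldif))


# Constructed sample modelled on the thread: a oneLevel search under
# OU=Business whose only result actually lives under OU=Test.
SAMBA_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#

# Test Admin, Test, internal.xxx.yy
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: user
cn: Test Admin
sAMAccountName: testadmin

# search result
search: 2
result: 0 Success
"""

BASE = "ou=business,dc=internal,dc=xxx,dc=yy"   # assumed search base

if __name__ == "__main__":
    print("out of scope:", out_of_scope_entries(SAMBA_OUTPUT, BASE, "one"))
    print("testadmin in OU=Business?", account_in_ou(SAMBA_OUTPUT, BASE))
```

Run against the sample, the out-of-scope list contains the OU=Test entry and the OU check reports false, which is the answer the Windows DCs in the thread give. The DN comparison is a deliberately simplified normalisation (case-insensitive types and values, escapes kept literal), adequate for AD-style DNs but not a full implementation of LDAP matching rules.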