[Samba] Ldapsearch against Samba AD returns records outside the search base

Rowland penny rpenny at samba.org
Sat Feb 1 12:05:31 UTC 2020 

On 01/02/2020 09:54, Palle Kuling via samba wrote:
> Hello,
>
> Ldbsearch returns the correct result. However this particular query is 
> performed by an external system (that does not have access to the LDB 
> files), to check whether a certain user belongs to a specific OU or 
> not. The query is performed over LDAP against Samba, so it is not a 
> ldapsearch-only problem. I only used ldapsearch to verify the behavior.
I beg to differ, if it works using ldbsearch, but doesn't work using 
ldapsearch, then it sounds like an ldapsearch problem
>
> Regardless of if the query is wrong or not, I can't influence how this 
> external system performs the query - the only things that can be 
> changed are the search base and the attribute that contains the 
> username. The problem here is that the results are not consistent. I 
> was sure that this had worked correctly in the past, so I compiled 
> Samba 4.9.4 from source and extracted an old backup copy of the Samba 
> directory from last year: when the ldapsearch is run against Samba 
> 4.9.4 it does NOT include results from outside the search base, but 
> behaves exactly like the Windows DC:s.

It doesn't matter whether this worked in the past or not, your search 
filter is wrong, I would expect something like this:

"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$USER))"

You also need to search the entire directory, you cannot have a user 
with the samaccountname 'fred' in one OU and another user with the 
samaccountname 'fred' in another OU, samaccountnames must be unique.

>
> Is it possible to configure the new (4.11.4->) Samba to behave like 
> 4.9.4 used to, because the current behavior is not consistent with the 
> Windows DC:s and breaks this OU check? It is not apparent to me why 
> the behavior has changed - surely the same criteria for uniqueness of 
> the sAMAccountName etc have existed in 4.9.4, yet it chose to not 
> return results outside the search base.
>
If it did work before and allowed you to create the same samaccountname 
in different OU's, then this was incorrect, If it has been fixed, then I 
do not see it being unfixed ;-)

Rowland

More information about the samba mailing list