[Samba] Ldapsearch against Samba AD returns records outside the search base

Palle Kuling ltm at mnwa.net
Mon Feb 3 12:10:46 UTC 2020 

Hello,

I'm using Ubuntu Linux. My Samba is self-compiled (and has been for the 
past five years). No other steps than ./configure; make; sudo make 
install are used.

I can confirm that using scope "sub" (all levels beneath the base DN) 
instead of "one" (one level beneath the base DN) is working correctly. 
It creates a small nuisance for me as there are objects lower than one 
level beneath the base DN that I technically don't want returned, but 
for now I can work around this by moving them somewhere else in the 
directory, as this query at least does not return objects outside the 
search base.

Contents of smb.conf as follows;

[global]
	netbios name = DC01
	realm = INTERNAL.XXX.YY
	workgroup = XXX
	server role = active directory domain controller
	interfaces = lo bond1
	bind interfaces only = yes
	dns forwarder = 8.8.8.8
	idmap_ldb:use rfc2307 = yes
	load printers = yes
	client NTLMv2 auth = yes
	ntlm auth = yes
	logging = syslog file
	log level = 1 auth_audit:3

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/internal.xxx.yy/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[printers]
	path = /var/spool/samba
	printable = yes
	printing = CUPS

Regards,
-P

On 2020-02-02 18:51, Rowland penny via samba wrote:
> On 02/02/2020 14:39, Christian Naumer via samba wrote:
>> Hello all,
>> I just tried this on our setup and it ist the same there. I get 
>> results
>> from other OUs. Using sub instead of one I get the "right" results.
>> 
>> 
> Problem is, I have tried the OP's search command against Samba 4.7.12,
> 4.10.6 and 4.11.6
> 
> Created two OU's: OU=testou1 and OU=testou2
> 
> Created a user 'OUser1' in OU=testou1
> 
> I did this on all three versions of Samba and then ran the OP's
> ldapsearch command (modified for the dns domain) and depending on
> which OU I searched in (using -s one) I either got no result or the
> expected result, I even tried a non existing user and got nothing.
> 
> Or to put it another way, I cannot get the same result as the OP.
> 
> Time for a few questions:
> 
> What OS is the user using ?
> 
> Is the OP using distro packages, packages from somewhere else, or a
> self compiled Samba ?
> 
> If self compiled, how was it compiled ?
> 
> What is in smb.conf ?
> 
> Rowland

More information about the samba mailing list