[Samba] Ldapsearch against Samba AD returns records outside the search base
Rowland penny
rpenny at samba.org
Mon Feb 3 17:31:08 UTC 2020
On 03/02/2020 16:17, Palle Kuling via samba wrote:
> Hello,
>
> I did some detective work here, stepping through all the versions from
> the old 4.9.4 database onwards, building them from source on an
> isolated system and doing ldapsearch against them. It is the change
> from 4.10.13 to 4.11.0 (or maybe in general from pre-4.11 to 4.11?)
> that breaks it; after that the onelevel scope is not applied correctly.
>
> Ldbsearch also returns wrong results when used with your commands (it
> took me a while to figure out that I needed "tls verify peer =
> no_check" and "ldap server require strong auth = no" to be able to run
> the query):
>
> samba-4.11.0$ /usr/local/samba/bin/ldbsearch -H ldaps://dc01 -s one -b
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin -Uusername
> Password for [XXX\username]:
> # record 1
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> samba-4.11.0$ sudo /usr/local/samba/bin/ldbsearch -H
> ldb:///usr/local/samba/private/sam.ldb -s one -b
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin -Uusername
> # record 1
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Also, it seems that I was wrong about ldbsearch directly against the
> backend DB working - it is simply because I forgot to use the "one"
> scope, which seems to be the culprit here:
>
> /usr/local/samba/private/sam.ldb.d# ldbsearch -H
> DC\=INTERNAL\,DC\=XXX\,DC\=YY.ldb -b
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> /usr/local/samba/private/sam.ldb.d# ldbsearch -H
> DC\=INTERNAL\,DC\=XXX\,DC\=YY.ldb -s one -b
> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
> # record 1
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> In order to test whether it happens on a joined DC or not, I need to
> spin off some isolated test VMs, so I'd have to come back on that in
> a few days.
>
> Regards,
> -P
This is where I differ from you: using your search command from your
original post (altered for my domain), I always get the expected result.
I have tested this on a few Samba versions, all of them from Louis's repo.
Rowland
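A way to verify the scope behaviour discussed in this thread, added here as an example (it is not code from the thread or from Samba): it takes the LDIF output of ldapsearch/ldbsearch and reports every entry whose parent DN is not the requested base, i.e. entries a `-s one` search should never return. The base DN and the sample output are constructed from the DNs quoted above; the hypothetical second record only exists to show an in-scope entry with an escaped comma.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, dropping backslash escapes
    and normalising whitespace and case (AD compares DNs case-insensitively)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char, e.g. '\,' in a CN
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns if r.strip()]

def parse_ldif_dns(ldif):
    """Collect the 'dn:' values from LDIF output (folded lines are unwrapped;
    base64 'dn::' lines are not handled and are skipped)."""
    ldif = ldif.replace("\n ", "")
    return re.findall(r"^dn: (.+)$", ldif, re.M)

def check_onelevel(base, ldif):
    """Return DNs that violate scope 'one' for base: an entry is in scope
    only if its parent (the DN minus its first RDN) equals the base."""
    base_rdns = split_dn(base)
    return [dn for dn in parse_ldif_dns(ldif) if split_dn(dn)[1:] != base_rdns]

BASE = "ou=business,dc=internal,dc=xxx,dc=yy"
# Constructed sample: record 1 is the out-of-scope entry from the thread,
# record 2 is a hypothetical direct child of the base (with an escaped comma).
SAMPLE = r"""# record 1
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
sAMAccountName: testadmin
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

# record 2
dn: CN=Admin\, Biz,OU=business,DC=internal,DC=xxx,DC=yy
sAMAccountName: bizadmin

# returned 2 records
"""

if __name__ == "__main__":
    for dn in check_onelevel(BASE, SAMPLE):
        print("outside onelevel scope:", dn)
```

Pipe real output into the script (e.g. `ldbsearch ... -s one -b "$BASE" | python3 check.py`, reading stdin instead of SAMPLE) to confirm whether a given Samba build honours the scope.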