[Samba] Ldapsearch against Samba AD returns records outside the search base

Palle Kuling ltm at mnwa.net
Thu Feb 6 14:21:12 UTC 2020


Hello,

I did a git bisect between 4.10.0rc1 and 4.11.0. The result is as 
follows:
b6b5b5fe355fee2a4096e9214831cb88c7a2a4c6 is the first bad commit
Date:   Wed Mar 6 15:28:45 2019 +1300

     lib ldb key value: fix index buffering

Is there anything else I should check?

Regards,
-P

On 2020-02-04 00:08, Andrew Bartlett via samba wrote:
> On Mon, 2020-02-03 at 18:17 +0200, Palle Kuling via samba wrote:
>> Hello,
>> 
>> I did some detective work here, stepping through all the versions from
>> the old 4.9.4 database onwards, building them from source on an isolated
>> system and doing ldapsearch against them. It is the change from 4.10.13
>> to 4.11.0 (or maybe in general from pre-4.11 to 4.11?) that breaks it;
>> after that the onelevel scope is not applied correctly.
> 
> Thanks.  That is where I would expect the issue to have come up.  We
> did some pretty big changes to LDB and LDAP server during that
> period.
> 
> If you have the time, moving to git bisect as the tool and running
> between samba-4.10.0rc1 and samba-4.11.0 would be awesome.
> 
>> Ldbsearch also returns wrong results when used with your commands
> 
> Great, that rules out some odd client-specific (eg ASN.1 parsing)
> issues and makes it a little easier for me to test.
> 
>> 
>> samba-4.11.0$ sudo /usr/local/samba/bin/ldbsearch -H
>> ldb:///usr/local/samba/private/sam.ldb -s one -b
>> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
>> -Uusername
>> # record 1
>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>> <snip>
>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>> 
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> 
>> 
>> Also, it seems that I was wrong about ldbsearch directly against the
>> backend DB working - it is simply because I forgot to use the "one"
>> scope, which seems to be the culprit here:
>> 
>> /usr/local/samba/private/sam.ldb.d# ldbsearch -H
>> DC\=INTERNAL\,DC\=XXX\,DC\=YY.ldb -b
>> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
>> # returned 0 records
>> # 0 entries
>> # 0 referrals
>> 
>> /usr/local/samba/private/sam.ldb.d# ldbsearch -H
>> DC\=INTERNAL\,DC\=XXX\,DC\=YY.ldb -s one -b
>> ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
>> # record 1
>> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>> <snip>
>> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> 
> Very interesting.  This does help narrow things down.
> 
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> 
>> In order to test whether it happens on a joined DC or not, I need to
>> spin off some isolated test VMs, so I'd have to come back on that in a
>> few days.
> 
> Thank you so much!
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
> https://catalyst.net.nz/services/samba
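
Added example, not part of the original thread or of Samba's code: a Python check that reads LDIF output such as the ldbsearch results quoted above and reports every returned DN that does not satisfy the requested search base and scope. The function names and the second sample record are constructed for illustration, and DN comparison is assumed to be case-insensitive.

```python
import base64
import re

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash escapes."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # keep the escaped pair together
            i += 1
        elif dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    # Assumption: case-insensitive comparison, as for typical AD naming attributes.
    return [re.sub(r"\s*=\s*", "=", r.strip(), count=1).lower() for r in rdns]

def in_scope(dn, base, scope):
    """True if dn satisfies an LDAP base/one/sub scope relative to base."""
    d, b = split_dn(dn), split_dn(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError("unknown scope: " + scope)

def result_dns(ldif):
    """Yield entry DNs from LDIF text, unfolding continuation lines."""
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def out_of_scope(ldif, base, scope):
    """Return the result DNs that violate the requested base and scope."""
    return [dn for dn in result_dns(ldif) if not in_scope(dn, base, scope)]

BASE = "ou=business,dc=internal,dc=xxx,dc=yy"
# First record is the one quoted in the thread; the second is constructed.
SAMPLE = """dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

dn: CN=Some User,OU=Business,DC=internal,DC=xxx,DC=yy
"""
```

Calling `out_of_scope(SAMPLE, BASE, "one")` returns only the `OU=Test` record, which is the entry the one-level search in the thread should not have returned.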


