[Samba] Ldapsearch against Samba AD returns records outside the search base
Palle Kuling
ltm at mnwa.net
Fri Jan 31 13:50:17 UTC 2020
Hi,
I noticed the following problem with records returned outside the search
base when the query is run against a Samba DC, but when the same query
is run against a Windows 2008 or 2012 DC it does not happen. I'm pretty
sure it worked correctly in the past. I updated from Samba 4.9.4 to
4.11.4 in December, but I noticed it only today, and I no longer have a
backup of the old installation to verify. I tried building versions
4.11.5 and 4.11.6 against the same database, but they all behave in the
same way. Am I missing some config option, or is it a bug? These kinds
of queries are used to check if an account exists in a certain OU, so I
would not want the DCs to behave differently for the same query.
This is how it looks when I run a query (I redacted the domain and
account names a bit):
ldapsearch -D username@internal.xxx.yy -w password -H ldaps://<samba DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#
# Test Admin, Test, internal.xxx.yy
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test Admin
<snip>
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I would want results only from OU=Business, but the response comes from
OU=Test. If I run the same query against one of the Windows DCs, they
return the answer I want (=no record):
ldapsearch -D username@internal.xxx.yy -w password -H ldaps://<windows DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=iceye,dc=fi> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
If the search base is replaced with -b ou=test,dc=internal,dc=xxx,dc=yy,
both Samba and Windows return the same answer record. An ldapcmp between
the Samba and Windows DCs shows no other differences than the Windows
DCs sometimes having more attributes listed (like WHENCREATED and
INSTANCETYPE), but it was always like this. Also samba-tool drs showrepl
shows no errors, so all DCs should have the same data.
Regards,
-P
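The post uses a oneLevel search under OU=Business as an "is this account in that OU?" check, and the Samba DC answers with an entry from OU=Test. Whatever the server does, a caller that makes access decisions on such a query should not trust the server's scope enforcement and should verify that every returned DN is actually a direct child of the search base. The following is an added example, not code from the post or from the Samba project: it parses ldapsearch LDIF output, extracts the entry DNs, and flags any that fall outside the requested base and scope. The two LDIF samples are constructed copies of the Samba and Windows answers shown above (attributes snipped); the script name scopecheck.py in the usage comment is hypothetical.

```python
"""Client-side scope check for ldapsearch results (added example).

Given ldapsearch LDIF output, the search base and the scope that was
requested, report every returned entry whose DN does not lie within the
base at that scope. A non-empty result means the server returned records
outside the search base, as the Samba DC does in the post above.
"""
import base64
from typing import List

# Constructed sample: the Samba DC's answer from the post (attributes snipped).
SAMBA_RESPONSE = """\
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin
#
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: user
cn: Test Admin

# search result
search: 2
result: 0 Success
"""

# Constructed sample: the Windows DC's answer (no entries at all).
WINDOWS_RESPONSE = """\
# extended LDIF
#
# search result
search: 2
result: 0 Success
"""

BASE_DN = "ou=business,dc=internal,dc=xxx,dc=yy"


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas and normalise each
    RDN (strip, lower-case) for comparison. Backslash escape pairs such
    as '\\,' are kept together, so 'CN=Admin\\, Test' stays one RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return [r.strip().lower() for r in rdns if r.strip()]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn lies within base_dn at the given ldapsearch scope
    ('base', 'one' or 'sub'), judged purely by DN ancestry."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def dns_from_ldif(ldif_text: str) -> List[str]:
    """Pull the DN of every entry out of ldapsearch LDIF output, unfolding
    continuation lines and decoding base64 'dn::' values."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:    # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def out_of_scope(ldif_text: str, base_dn: str, scope: str) -> List[str]:
    """DNs in the LDIF that the server should not have returned for this
    base and scope. An empty list means the result can be trusted."""
    return [dn for dn in dns_from_ldif(ldif_text)
            if not in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    # Real use would be: ldapsearch ... | python3 scopecheck.py, feeding
    # sys.stdin.read() to out_of_scope(); here the constructed samples
    # stand in for the two DCs' answers.
    for name, ldif in (("samba", SAMBA_RESPONSE), ("windows", WINDOWS_RESPONSE)):
        bad = out_of_scope(ldif, BASE_DN, "one")
        print(f"{name}: {len(bad)} entries outside the search base: {bad}")
```

The comparison is done on normalised RDN strings rather than with a full RFC 4514 parser, which is enough for the AD-style DNs in the post; for the "does the account exist in this OU?" decision the point is that the client checks DN ancestry itself instead of relying on the DC to honour the oneLevel scope.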