[Samba] Ldapsearch against Samba AD returns records outside the search base

Rowland penny rpenny at samba.org
Fri Jan 31 15:08:14 UTC 2020


On 31/01/2020 13:50, Palle Kuling via samba wrote:
> Hi,
>
> I noticed the following problem with records returned outside the 
> search base when the query is run against a Samba DC, but when the 
> same query is run against a Windows 2008 or 2012 DC it does not 
> happen. I'm pretty sure it worked correctly in the past. I updated 
> from Samba 4.9.4 to 4.11.4 in December, but I noticed it only today, 
> and I no longer have a backup of the old installation to verify. I 
> tried building versions 4.11.5 and 4.11.6 against the same database, 
> but they all behave in the same way. Am I missing some config option, 
> or is it a bug? These kinds of queries are used to check if an account 
> exists in a certain OU, so I would not want the DC:s to behave 
> differently for the same query.
>
> This is how it looks when I run a query (I redacted the domain and 
> account names a bit):
>
> ldapsearch -D username at internal.xxx.yy -w password -H ldaps://<samba 
> DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
> samaccountname=testadmin
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> # filter: samaccountname=testadmin
> # requesting: ALL
> #
>
> # Test Admin, Test, internal.xxx.yy
> dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Test Admin
> <snip>
> distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> I would want results only from OU=Business, but the response comes 
> from OU=Test. If I run the same query against one of the Windows DC:s, 
> they return the answer I want (=no record):
>
> ldapsearch -D username at internal.xxx.yy -w password -H ldaps://<windows 
> DC> -s one -b ou=business,dc=internal,dc=xxx,dc=yy 
> samaccountname=testadmin
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=iceye,dc=fi> with scope oneLevel
> # filter: samaccountname=testadmin
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> If the search base is replaced with -b 
> ou=test,dc=internal,dc=xxx,dc=yy, both Samba and Windows return the 
> same answer record. An ldapcmp between the Samba and Windows DC:s show 
> no other differences than the Windows DC:s sometimes having more 
> attributes listed (like WHENCREATED and INSTANCETYPE), but it was 
> always like this. Also samba-tool drs showrepl shows no errors, so all 
> DC:s should have the same data.
>
> Regards,
> -P
>
The problem is, if you are searching on 'sAMAccountName', then you need to 
search the entire directory; they must be unique.

Not saying that your search isn't returning the wrong result, just that 
you are doing an incorrect search. Also, does ldbsearch return a wrong 
result? If it doesn't, then it is an ldapsearch problem.

Rowland
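As an added example (not part of the thread, and not Samba's or ldapsearch's own code): a small Python script that reads the LDIF that ldapsearch prints, pulls the base and scope from the `# base <...> with scope ...` header, and reports every returned entry whose DN does not sit inside that base at that scope. This is the check the original post was doing by eye, automated so it can run against saved output from several DCs and flag the one that disagrees. The LDIF below is constructed from the redacted Samba output quoted above; the function names (`split_dn`, `in_scope`, `out_of_scope_entries`) are my own.

```python
"""Verify that entries in an ldapsearch LDIF result lie within the requested
search base and scope.  Added example, not code from the mailing-list thread.
The sample LDIF is constructed from the redacted output quoted in the post."""
import base64
import re

# Constructed sample: the Samba answer from the post, with scope oneLevel
# under ou=business, yet the entry returned lives under OU=Test.
LDIF_SAMBA = """\
# extended LDIF
#
# LDAPv3
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin
# requesting: ALL
#

# Test Admin, Test, internal.xxx.yy
dn: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy
objectClass: top
objectClass: user
cn: Test Admin
distinguishedName: CN=Test Admin,OU=Test,DC=internal,DC=xxx,DC=yy

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# ldapsearch prints the scope with these names; map them to -s style values.
SCOPE_NAMES = {"baseObject": "base", "base": "base",
               "oneLevel": "one", "one": "one",
               "subtree": "sub", "sub": "sub"}


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas, and
    lower-case them: attribute types are case-insensitive and AD treats the
    values in these DNs case-insensitively as well."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair, skip its comma
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r.lower() for r in rdns]


def in_scope(dn, base, scope):
    """True if `dn` is a legal result for a search with this base and scope."""
    d, b = split_dn(dn), split_dn(base)
    if scope == "base":
        return d == b
    if scope == "one":                      # exactly one RDN below the base
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":                      # base itself or anything beneath it
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError("unknown scope %r" % scope)


def unfold(text):
    """Join LDIF continuation lines (a leading space) back onto their line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_result(text):
    """Return (base, scope, [dn, ...]) from ldapsearch's extended LDIF."""
    base = scope = None
    dns = []
    for line in unfold(text):
        m = re.match(r"# base <(.*)> with scope (\w+)", line)
        if m:
            base, scope = m.group(1), SCOPE_NAMES[m.group(2)]
        elif line.startswith("dn:"):
            value = line[3:].strip()
            if value.startswith(":"):       # 'dn:: <base64>' for non-ASCII DNs
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            dns.append(value)
    return base, scope, dns


def out_of_scope_entries(text):
    """DNs in the result that the server should not have returned."""
    base, scope, dns = parse_result(text)
    return [dn for dn in dns if not in_scope(dn, base, scope)]


if __name__ == "__main__":
    bad = out_of_scope_entries(LDIF_SAMBA)
    for dn in bad:
        print("OUT OF SCOPE:", dn)
    print("%d entr%s outside the search base" % (len(bad), "y" if len(bad) == 1 else "ies"))
```

Run it on output captured from each DC (`ldapsearch ... > samba.ldif`) and any DC that lists an out-of-scope entry is the one whose scope handling disagrees with the others; a clean list from every DC means the query really did match nothing outside the base.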
