[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
Flavio Stanchina
flavio at stanchina.net
Mon Mar 22 23:29:31 UTC 2021
We're migrating a customer's network to Samba AD using Zentyal and we're
reconfiguring several services to use AD for authentication.
We've created a dedicated, unprivileged user for each service to bind to
AD, but we're having some problems with grouping. We'd like to use filters
like this to limit access:
memberOf=CN=VPN Users,CN=Groups,DC=domain
...but it appears that non-admin users can't access the memberOf attribute,
which I understand is not a "real" attribute but is being synthesized
on-the-fly from group memberships.
An LDAP query like this won't return memberOf (without erroring out) if the
user is not a Domain Admin:
ldapsearch -h dc1.domain -D user@domain -W \
-b 'cn=Users,dc=domain' \
sAMAccountName memberOf
I tried this against a Windows DC and it works as expected (Win 2016 if it
matters, but I'm pretty sure I had it working on other versions).
Is this expected?
Is there a way to set ACLs or other permissions on the LDAP attributes? I
tried all the searches I could think of on this subject, but couldn't find
anything.
Should I try with a fresh and clean Samba installation instead of Zentyal?
Would official Debian "buster" Samba packages be any good?
Sorry for the many questions and fragmentary data, but this isn't something I
do often and I wasn't expecting this particular problem. Any additional
info you need to help me, just ask.
--
Flavio
Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer
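The following is an added example, not part of the original post and not Samba or Zentyal code. It models the situation described above with a constructed in-memory directory (a service account that can read a user's entry but gets no memberOf values back) and shows two things a service developer would want: how to escape the group DN when building the "(memberOf=...)" filter so that names with special characters cannot break or alter the filter, and how a membership decision made from the user's memberOf silently fails when the attribute is not returned, whereas reading the group object's stored member attribute still works with the same bind account. The group DN, user DNs and the simplified DN normalization are assumptions for illustration.

```python
"""Group-membership checks for an LDAP-authenticated service.

Constructed example: models the post's scenario (a service account that
can read a user's entry but does not receive the synthesized memberOf
attribute) and compares two ways of deciding membership.
"""

# Assumed group DN, taken from the filter quoted in the post.
GROUP_DN = "CN=VPN Users,CN=Groups,DC=domain"

# Constructed sample directory: DN -> attributes, as a service account
# might see them. alice's entry carries no memberOf, as in the post.
DIRECTORY = {
    "CN=alice,CN=Users,DC=domain": {"sAMAccountName": ["alice"]},
    "CN=bob,CN=Users,DC=domain": {"sAMAccountName": ["bob"]},
    GROUP_DN: {"member": ["CN=alice,CN=Users,DC=domain"]},
}


def ldap_filter_escape(value: str) -> str:
    """Escape a string for inclusion in an LDAP search filter (RFC 4515).

    Without this, a group name containing '*', '(' or ')' (or a value taken
    from configuration or user input) could change the filter's meaning.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()":
            escaped.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            escaped.append("\\00")
        else:
            escaped.append(ch)
    return "".join(escaped)


def member_of_filter(group_dn: str) -> str:
    """Build the '(memberOf=<dn>)' filter from the post with the DN escaped."""
    return "(memberOf=%s)" % ldap_filter_escape(group_dn)


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: case-fold and trim spaces around commas.

    Assumption: good enough for DNs written in the consistent form a DC
    returns; full RFC 4517 DN matching is more involved.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member_via_memberof(entry: dict, group_dn: str) -> bool:
    """Decide membership from the user's memberOf values.

    If memberOf is absent from the entry (not returned to the bind account),
    this quietly evaluates to False: the user is denied even though the DC
    did not report an error, which is the failure mode the post describes.
    """
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in entry.get("memberOf", []))


def is_member_via_group(directory: dict, group_dn: str, user_dn: str) -> bool:
    """Decide membership from the group object's stored 'member' attribute.

    This reads the group entry itself rather than relying on the
    synthesized memberOf attribute being returned on the user's entry, and
    raises instead of silently denying when the group cannot be found.
    """
    group = directory.get(group_dn)
    if group is None:
        raise LookupError("group not found: %s" % group_dn)
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))


if __name__ == "__main__":
    alice = "CN=alice,CN=Users,DC=domain"
    print("filter:", member_of_filter(GROUP_DN))
    print("via memberOf:", is_member_via_memberof(DIRECTORY[alice], GROUP_DN))
    print("via group member:", is_member_via_group(DIRECTORY, GROUP_DN, alice))
```

Run as a script, the memberOf-based check reports alice as not a member while the group-side check reports her as a member, which illustrates why a service should not treat a missing memberOf as "not in the group" without first confirming that the bind account can actually read that attribute.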