[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?

Flavio Stanchina flavio at stanchina.net
Mon Mar 22 23:29:31 UTC 2021

We're migrating a customer's network to Samba AD using Zentyal and we're 
reconfiguring several services to use AD for authentication.

We've created a dedicated, unprivileged user for each service to bind to 
AD, but we're having some problems with grouping. We'd like to use filters 
like this to limit access:
memberOf=CN=VPN Users,CN=Groups,DC=domain

...but it appears that non-admin users can't access the memberOf attribute, 
which I understand is not a "real" attribute but is being synthesized 
on-the-fly from group memberships.

A LDAP query like this won't return memberOf (without erroring out) if the 
user is not a Domain Admin:
ldapsearch -h dc1.domain -D user at domain -W \
   -b 'cn=Users,dc=domain' \
   sAMAccountName memberOf

I tried this against a Windows DC and it works as expected (Win 2016 if it 
matters, but I'm pretty sure I had it working on other versions).

Is this expected?

Is there a way to set ACLs or other permissions on the LDAP attributes? I 
tried all the searches I could think of on this subject, but couldn't find 

Should I try with a fresh and clean Samba installation instead of Zentyal? 
Would official Debian "buster" Samba packages be any good?

Sorry for many questions and fragmentary data, but this isn't something I 
do often and I wasn't expecting this particular problem. Any additional 
info you need to help me, just ask.


Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer

More information about the samba mailing list