[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
Rowland penny
rpenny at samba.org
Tue Mar 23 09:02:17 UTC 2021
On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
> We're migrating a customer's network to Samba AD using Zentyal and
> we're reconfiguring several services to use AD for authentication.
>
> We've created a dedicated, unprivileged user for each service to bind
> to AD, but we're having some problems with grouping. We'd like to use
> filters like this to limit access:
> memberOf=CN=VPN Users,CN=Groups,DC=domain
>
> ...but it appears that non-admin users can't access the memberOf
> attribute, which I understand is not a "real" attribute but is being
> synthesized on-the-fly from group memberships.
>
> An LDAP query like this won't return memberOf (without erroring out) if
> the user is not a Domain Admin:
> ldapsearch -h dc1.domain -D user@domain -W \
> -b 'cn=Users,dc=domain' \
> sAMAccountName memberOf
>
> I tried this against a Windows DC and it works as expected (Win 2016
> if it matters, but I'm pretty sure I had it working on other versions).
>
> Is this expected?
>
> Is there a way to set ACLs or other permissions on the LDAP
> attributes? I tried all the searches I could think of on this subject,
> but couldn't find anything.
>
> Should I try with a fresh and clean Samba installation instead of
> Zentyal? Would official Debian "buster" Samba packages be any good?
>
> Sorry for many questions and fragmentary data, but this isn't
> something I do often and I wasn't expecting this particular problem.
> Any additional info you need to help me, just ask.
>
this works for me against a Samba DC:
ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W \
-b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf
Though it doesn't work against my other DC, it needs stronger
authentication.
Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is
actually a linked attribute, it is linked with 'member'.
Rowland
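Added example, not part of the thread and not Samba's code: Rowland's point is that memberOf is the back-link of the group's member attribute. The script below models that relationship over a constructed set of directory entries (the DNs, group names and users are made up) to show two things a service integrator can rely on: memberOf for a user is exactly the set of groups whose member attribute lists that user's DN, and a service whose bind account cannot read memberOf can still test membership by reading the group and matching on member, or by searching with a filter of the form (&(objectClass=group)(member=<user DN>)). The escape_filter_value helper is the RFC 4515 escaping such a filter value needs; the DN normalisation is a deliberate simplification (lower-case, whitespace stripped between RDNs) and not a full DN parser.

```python
"""Added example (not from the thread): how memberOf relates to member.

In AD-style directories 'member' is the forward link stored on the group
object and 'memberOf' is the back-link derived from it. Entries, DNs and
names below are constructed sample data, not anything from a real domain.
"""
from collections import defaultdict

# Constructed sample directory: groups carry the forward link 'member'.
SAMPLE_ENTRIES = {
    "CN=VPN Users,CN=Groups,DC=domain": {
        "objectClass": ["top", "group"],
        "member": ["CN=alice,CN=Users,DC=domain", "CN=bob,CN=Users,DC=domain"],
    },
    "CN=Admins,CN=Groups,DC=domain": {
        "objectClass": ["top", "group"],
        "member": ["CN=alice,CN=Users,DC=domain"],
    },
    "CN=alice,CN=Users,DC=domain": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,CN=Users,DC=domain": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=carol,CN=Users,DC=domain": {"objectClass": ["user"], "sAMAccountName": ["carol"]},
}


def normalize_dn(dn):
    """Simplified DN normalisation for comparison (assumption: plain RDNs,
    no escaped commas). DN matching in LDAP is case-insensitive."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def build_member_of(entries):
    """Derive the memberOf back-link for every DN from the groups' member values.

    Returns {normalised user DN: set of group DNs}, i.e. what the server
    would hand back as memberOf if the reader were allowed to see it."""
    back = defaultdict(set)
    for group_dn, attrs in entries.items():
        if "group" not in attrs.get("objectClass", []):
            continue
        for member_dn in attrs.get("member", []):
            back[normalize_dn(member_dn)].add(group_dn)
    return back


def is_member(entries, user_dn, group_dn):
    """Membership check that needs no memberOf read at all: it only looks at
    the group entry's forward link 'member'."""
    group = entries.get(group_dn, {})
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    backslash, asterisk, parentheses and NUL become \\XX hex sequences."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_member_filter(user_dn):
    """Filter a service can send instead of reading memberOf on the user:
    it asks for every group whose member attribute contains the user's DN."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


if __name__ == "__main__":
    back_links = build_member_of(SAMPLE_ENTRIES)
    for user in ("alice", "bob", "carol"):
        dn = "CN=%s,CN=Users,DC=domain" % user
        print(dn, "memberOf:", sorted(back_links.get(normalize_dn(dn), ())))
        print("  in VPN Users:", is_member(SAMPLE_ENTRIES, dn, "CN=VPN Users,CN=Groups,DC=domain"))
        print("  filter:", group_member_filter(dn))
```

The second approach is worth knowing when a locked-down bind account cannot read memberOf but can read group objects. Separately, on the authentication side: a Samba DC with ldap server require strong auth = yes (the default) rejects a simple bind over an unencrypted LDAP connection, which is one reason a plain -x bind can work against one DC and fail against another; binding with -Y GSSAPI (Kerberos) or over LDAPS/StartTLS avoids that.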