[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?

Flavio Stanchina flavio at stanchina.net
Tue Mar 23 15:03:46 UTC 2021

On 23/03/21 10:02, Rowland penny via samba wrote:
> On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
>> We're migrating a customer's network to Samba AD using Zentyal [...]
>> ...but it appears that non-admin users can't access the memberOf 
>> attribute, which I understand is not a "real" attribute but is being 
>> synthesized on-the-fly from group memberships.
> this works for me against a Samba DC:
> ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W -b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf
> Though it doesn't work against my other DC, it needs stronger authentication.

Which is exactly my point. Are you sure "rowland" is not a Domain Admin on 
the first DC you tried? Or has some other privilege I'm not aware of, for 
that matter.

I thought I understood that any user should be able to read all attributes.

> Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is 
> actually a linked attribute, it is linked with 'member'.

Good to know. Yet, it doesn't work here :)

Ciao, Flavio

Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer
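The point made in the quoted reply, that memberOf is a back-link maintained from the forward link member on the group objects, is easy to see in a small model. The following Python is an added illustration, not code from the Samba project or from either poster. The directory, the DNs and the user names are constructed; the function names are assumptions. It derives memberOf from member, walks nested groups (which memberOf alone does not do), and shows that a reader who cannot see memberOf on a user can still establish the same direct memberships by reading member on the groups.

```python
"""Model of AD/Samba linked attributes: 'member' (forward link) on groups
and 'memberOf' (back-link) on users and groups.

Added example, not Samba code. DIRECTORY is a constructed toy directory;
all DNs and names are made up for illustration.
"""
from typing import Dict, List, Set

FLAVIO = "CN=Flavio,CN=Users,DC=example,DC=com"   # constructed
ROWLAND = "CN=Rowland,CN=Users,DC=example,DC=com"  # constructed
STAFF = "CN=Staff,CN=Users,DC=example,DC=com"      # constructed
VPN = "CN=VPN Users,CN=Users,DC=example,DC=com"    # constructed

# Only the forward link 'member' is stored; memberOf is derived from it,
# just as a DC maintains it as a back-link rather than as independent data.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    FLAVIO: {"objectClass": ["user"]},
    ROWLAND: {"objectClass": ["user"]},
    STAFF: {"objectClass": ["group"], "member": [FLAVIO]},
    VPN: {"objectClass": ["group"], "member": [STAFF, ROWLAND]},
}


def build_backlinks(directory: Dict[str, Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Invert every 'member' link: target DN -> set of group DNs linking to it."""
    backlinks: Dict[str, Set[str]] = {dn: set() for dn in directory}
    for group_dn, attrs in directory.items():
        for target in attrs.get("member", []):
            backlinks.setdefault(target, set()).add(group_dn)
    return backlinks


def member_of(directory, dn: str) -> List[str]:
    """Direct memberOf for 'dn': exactly the inverse of 'member', sorted for stability."""
    return sorted(build_backlinks(directory).get(dn, set()))


def groups_via_forward_search(directory, dn: str) -> List[str]:
    """What a reader without access to memberOf can still do: search the groups
    for (member=<dn>), i.e. read the forward link instead of the back-link."""
    return sorted(
        group_dn
        for group_dn, attrs in directory.items()
        if "group" in attrs.get("objectClass", []) and dn in attrs.get("member", [])
    )


def transitive_member_of(directory, dn: str) -> List[str]:
    """Follow back-links through nested groups. memberOf only lists direct
    memberships, so effective group membership needs this walk (a real DC
    offers the same via the LDAP_MATCHING_RULE_IN_CHAIN filter extension)."""
    backlinks = build_backlinks(directory)
    seen: Set[str] = set()
    stack = [dn]
    while stack:
        for group in backlinks.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return sorted(seen)


if __name__ == "__main__":
    for who in (FLAVIO, ROWLAND, STAFF):
        print(who)
        print("  memberOf (direct):   ", member_of(DIRECTORY, who))
        print("  via (member=dn):     ", groups_via_forward_search(DIRECTORY, who))
        print("  memberOf (nested):   ", transitive_member_of(DIRECTORY, who))
```

The two direct listings always agree, which is the practical consequence of the attributes being linked: when a bind that is not strong enough (or an ACL) keeps memberOf out of a user's entry, auditing membership from the group side gives the same answer. With OpenLDAP's ldapsearch, a DC that insists on stronger authentication is normally satisfied by `-ZZ` (STARTTLS), an `ldaps://` URI with `-H`, or `-Y GSSAPI` with a Kerberos ticket instead of the simple `-x` bind shown in the quoted command.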

