[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
Flavio Stanchina
flavio at stanchina.net
Tue Mar 23 15:03:46 UTC 2021
On 23/03/21 10:02, Rowland penny via samba wrote:
> On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
>> We're migrating a customer's network to Samba AD using Zentyal [...]
>> ...but it appears that non-admin users can't access the memberOf
>> attribute, which I understand is not a "real" attribute but is being
>> synthesized on-the-fly from group memberships.
>
> this works for me against a Samba DC:
>
> ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W -b
> 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf
>
> Though it doesn't work against my other DC, it needs stronger authentication.

Which is exactly my point. Are you sure "rowland" is not a Domain Admin on
the first DC you tried? Or has some other privilege I'm not aware of, for
that matter.

I thought I understood that any user should be able to read all attributes.

> Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is
> actually a linked attribute, it is linked with 'member'.

Good to know. Yet, it doesn't work here :)

--
Ciao, Flavio
Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer