[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?

Rowland penny rpenny at samba.org
Tue Mar 23 15:18:30 UTC 2021

On 23/03/2021 15:03, Flavio Stanchina via samba wrote:
> On 23/03/21 10:02, Rowland penny via samba wrote:
>> On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
>>> We're migrating a customer's network to Samba AD using Zentyal [...]
>>> ...but it appears that non-admin users can't access the memberOf 
>>> attribute, which I understand is not a "real" attribute but is being 
>>> synthesized on-the-fly from group memberships.
>> This works for me against a Samba DC:
>> ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W -b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf
>> Though it doesn't work against my other DC, it needs stronger 
>> authentication.
> Which is exactly my point. Are you sure "rowland" is not a Domain 
> Admin on the first DC you tried? Or has some other privilege I'm not 
> aware of, for that matter.

Good point, and yes, 'rowland' is a member of Domain Admins, so I tried 
with another user that wasn't and it still works.

> I thought I understood that any user should be able to read all 
> attributes.
>> Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is 
>> actually a linked attribute, it is linked with 'member'.
> Good to know. Yet, it doesn't work here :)

It looks like it could be something in your domain.

