[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
Rowland penny
rpenny at samba.org
Tue Mar 23 15:18:30 UTC 2021
On 23/03/2021 15:03, Flavio Stanchina via samba wrote:
> On 23/03/21 10:02, Rowland penny via samba wrote:
>> On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
>>> We're migrating a customer's network to Samba AD using Zentyal [...]
>>> ...but it appears that non-admin users can't access the memberOf
>>> attribute, which I understand is not a "real" attribute but is being
>>> synthesized on-the-fly from group memberships.
>>
>> this works for me against a Samba DC:
>>
>> ldapsearch -x -h dc4.samdom.example.com -D rowland at SAMDOM.EXAMPLE.COM
>> -W -b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf
>>
>> Though it doesn't work against my other DC, it needs stronger
>> authentication.
>
> Which is exactly my point. Are you sure "rowland" is not a Domain
> Admin on the first DC you tried? Or has some other privilege I'm not
> aware of, for that matter.
Good point and yes 'rowland' is a member of Domain Admins, so I tried
with another user that wasn't and it still works
>
> I thought I understood that any user should be able to read all
> attributes.
>
>> Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is
>> actually a linked attribute, it is linked with 'member'.
>
> Good to know. Yet, it doesn't work here :)
It looks like it could be something in your domain.
Rowland
More information about the samba
mailing list