[Samba] Elements missing in LDAP for some users

Rowland Penny rpenny at samba.org
Wed Jan 19 11:56:22 UTC 2022

On Wed, 2022-01-19 at 12:32 +0100, Victor Rodriguez via samba wrote:
> Hello,
> At last I've been able to retake this issue. I have restored the 2003
> SBS server in an independent network and done some investigation:
> - adsiedit.msc shows all attributes for all users, including
> userAccountControl and pwdLastSet as expected. Also, many have
> uidNumber and gidNumber set, which is ok.
> - Still, ldbsearch does not show all attributes for some users when
> used via LDAP like this:
> ldbsearch -H ldap://dc1.domain.com -b "DC=domain,DC=com" -P -s sub "(sAMAccountName=USERNAME)"
> - BUT, ldbsearch does show all attributes for all users (as adsiedit.msc
> does) when not using LDAP but the SAM file like this:
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=domain,DC=com" -P -s sub "(sAMAccountName=USERNAME)"
> So the attributes are there and Samba did replicate them from the old
> Windows2003 SBS when I migrated the domain, but somehow ldapsearch is
> not able to show or find them when using LDAP.
> What could cause this behavior of ldbsearch?

It is probably permissions. It looks like the machine account doesn't
have the required permissions to see the missing attributes over the
wire, but when accessed directly, they can be seen. Note that you do
not need '-P' when accessing sam.ldb directly.
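One way to pin down exactly which attributes the ACLs hide on the wire, as an added example that is not part of this thread: save the two ldbsearch outputs described above (the LDAP one and the direct sam.ldb one) and diff the attribute names per entry with a small LDIF parser. The sample LDIF below is constructed; the DN, account name and values are placeholders, not data from the post.

```python
import base64
def parse_ldif(text):
    """ldbsearch LDIF output -> {dn: {attribute: [values]}}: unfolds continuation
    lines, decodes 'attr:: base64', skips '#' comments, drops ';range=' options."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.split(";", 1)[0]
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries

def attrs_missing_over_ldap(ldap_ldif, sam_ldif):
    """Per DN in both outputs: attributes the sam.ldb read returns but LDAP omits."""
    ldap_view, sam_view = parse_ldif(ldap_ldif), parse_ldif(sam_ldif)
    return {dn: set(attrs) - set(ldap_view[dn]) for dn, attrs in sam_view.items()
            if dn in ldap_view and set(attrs) - set(ldap_view[dn])}
# Constructed sample output (not from the post): the user over LDAP, then from sam.ldb.
LDAP_SAMPLE = """\
dn: CN=Example User,CN=Users,DC=domain,DC=com
sAMAccountName: USERNAME
description:: RXhhbXBsZSB1c2Vy
"""
SAM_SAMPLE = LDAP_SAMPLE + """\
userAccountControl: 512
pwdLastSet: 132856473110000000
uidNumber: 10001
gidNumber: 10000
"""
```

With real data, redirect each ldbsearch run to a file and pass the two file contents to attrs_missing_over_ldap; any attribute it reports is one the bound account is not permitted to read over LDAP, so the fix is on the ACL side, not in replication.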
