[Samba] Group members via LDAP

Rowland Penny rpenny at samba.org
Wed Feb 8 18:52:54 UTC 2023



On 08/02/2023 18:36, Troels Arvin via samba wrote:
> Hello,
> 
> Rowland Penny wrote:
>> I don't use ldapsearch much (I use ldbsearch etc, easier to use with 
>> kerberos),
> 
> Actually, I'm not going to retrieve the data from ldapsearch, but in a 
> Rust or Python program, and I'm going to be searching from a different 
> server than the Samba server. I suppose that means I cannot make use of 
> ldbsearch, right?

Depends, if you can install it, you should be able to use it (as long as 
all the required dependencies are also installed).

> 
> Anyway, when searching with ldbsearch, it also leaves out a group 
> member, if the member has the group as the primary group.

If by 'primary group' you mean the user's primaryGroupID attribute has 
been changed from '513', then this is to be expected. Every user is 
usually a member of Domain Users, but that group doesn't have any 
'member' attributes (and the users do not have a memberof attribute).

> 
> 
> 
>> but don't you have to use a searchbase ?
>>
>> i.e, -b 'dc=mydom,dc=org'
> 
> The base DN is left out of the query, because I've defined it in 
> /etc/openldap/ldap.conf
> 
> [...]
> BASE DC=mydom,DC=org
> [...]
> 

Ah, never thought of that.

Trouble is, this works for myself on a DC:

SAMDOM\rowland at rpidc1:~ $ ldapsearch samaccountname='testgroup' member
SASL/GSS-SPNEGO authentication started
SASL username: rowland at SAMDOM.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=samdom,dc=example,dc=com> (default) with scope subtree
# filter: samaccountname=testgroup
# requesting: member
#

# testgroup, Users, samdom.example.com
dn: CN=testgroup,CN=Users,DC=samdom,DC=example,DC=com
member: CN=rowland,CN=Users,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# search result
search: 3
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

So I think we need more info:

What OS ?
What Samba version ?
The output of 'samba-tool testparm'

Rowland
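
The behaviour discussed above (a user whose primaryGroupID points at a group is not listed in that group's 'member' attribute), as an added Python example that is not part of the original message: it decodes the group's binary objectSid, takes the RID (the value primaryGroupID stores), and merges the 'member' values with the users whose primaryGroupID matches. The entries, the domain SID, RID 1105, the users alice and bob, and all function names are constructed for illustration; entries are assumed to arrive as dicts with objectSid as raw bytes.

```python
import struct

def parse_sid(raw: bytes):
    """Split a binary objectSid into (revision, authority, sub-authorities)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return raw[0], authority, subs

def sid_to_str(raw: bytes) -> str:
    rev, authority, subs = parse_sid(raw)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def rid_of(raw: bytes) -> int:
    """The RID is the last sub-authority; primaryGroupID stores this number."""
    subs = parse_sid(raw)[2]
    if not subs:
        raise ValueError("SID has no sub-authorities")
    return subs[-1]

def effective_members(group: dict, users: list) -> list:
    """'member' values plus users whose primaryGroupID equals the group's RID."""
    rid = rid_of(group["objectSid"])
    found = set(group.get("member", []))
    found.update(u["dn"] for u in users if int(u["primaryGroupID"]) == rid)
    return sorted(found)

# Constructed sample data; the domain SID and RID 1105 are made up.
def make_sid(rid: int) -> bytes:
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
        "<5I", 21, 1111111111, 2222222222, 3333333333, rid)

BASE = "CN=Users,DC=samdom,DC=example,DC=com"
GROUP = {"dn": "CN=testgroup," + BASE, "objectSid": make_sid(1105),
         "member": ["CN=rowland," + BASE]}
USERS = [  # on a live directory: filter (&(objectClass=user)(primaryGroupID=1105))
    {"dn": "CN=rowland," + BASE, "primaryGroupID": "513"},
    {"dn": "CN=alice," + BASE, "primaryGroupID": "1105"},  # primary group = testgroup
    {"dn": "CN=bob," + BASE, "primaryGroupID": "513"},
]

if __name__ == "__main__":
    print(sid_to_str(GROUP["objectSid"]))
    for dn in effective_members(GROUP, USERS):
        print(dn)
```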
