[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Kees van Vloten keesvanvloten at gmail.com
Mon Nov 6 14:32:30 UTC 2023


On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> Thank you Kees.
>
> On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
> <samba at lists.samba.org> wrote:
>> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
>> not experience any issues with nested group lookups, which many of the
>> filters rely on.
> Interestingly, I've now found that (on my current DCs, running
> 4.18.5), ldbsearch *does* seem to return the expected result, but the
> same query via ldapsearch does not.
>
> dc2$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb \
>   "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))" \
>   samAccountName
> # Record 1
> [...]
> # record 39
> dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
> sAMAccountName: auser
>
> # Referral
> [...]
> # returned 42 records
> # 39 entries
> # 3 referrals
>
>
> whereas no results are returned for the same query run via ldapsearch,
> even running the search as the domain administrator.
>
> dc2$ ldapsearch -H ldaps://dc2.mydomain.org -x -W -D Administrator@mydomain \
>   -b "dc=mydomain,dc=org" \
>   "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))" \
>   samAccountName
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=mydomain,dc=org> with scope subtree
> # filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> # requesting: samAccountName
> #
>
> # search reference
> [...]
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numReferences: 3

What if you try to use STARTTLS instead of ldaps?

ldapsearch -H ldap://dc2.mydomain.org -ZZ -x -W -D Administrator@mydomain \
  -b "dc=mydomain,dc=org" \
  "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"

>> And although the script uses ldbsearch locally on the DC, many
>> applications use similar queries over the wire.
>>
>> If it does not show the desired output for you, it may be worth looking
>> at configuration differences, because I had and have no issues
>> whatsoever with this functionality.
> Thanks, it's good to know that it does work for others, at least.
> There is undoubtedly something about my configuration that is
> different from others; I don't know if it's having members of groups
> from different OUs across the domain, or perhaps permissions that have
> been set over the years delegating ownership of different OUs, etc..
> but it's interesting that I am seeing different behaviour between
> ldbsearch and ldapsearch now.
>
> (Andrew - I'm wondering if I can script startup of samba in docker
> containers after restoring from a domain backup, that I could call
> from git bisect. Do you know if anyone has scripts to do that sort of
> thing already? It's not impossible for me to create, of course, but
> it's always better to use an existing working script if there is one.
> So far, my git bisect calls a script that compiles each samba version
> and runs ldbsearch, checking for number of results returned; but based
> on the above findings that's always going to succeed, so I think I
> will need to switch to ldapsearch instead)
>
> Cheers
>
> Jonathan
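The bisect helper Jonathan describes, rewritten to judge each build by what the DC returns over the wire (ldapsearch) rather than what ldbsearch reads out of sam.ldb, as an added example that is not from the thread or from the Samba project. The DC URI, bind identity, base DN, group DN, password file and expected entry count are hypothetical placeholders taken from the thread's redacted names; the only thing the script really relies on is that ldapsearch emits one `dn:` line per returned entry.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): a "git bisect run" helper that
# passes or fails a Samba build by the number of entries a
# LDAP_MATCHING_RULE_IN_CHAIN query returns over LDAP, not via ldbsearch.
# All names below are hypothetical placeholders; override via the environment.

DC_URI="${DC_URI:-ldap://dc2.mydomain.org}"          # ldap:// gets STARTTLS (-ZZ), ldaps:// does not
BIND_DN="${BIND_DN:-Administrator@mydomain}"         # simple bind identity
BASE_DN="${BASE_DN:-dc=mydomain,dc=org}"
GROUP_DN="${GROUP_DN:-CN=somegroup,OU=someou,DC=mydomain,DC=org}"
LDAP_PASSFILE="${LDAP_PASSFILE:-$HOME/.ldap-bisect-pass}"  # password file for -y; keeps it off the command line
EXPECTED="${EXPECTED:-39}"                           # entries the working query is known to return

# Build the nested-membership filter around the chain matching rule OID.
chain_filter() {
    printf '(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=%s))' "$1"
}

# Count entries in LDIF on stdin: one "dn:" line per entry. The "# numEntries:"
# comment is not a safe signal: ldapsearch omits it when zero entries come back,
# which is exactly the case being hunted. Referrals ("# ref..." / "ref:") are
# not counted. Works for ldbsearch output as well.
count_ldif_entries() {
    awk '/^dn:/ { n++ } END { print n + 0 }'
}

# Map an observed count to git bisect's exit codes:
# 0 = good, 1 = bad, 125 = cannot test this revision (e.g. no answer from the DC).
bisect_verdict() {
    count="$1"; expected="$2"
    case "$count" in
        ''|*[!0-9]*) return 125 ;;
    esac
    [ "$count" -eq "$expected" ] && return 0
    return 1
}

# Run the query over the wire against the DC started from this revision and
# turn the result into a bisect verdict. Any ldapsearch failure is "skip".
check_over_wire() {
    tls_opt=""
    case "$DC_URI" in
        ldap://*) tls_opt="-ZZ" ;;   # require STARTTLS on plain ldap://
    esac
    out=$(ldapsearch -LLL -H "$DC_URI" $tls_opt -x -D "$BIND_DN" -y "$LDAP_PASSFILE" \
              -b "$BASE_DN" "$(chain_filter "$GROUP_DN")" sAMAccountName 2>/dev/null) \
        || return 125
    n=$(printf '%s\n' "$out" | count_ldif_entries)
    bisect_verdict "$n" "$EXPECTED"
}

# Only perform the live check when invoked as "script.sh run", so the functions
# can also be sourced and exercised without a DC.
case "${1:-}" in
    run) check_over_wire; exit $? ;;
esac
```

Under `git bisect run`, the build-and-start step for the DC goes before `check_over_wire` in whatever wrapper is passed to bisect; returning 125 for "ldapsearch could not bind or connect" keeps a revision that simply fails to build or start from being marked bad. Counting `dn:` lines, rather than trusting the trailing comment block, is what makes the script notice the zero-result case Jonathan sees over ldapsearch while ldbsearch on the same DC still returns 39 entries.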


