Flavio Stanchina
2021-Mar-22 23:29 UTC
[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
We're migrating a customer's network to Samba AD using Zentyal and we're reconfiguring several services to use AD for authentication.

We've created a dedicated, unprivileged user for each service to bind to AD, but we're having some problems with grouping. We'd like to use filters like this to limit access:

  memberOf=CN=VPN Users,CN=Groups,DC=domain

...but it appears that non-admin users can't access the memberOf attribute, which I understand is not a "real" attribute but is being synthesized on-the-fly from group memberships.

An LDAP query like this won't return memberOf (without erroring out) if the user is not a Domain Admin:

  ldapsearch -h dc1.domain -D user@domain -W \
    -b 'cn=Users,dc=domain' \
    sAMAccountName memberOf

I tried this against a Windows DC and it works as expected (Win 2016 if it matters, but I'm pretty sure I had it working on other versions).

Is this expected?

Is there a way to set ACLs or other permissions on the LDAP attributes? I tried all the searches I could think of on this subject, but couldn't find anything.

Should I try with a fresh and clean Samba installation instead of Zentyal? Would official Debian "buster" Samba packages be any good?

Sorry for the many questions and fragmentary data, but this isn't something I do often and I wasn't expecting this particular problem. Any additional info you need to help me, just ask.

-- 
Flavio

Those who do not understand Unix are condemned to reinvent it, poorly.
    -- Henry Spencer
Rowland penny
2021-Mar-23 09:02 UTC
[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
> We're migrating a customer's network to Samba AD using Zentyal and
> we're reconfiguring several services to use AD for authentication.
>
> We've created a dedicated, unprivileged user for each service to bind
> to AD, but we're having some problems with grouping. We'd like to use
> filters like this to limit access:
> memberOf=CN=VPN Users,CN=Groups,DC=domain
>
> ...but it appears that non-admin users can't access the memberOf
> attribute, which I understand is not a "real" attribute but is being
> synthesized on-the-fly from group memberships.
>
> An LDAP query like this won't return memberOf (without erroring out) if
> the user is not a Domain Admin:
> ldapsearch -h dc1.domain -D user@domain -W \
>   -b 'cn=Users,dc=domain' \
>   sAMAccountName memberOf
>
> I tried this against a Windows DC and it works as expected (Win 2016
> if it matters, but I'm pretty sure I had it working on other versions).
>
> Is this expected?
>
> Is there a way to set ACLs or other permissions on the LDAP
> attributes? I tried all the searches I could think of on this subject,
> but couldn't find anything.
>
> Should I try with a fresh and clean Samba installation instead of
> Zentyal? Would official Debian "buster" Samba packages be any good?
>
> Sorry for many questions and fragmentary data, but this isn't
> something I do often and I wasn't expecting this particular problem.
> Any additional info you need to help me, just ask.
>
This works for me against a Samba DC:

  ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W -b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf

Though it doesn't work against my other DC, it needs stronger authentication.

Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is actually a linked attribute, it is linked with 'member'.

Rowland
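An added example, not from either poster, of the member/memberOf relationship described in this thread: it reads the LDIF that ldapsearch prints for the groups' forward 'member' links, inverts them into the memberOf back link, and makes the same decision as the (memberOf=...) filter Flavio wants, comparing DNs the way AD does (case-insensitive, spaces after commas ignored). The LDIF sample, its DNs and the function names are constructed for the example.

```python
import base64

def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF output (folded lines, 'attr:: base64')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line:                              # blank line ends an entry
            if "dn" in current:                   # 'result:' trailer has no dn
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, value = line.split(":", 1)
            if value.startswith(":"):             # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr, []).append(value.strip())
    return entries

def normalize_dn(dn):
    """AD DNs compare case-insensitively and tolerate spaces after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def build_member_of(entries):
    """Invert each group's forward 'member' links into user DN -> {group DNs},
    i.e. the memberOf back link. Direct membership only, like AD's memberOf."""
    member_of = {}
    for e in entries:
        for m in e.get("member", []):
            member_of.setdefault(normalize_dn(m), set()).add(normalize_dn(e["dn"][0]))
    return member_of

def is_member(member_of, user_dn, group_dn):
    # Same decision as the filter (memberOf=<group_dn>) made for one user.
    return normalize_dn(group_dn) in member_of.get(normalize_dn(user_dn), set())

# Constructed sample (hypothetical DNs) shaped like the output of
#   ldapsearch -x -b 'cn=Groups,dc=domain' '(objectClass=group)' member
_B64 = base64.b64encode("CN=Jörg Müller,CN=Users,DC=domain".encode()).decode()
SAMPLE_LDIF = f"""dn: CN=VPN Users,CN=Groups,DC=domain
member: CN=flavio,CN=Users,DC=domain
member: CN=svc-vpn,
 CN=Users,DC=domain
member:: {_B64}

result: 0 Success
"""
```

The folded and base64-encoded member values are there on purpose: ldapsearch wraps long lines and base64-encodes any value that is not printable ASCII, so a reader that skips either silently loses memberships.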