thr3ads.net - samba - [Samba] Group members via LDAP [Feb 2023]

If this information is useful, please help other people find it:
Share via:

Troels Arvin

2023-Feb-08 15:35 UTC

[Samba] Group members via LDAP

Hello,

On a network, I'm using Samba as domain controller.

I've created a group "mygroup" which has three members. Those
members
have "mygroup" as primary group:

==================================================# samba-tool group listmembers
mygroup
user1
user2
user3
==================================================

However, when I query Samba via LDAP, the group members don't appear:
==================================================$ ldapsearch
samaccountname=mygroup member
SASL/GSS-SPNEGO authentication started
SASL username: troels at MYDOM.ORG
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=MYDOM,dc=ORG> (default) with scope subtree
# filter: samaccountname=mygroup
# requesting: member
#

# mygroup, Users, mydom.org
dn: CN=mygroup,CN=Users,DC=mydom,DC=org

# search reference
# ...
==================================================

I had expected the result to also have some "member:" lines such as:
==================================================dn:
CN=mygroup,CN=Users,DC=mydom,DC=org
member: CN=User1 Surname1,CN=users,DC=mydom,DC=org
member: CN=User2 Surname2,CN=users,DC=mydom,DC=org
member: CN=User3 Surname3,CN=users,DC=mydom,DC=org
==================================================
How can I run ldapsearch in a way where all members of the group are 
shown, including users who have the group as the primary group?

-- 
Regards,
Troels Arvin

Rowland Penny

2023-Feb-08 16:13 UTC

head link

[Samba] Group members via LDAP

On 08/02/2023 15:35, Troels Arvin via samba wrote:> Hello,
> 
> On a network, I'm using Samba as domain controller.
> 
> I've created a group "mygroup" which has three members. Those
members
> have "mygroup" as primary group:
> 
> ==================================================> # samba-tool group
listmembers mygroup
> user1
> user2
> user3
> ==================================================> 
> 
> However, when I query Samba via LDAP, the group members don't appear:
> ==================================================> $ ldapsearch
samaccountname=mygroup member
> SASL/GSS-SPNEGO authentication started
> SASL username: troels at MYDOM.ORG
> SASL SSF: 256
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=MYDOM,dc=ORG> (default) with scope subtree
> # filter: samaccountname=mygroup
> # requesting: member
> #
> 
> # mygroup, Users, mydom.org
> dn: CN=mygroup,CN=Users,DC=mydom,DC=org
> 
> # search reference
> # ...
> ==================================================> 
> 
> I had expected the result to also have some "member:" lines such
as:
> ==================================================> dn:
CN=mygroup,CN=Users,DC=mydom,DC=org
> member: CN=User1 Surname1,CN=users,DC=mydom,DC=org
> member: CN=User2 Surname2,CN=users,DC=mydom,DC=org
> member: CN=User3 Surname3,CN=users,DC=mydom,DC=org
> ==================================================> 
> How can I run ldapsearch in a way where all members of the group are 
> shown, including users who have the group as the primary group?

I don't use ldapsearch much (I use ldbsearch etc, easier to use with 
kerberos), but don't you have to use a searchbase ?

i.e, -b 'dc=mydom,dc=org'

Rowland

samba - Feb 2023 - Group members via LDAP

[Samba] Group members via LDAP

[Samba] Group members via LDAP