Jonathan Hunter
2023-Nov-05  22:25 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
I'm quite confused by this one, as I can't see how this would happen..
but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
now as well)
Here's a search that now returns nothing after my DC upgrades; this
exact search used to work just fine:
(&
    (objectCategory=Person)
    (sAMAccountName=*)
    (memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
)
But if I remove the matching rule specifier, it does return a number of results:
(&
    (objectCategory=Person)
    (sAMAccountName=*)
    (memberOf=CN=somegroup,OU=someou,DC=mydomain,DC=org)
)
The data in my AD hasn't changed; I am guessing that
LDAP_MATCHING_RULE_IN_CHAIN is still supported in 4.18 and most likely
something didn't quite go perfectly to plan during the upgrade of my
DCs.
Looking at a sample user object, I can see the group listed in the
user's memberOf attribute (i.e. the user is a direct member of the
group) - so I'm not sure why a search using
LDAP_MATCHING_RULE_IN_CHAIN simply returns no results now.
Are there any indexes or internal values I could check, to see if I
can debug this any further? A 'samba-tool dbcheck --cross-ncs'
didn't
reveal anything, but I'm not sure of the best way to investigate this
one further.
Thanks for any pointers,
Cheers
Jonathan
-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
Andrew Bartlett
2023-Nov-05  23:03 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
We had to do a few changes in this area (due to security issues) over that large number of releases, it is entirely possible there was a regression.

If you have time and patience, could you back up your DC, restore into a subdirectory (on your DC or on a test box) with 4.11.10 from git, and then do a git bisect between that and 4.18.5.

You can run the query locally with bin/ldbsearch -H /path/to/sam.ldb from the build tree. You won't need to install Samba, nor start it, ldbsearch should be enough.

If a local ldbsearch passes on 4.18.5 but it fails over LDAP, that is also a useful data point.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead                                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
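The local-versus-LDAP comparison Andrew suggests, as an added diagnostic script that is not part of the thread or of Samba itself. It runs the chained (LDAP_MATCHING_RULE_IN_CHAIN) and plain memberOf searches against both backends and flags the case where the chained count is lower than the direct count, which can never be right because every direct member is also a transitive member. GROUP_DN, SAM_LDB, LDAP_URL and LDAP_OPTS are placeholders to override in the environment.

```shell
#!/bin/bash
# Added diagnostic example (not from the thread or from Samba): compare the
# transitive and direct memberOf searches on the local sam.ldb and over LDAP.
# Assumed placeholders: GROUP_DN, SAM_LDB, LDAP_URL, LDAP_OPTS (credentials).

GROUP_DN="${GROUP_DN:-CN=somegroup,OU=someou,DC=mydomain,DC=org}"   # placeholder
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
LDAP_URL="${LDAP_URL:-ldap://localhost}"                            # placeholder
LDAP_OPTS="${LDAP_OPTS:-}"      # e.g. "-U Administrator", supplied by the caller
CHAIN_OID="1.2.840.113556.1.4.1941"

# Transitive filter: matches direct and nested members of the group.
chain_filter() { printf '(&(objectCategory=person)(memberOf:%s:=%s))' "$CHAIN_OID" "$1"; }
# Direct filter: matches only objects that list the group in memberOf.
direct_filter() { printf '(&(objectCategory=person)(memberOf=%s))' "$1"; }

# Count entries in LDIF on stdin (ldbsearch prints one "dn: " line per entry).
count_dns() { grep -c '^dn: ' || true; }

# A direct member is always a transitive member, so the chained count ($1)
# can never be below the direct count ($2); if it is, the rule is not working.
classify() {
    if [ "$1" -lt "$2" ]; then echo BROKEN
    elif [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo EMPTY
    else echo OK; fi
}

# Run both searches on one backend: $1 is the ldbsearch -H target, $2 extra
# options (word-split on purpose). Prints "<chained> <direct> <verdict>".
check_backend() {
    local chained direct
    chained=$(ldbsearch $2 -H "$1" "$(chain_filter "$GROUP_DN")" cn 2>/dev/null | count_dns)
    direct=$(ldbsearch $2 -H "$1" "$(direct_filter "$GROUP_DN")" cn 2>/dev/null | count_dns)
    echo "$chained $direct $(classify "$chained" "$direct")"
}

# Only touch the directory when explicitly asked: ./compare.sh run
if [ "${1:-}" = "run" ]; then
    echo "local sam.ldb: $(check_backend "$SAM_LDB" "")"
    echo "over LDAP:     $(check_backend "$LDAP_URL" "$LDAP_OPTS")"
fi
```

A BROKEN verdict on the local sam.ldb points at the database or ldb modules themselves, while BROKEN only over LDAP narrows it to the LDAP server path, which is the data point Andrew asks for.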
Kees van Vloten
2023-Nov-06  09:36 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did not experience any issues with nested group lookups, which many of the filters rely on.

To query a user's nested groups I use this little script (on the DCs):

#!/bin/bash

if [[ $# -lt 1 ]]; then
    echo "Usage: $0 <ldap_object>"
    echo "    ldap_object   name of a computer, user or group"
    exit 1
fi

OBJECT=$1
BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"

# Use UID instead of sAMAccountName because it does not have the $ ending for computer accounts
OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" "(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
    grep 'dn:' | cut -d ' ' -f 2-)"
#echo "Object DN: ${OBJECT_DN}"

#echo "Nested group memberships:"
ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
    "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=${OBJECT_DN}))" cn 2> /dev/null |
    grep 'cn:' | cut -d ' ' -f 2- | sort

And the reverse to get all users in a nested group:

#!/bin/bash

if [[ $# -lt 1 ]]; then
    echo "Usage: $0 <ldap_object>"
    echo "    ldap_object   name of group"
    exit 1
fi

OBJECT=$1
BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"

# Use UID instead of sAMAccountName because it does not have the $ ending for computer accounts
OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" "(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
    grep 'dn:' | cut -d ' ' -f 2-)"
#echo "Object DN: ${OBJECT_DN}"

#echo "Nested group memberships:"
ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
    "(&(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=${OBJECT_DN}))" 2> /dev/null |
    grep 'cn:' | cut -d ' ' -f 2- | sort

And although the script uses ldbsearch locally on the DC, many applications use similar queries over the wire.

If it does not show the desired output for you, it may be worth looking at configuration differences, because I had and have no issues whatsoever with this functionality.

- Kees.