Rowland Penny
2025-Sep-18 07:28 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Thu, 18 Sep 2025 06:17:39 +0200
Franta Hanzlík via samba <samba at lists.samba.org> wrote:

> On Thu, 18 Sep 2025 01:34:58 +0200
> Franta Hanzlík via samba <samba at lists.samba.org> wrote:
>
> > [...]
> > Now I've come across an interesting mystery that I can't explain:
> > I wanted to use ldbsearch to list user accounts by specifying the
> > LDAP filter sAMAccountType == SAM_USER_OBJECT (=0x30000000 805306368).
> > And I don't understand the behavior of ldbsearch and I don't know how
> > to explain and fix it. My attempts and results:
> >
> > 1)
> > # ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=805306368)" dn sAMAccountType
> > # returned 0 records
> > # 0 entries
> > # 0 referrals
> >
> > Why the hell doesn't it work? And - this is interesting:
> > [...]
> > --
> > Did I miss something in the LDAP/LDB filter syntax?
>
> This example also returns no data, even though there are a number of
> records with distinguishedName matching pattern *,OU=T,DC=zamecek,DC=*
>
> ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(distinguishedName=*OU=T*)" dn distinguishedName
> # returned 0 records
> # 0 entries
> # 0 referrals

It probably isn't working because you are searching in the wrong place.
Never search in the files in the sam.ldb.d directory and definitely
never alter any of the files in that directory.

Try your original search like this:

sudo ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountType=805306368)" dn sAMAccountType

Just search and alter the sam.ldb file.

Rowland
Franta Hanzlík
2025-Sep-18 22:04 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Thu, 18 Sep 2025 08:28:29 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 18 Sep 2025 06:17:39 +0200
> Franta Hanzlík via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 18 Sep 2025 01:34:58 +0200
> > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> >
> > > [...]
> > > Now I've come across an interesting mystery that I can't explain:
> > > I wanted to use ldbsearch to list user accounts by specifying the
> > > LDAP filter sAMAccountType == SAM_USER_OBJECT (=0x30000000 805306368).
> > > And I don't understand the behavior of ldbsearch and I don't know how
> > > to explain and fix it. My attempts and results:
> > >
> > > 1)
> > > # ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=805306368)" dn sAMAccountType
> > > # returned 0 records
> > > # 0 entries
> > > # 0 referrals
> > >
> > > Why the hell doesn't it work? And - this is interesting:
> > > [...]
> > > --
> > > Did I miss something in the LDAP/LDB filter syntax?
> >
> > This example also returns no data, even though there are a number of
> > records with distinguishedName matching pattern *,OU=T,DC=zamecek,DC=*
> >
> > ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(distinguishedName=*OU=T*)" dn distinguishedName
> > # returned 0 records
> > # 0 entries
> > # 0 referrals
>
> It probably isn't working because you are searching in the wrong place.
> Never search in the files in the sam.ldb.d directory and definitely
> never alter any of the files in that directory.
>
> Try your original search like this:
>
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountType=805306368)" dn sAMAccountType
>
> Just search and alter the sam.ldb file.
>
> Rowland
> --

Rowland, many thanks about using samba/private/sam.ldb !

I found some info here:
https://lists.samba.org/archive/samba/2015-February/189634.html
(content of sam.ldb vs sam.ldb.d/DC=MYDOMAIN,DC=LAN) which also suggests
something, but it's not stated there as strictly as you did.

But: the '(sAMAccountType=805306368)' ldbsearch filter on
samba/private/sam.ldb is now working, but the filter for
distinguishedName IMO is not:

1) only distinguishedName attribute presence required returns 266 records:

# DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*))" dn distinguishedName|tail -n 11
# record 265
dn: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
distinguishedName: CN=johanikova_n,OU=Z,DC=zamecek,DC=home

# record 266
dn: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
distinguishedName: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home

# returned 266 records    <---- 266 records for "any" distinguishedName
# 266 entries
# 0 referrals

2) filter for substring "OU=Z" in distinguishedName returns nothing
(although from the previous request these records exist):

# DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*OU=Z*))" dn distinguishedName|tail -n 11
# returned 0 records
# 0 entries
# 0 referrals

Can this be explained somehow?

Also - does ldbsearch have any equivalent of the ldapsearch "ldif_wrap"
(specifically "ldif_wrap=no") option?

More generally: ldbsearch (other ldb*** utilities also) has -o and
--controls switches, but are they documented somewhere?

--
Thanks again, excuse my maybe unimportant questions.
Franta Hanzlík
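A client-side way to get the subtree selection that the DN substring filter above does not deliver, as an added example that is not part of the thread and not Samba project code. distinguishedName has DN syntax, and Active Directory-style directories support equality and presence on DN-syntax attributes but not substring matching, so the usual approach is to pick the subtree with the search base (ldbsearch's -b option) or to post-filter the DN after the search. The script parses ldbsearch-style LDIF output (joining folded continuation lines, which is what ldif_wrap controls in ldapsearch), applies the thread's sAMAccountType test and the bitwise semantics of the 1.2.840.113556.1.4.803 matching rule on userAccountControl, and then keeps only entries whose DN lies under a given OU. The LDIF, DNs and values are constructed; only SAM_USER_OBJECT and DONT_EXPIRE_PASSWORD are taken from the thread.

```python
"""Post-filter ldbsearch output on the client (added example, not Samba code)."""
import re

SAM_USER_OBJECT = 0x30000000    # 805306368: sAMAccountType of user objects (from the thread)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit the thread excludes

# Constructed to mimic ldbsearch output: '#' comment lines, a blank line between
# records, and one long value folded onto a continuation line that starts with a
# single space (RFC 2849 folding, the behaviour ldapsearch's ldif_wrap controls).
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,OU=Z,DC=example,DC=test
distinguishedName: CN=alice,OU=Z,DC=example,DC=test
sAMAccountType: 805306368
userAccountControl: 512

# record 2
dn: CN=svc-backup,OU=Z,DC=example,DC=test
distinguishedName: CN=svc-backup,OU=Z,DC=example,
 DC=test
sAMAccountType: 805306368
userAccountControl: 66048

# record 3
dn: CN=bob,OU=T,DC=example,DC=test
distinguishedName: CN=bob,OU=T,DC=example,DC=test
sAMAccountType: 805306368
userAccountControl: 512

# record 4
dn: CN=pc01,OU=Z,DC=example,DC=test
distinguishedName: CN=pc01,OU=Z,DC=example,DC=test
sAMAccountType: 805306369
userAccountControl: 4096

# returned 4 records
# 4 entries
# 0 referrals
"""


def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attribute: [values]} dicts.
    Folded lines are joined first and '#' comments dropped; base64 ('::')
    values are not handled, which is enough for DN and integer attributes."""
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_components(dn):
    """Split a DN into lower-cased (type, value) pairs at unescaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def is_under(dn, base_dn):
    """True when dn is base_dn itself or lies beneath it (RDNs compared from the right)."""
    d, b = dn_components(dn), dn_components(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def bit_and_matches(value, mask):
    """Semantics of LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803):
    the assertion holds only if every bit of mask is set in value."""
    return (int(value) & mask) == mask


def select_users(entries, base_dn=None, excluded_uac_bits=DONT_EXPIRE_PASSWORD):
    """DNs of user objects lacking the excluded UAC bits, optionally restricted
    to a subtree; the subtree test stands in for the DN substring filter."""
    selected = []
    for entry in entries:
        if int(entry["sAMAccountType"][0]) != SAM_USER_OBJECT:
            continue
        if bit_and_matches(entry["userAccountControl"][0], excluded_uac_bits):
            continue
        dn = entry["dn"][0]
        if base_dn is not None and not is_under(dn, base_dn):
            continue
        selected.append(dn)
    return selected


if __name__ == "__main__":
    for dn in select_users(parse_ldif(SAMPLE_LDIF), base_dn="OU=Z,DC=example,DC=test"):
        print(dn)
```

Run against real output by piping `ldbsearch ... dn distinguishedName sAMAccountType userAccountControl` into the script instead of the constructed sample; because the parser unfolds continuation lines, long DNs survive whether or not the tool wraps them.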