samba - Mar 2014 - LDAP Queries

Guys

needing some help with LDAP queries against samba4

this command works against MS AD's LDAP

(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))


but

with samba4 I get

C:\Users\Administrator>dsquery * --filter
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

I get the error message as below
(objectClass was unexpected at this time.

it seams that filtering doesn't work anybody else got any experience with
this ?

--

Damien Dye
 IT Manager
 *Sondrel Ltd*
 Sondrel House, Theale Lakes Business Park
Moulden Way, Sulhamstead, Berkshire, RG7 4GB, UK

Tel: +44(0)118 9838 550
www.sondrel.com

 [image: Sondrel] <http://www.sondrel.com/>

This e-mail and any attachments may be confidential or legally privileged.
If you are not the intended recipient, you should destroy the e-mail
message and any attachments, and inform us of the erroneous delivery by
return e-mail. You are prohibited from retaining, distributing, disclosing
or using any information contained herein. Internet communications cannot
be guaranteed to be timely, secure, error or virus-free. Sondrel Ltd and
the sender do not accept liability for any errors or omissions, nor do we
accept liability for the content of this email, or for the consequences of
any actions taken on the basis of the information provided, unless that
information is consequently confirmed in writing under the personal
signature of a duly authorised officer of Sondrel Ltd.

This email is sent on behalf of Sondrel Ltd registered in England with
number 4491953, registered office Sondrel House, Theale Lakes Business
Park, Moulden Way, Sulhamstead, Berkshire, RG7 4GB, UK.

Hello Damien,

Am 10.03.2014 13:20, schrieb Damien Dye:
> with samba4 I get
>
> C:\Users\Administrator>dsquery * --filter
>
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> I get the error message as below
> (objectClass was unexpected at this time.
>
> it seams that filtering doesn't work anybody else got any experience
with
> this ?

If I use your filter on Linux with ldapsearch, it works:


# ldapsearch -D
"cn=Administrator,cn=Users,dc=samdom,dc=example,dc=com"
-W -b "dc=SAMDOM,dc=example,dc=com" -h localhost 
'(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=SAMDOM,dc=example,dc=com> with scope subtree
# filter: 
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# requesting: ALL
#

# demo1, Users, samdom.example.com
dn: CN=demo1,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sn: User1
givenName: Demo
instanceType: 4
whenCreated: 20130602192954.0Z
displayName: Demo User1
uSNCreated: 3915
objectGUID:: lcTONgoYXkOSxSX3B9gJIw=badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAmkncum+K8CSiQJHXXQQAAA=accountExpires:
9223372036854775807
logonCount: 0
sAMAccountName: demo1
sAMAccountType: 805306368
userPrincipalName: demo1 at samdom.example.com
objectCategory: 
CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
  om
pwdLastSet: 130146749940000000
cn: demo1
name: demo1
msSFU30Name: demo1
unixUserPassword: ABCD!efgh12345$67890
uid: demo1
homeDrive: H:
homeDirectory: \\DC1\home\demo1
profilePath: \\DC1\Profiles\demo1
memberOf: CN=testGroup,CN=Users,DC=samdom,DC=example,DC=com
msSFU30NisDomain: samdom
uidNumber: 10007
loginShell: /bin/sh
unixHomeDirectory: /home/demo1
gidNumber: 10002
msDS-SupportedEncryptionTypes: 0
mail: demo at samdom.example.com
userAccountControl: 66048
whenChanged: 20140310194512.0Z
uSNChanged: 4049
distinguishedName: CN=demo1,CN=Users,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3




What happens if you run this command on Linux on your site? Does it only 
fail from Windows?

I never run a LDAP query from Windows. What host does dsquery.exe uses 
per default?


Regards,
Marc



PS: Is easier if you add a note in future posts, what a filter like 
"userAccountControl:1.2.840.113556.1.4.803:=2" does, if someone want
to
try to reproduce it ;-)