Hey,

I stumbled across strange behaviour with LDAP searches against a Samba 4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't deliver any result, whereas queries (|(...)(...)) will function correctly. To illustrate:

---
modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b "dc=id,dc=modelnine,dc=org" -W -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" "(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))"
...
# LDAPv3
# base <dc=id,dc=modelnine,dc=org> with scope subtree
# filter: (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
# requesting: ALL
#

# Guests, Builtin, id.modelnine.org
dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
objectClass: top
objectClass: group
cn: Guests
...

# Users, Builtin, id.modelnine.org
dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
objectClass: top
objectClass: group
cn: Users
...

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 2
# numReferences: 3
---

vs.

---
modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b "dc=id,dc=modelnine,dc=org" -W -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" "(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))"
...
# LDAPv3
# base <dc=id,dc=modelnine,dc=org> with scope subtree
# filter: (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
# requesting: ALL
#

...

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3
---

Searching with (objectClass=...) but only one (distinguishedName=...) specifier yields the correct result:

---
modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b "dc=id,dc=modelnine,dc=org" -W -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" "(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))"
...
# LDAPv3
# base <dc=id,dc=modelnine,dc=org> with scope subtree
# filter: (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
# requesting: ALL
#

# Users, Builtin, id.modelnine.org
dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
objectClass: top
objectClass: group
cn: Users
...

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
---

Is this expected behaviour (I don't think so, at least I wouldn't understand why)? Anyway, the above seems to be happening with Samba 4 starting from somewhere around 4.1.17 and tdb 1.3.6, as I can reproduce it with an installation of 4.1.19 and a current 4.2.3 (sernet packages on Debian), whereas the above queries must have functioned correctly on a vanilla Debian Jessie installation beforehand (as there is software such as Redmine plugins which rely on being able to search for (objectClass=...)(|(dn=...)(dn=...))).

Thanks for any heads up, and I'll gladly make a bug report out of this!

--
Heiko Wundram.
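What the three filters from the message above select under the AND/OR semantics of RFC 4515 filters, as an added example (not code from the thread or from Samba): a small filter parser and evaluator run over constructed entries. The entry set, the function names and the simplified matching (case-insensitive equality and presence only) are assumptions of this example.

```python
def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("bad operand count for %r" % op)
        node = (op, kids)
    else:
        end = s.find(")", i)
        # Split on the first "=" only: DN values contain "=" themselves.
        attr, sep, value = s[i:max(end, i)].partition("=")
        if end == -1 or not sep or not attr:
            raise ValueError("bad filter item at offset %d" % i)
        if "*" in value and value != "*":
            raise ValueError("substring filters are not handled here")
        node = ("present", attr.lower()) if value == "*" else ("eq", attr.lower(), value)
        i = end
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _norm(value):
    # Assumption: case-insensitive match, spaces around RDN separators ignored.
    return ",".join(part.strip() for part in value.lower().split(","))

def matches(node, entry):
    kind = node[0]
    if kind == "&":   # true only if every operand matches
        return all(matches(k, entry) for k in node[1])
    if kind == "|":   # true if at least one operand matches
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    return _norm(node[2]) in {_norm(v) for v in values}

def search(entries, filter_text):
    tree = parse_filter(filter_text)
    return sorted(e["distinguishedname"][0] for e in entries if matches(tree, e))

# Constructed sample directory, using the DNs that appear in the thread.
BASE = "DC=id,DC=modelnine,DC=org"
USERS = "cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org"
GUESTS = "cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org"
ENTRIES = [
    {"distinguishedname": ["CN=Users,CN=Builtin," + BASE], "objectclass": ["top", "group"]},
    {"distinguishedname": ["CN=Guests,CN=Builtin," + BASE], "objectclass": ["top", "group"]},
    {"distinguishedname": ["CN=Machine Account,CN=Users," + BASE], "objectclass": ["top", "user"]},
]
OR_ONLY = "(|(distinguishedName=%s)(distinguishedName=%s))" % (USERS, GUESTS)
AND_OR = "(&(objectClass=group)%s)" % OR_ONLY
AND_ONE = "(&(objectClass=group)(distinguishedName=%s))" % USERS

if __name__ == "__main__":
    for name, flt in (("OR_ONLY", OR_ONLY), ("AND_OR", AND_OR), ("AND_ONE", AND_ONE)):
        print(name, search(ENTRIES, flt))
```
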
I don't see the bug...
and I upgraded multiple Debian wheezy to jessie,
and upgraded multiple Samba 4.1.17 to sernet 4.2.3.

but I see.
-D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" ?

If you're using Windows RSAT.

enable the advanced view. ( view - 3rd from below. )
Now go to the object, get the properties, tab FeaturesEditor
look for the distinguishedName.
Look if it's correct, I bet not.

Greetz,

Louis

>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heiko Wundram
>Sent: Tuesday 25 August 2015 23:25
>To: samba
>Subject: [Samba] Strange behaviour with LDAP searches
On 26/08/15 07:59, L.P.H. van Belle wrote:
> I don't see the bug...
> and I upgraded multiple Debian wheezy to jessie,
> and upgraded multiple Samba 4.1.17 to sernet 4.2.3.
>
> but I see.
> -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
> shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" ?

Hi Louis, sorry but no, 'Machine Account' appears to be a user :-)

I think the problem is this:

(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))

If you break it down, it tries to search for:

*AN*

(objectClass=group)

*AND*

(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)

*OR*

(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)

I think the *OR* is the problem, the search cannot decide which to search in because they both exist, so it returns nothing. It isn't an ldapsearch problem because ldbsearch returns the same result.

Rowland
Ah, OK, yes, I didn't look too good at the filters.
I was thinking the "Machine Account" was an OU,
but what's strange also: why is that machine account in the "user", and not in "Computers"?
I don't have any "computer" in the users OU.

Regards,

Louis

>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Wednesday 26 August 2015 11:02
>To: samba at lists.samba.org
>Subject: Re: [Samba] Strange behaviour with LDAP searches