Ah, ok, yes, I didn't look too closely at the filters.

I was thinking the "Machine Account" was an OU, but what's also strange: why is that machine account in "Users" and not in "Computers"? I don't have any "computer" in the Users OU.

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday 26 August 2015 11:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Strange behaviour with LDAP searches
>
> On 26/08/15 07:59, L.P.H. van Belle wrote:
>> I don't see the bug...
>> and I upgraded multiple Debian wheezy to jessie,
>> and upgraded multiple samba 4.1.17 to sernet 4.2.3.
>>
>> but I see.
>> -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org"
>> shouldn't this be -D "OU=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" ?
>
> Hi Louis, sorry but no, 'Machine Account' appears to be a user :-)
>
> I think the problem is this:
>
> (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>
> If you break it down, it tries to search for:
>
> *AN*
>
> (objectClass=group)
>
> *AND*
>
> (distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)
>
> *OR*
>
> (distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)
>
> I think the *OR* is the problem, the search cannot decide which to search in because they both exist, so it returns nothing. It isn't an ldapsearch problem because ldbsearch returns the same result.
>
> Rowland
>
>> If you're using Windows RSAT:
>>
>> enable the advanced view (View, third from the bottom).
>> Now go to the object, get the properties, tab FeaturesEditor,
>> look for the distinguishedName.
>> Look if it's correct, I bet not.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Heiko Wundram
>>> Sent: Tuesday 25 August 2015 23:25
>>> To: samba
>>> Subject: [Samba] Strange behaviour with LDAP searches
>>>
>>> Hey,
>>>
>>> I stumbled across strange behaviour with LDAP searches against a Samba 4 AD today, where queries for (&(objectClass=x)(|(...)(...))) won't deliver any result, whereas queries (|(...)(...)) will function correctly. To illustrate:
>>>
>>> ---
>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b "dc=id,dc=modelnine,dc=org" -W -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" "(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>>> ...
>>> # LDAPv3
>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>> # filter: (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
>>> # requesting: ALL
>>> #
>>>
>>> # Guests, Builtin, id.modelnine.org
>>> dn: CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org
>>> objectClass: top
>>> objectClass: group
>>> cn: Guests
>>> ...
>>>
>>> # Users, Builtin, id.modelnine.org
>>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>>> objectClass: top
>>> objectClass: group
>>> cn: Users
>>> ...
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 6
>>> # numEntries: 2
>>> # numReferences: 3
>>> ---
>>>
>>> vs.
>>>
>>> ---
>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b "dc=id,dc=modelnine,dc=org" -W -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" "(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))"
>>> ...
>>> # LDAPv3
>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>> # filter: (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>>> # requesting: ALL
>>> #
>>>
>>> ...
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 4
>>> # numReferences: 3
>>> ---
>>>
>>> Searching with (objectClass=...) but only one (distinguishedName=...) specifier yields the correct result:
>>>
>>> ---
>>> modelnine at xdom00 ~ $ ldapsearch -H ldap://id.modelnine.org -b "dc=id,dc=modelnine,dc=org" -W -D "cn=Machine Account,cn=Users,dc=id,dc=modelnine,dc=org" "(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))"
>>> ...
>>> # LDAPv3
>>> # base <dc=id,dc=modelnine,dc=org> with scope subtree
>>> # filter: (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
>>> # requesting: ALL
>>> #
>>>
>>> # Users, Builtin, id.modelnine.org
>>> dn: CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org
>>> objectClass: top
>>> objectClass: group
>>> cn: Users
>>> ...
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 5
>>> # numEntries: 1
>>> # numReferences: 3
>>> ---
>>>
>>> Is this expected behaviour (I don't think so, at least I wouldn't understand why)? Anyway, the above seems to be happening with Samba 4 starting from somewhere around 4.1.17 and tdb 1.3.6, as I can reproduce it with an installation of 4.1.19 and a current 4.2.3 (sernet packages on Debian), whereas the above queries must have functioned correctly on a vanilla Debian Jessie installation beforehand (as there is software such as Redmine plugins which rely on being able to search for (objectClass=...)(|(dn=...)(dn=...))).
>>>
>>> Thanks for any heads up, and I'll gladly make a bug report out of this!
>>>
>>> --
>>> Heiko Wundram.
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
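The three filters quoted above, run through a small RFC 4515 filter evaluator against in-memory entries. This is an added example, not code from the thread or from Samba: it shows what a conforming LDAP server must return for each filter (2, 2 and 1 entries), which is the baseline to compare the Samba results (2, 0 and 1) against. By the filter grammar an OR of two equality assertions matches the union of their entries, and AND-ing (objectClass=group) onto that cannot drop entries that are groups, so the empty result for the combined form is a server-side discrepancy, not a property of the filter. The entries (the two Builtin groups plus a Machine Account user object), and the simplified DN comparison (case-insensitive string equality, which is enough for these values), are assumptions of the example.

```python
"""Evaluate RFC 4515 search filters against in-memory entries.

Added example, not code from the thread or from Samba. It shows what a
conforming LDAP server must return for the three filters in the thread.
The entries below are constructed; DN comparison is simplified to
case-insensitive string equality, which is enough for these values.
"""
import re


def _unescape(value):
    """Decode RFC 4515 hex escapes such as \\2a and \\28 in an assertion value."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value).

    Only AND, OR, NOT and equality are supported, which covers the thread.
    Raises ValueError on malformed input instead of guessing.
    """
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def parse():
        nonlocal pos
        if peek() != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = peek()
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse())
            if peek() != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated simple filter")
        # partition on the first '=' only: DN values contain '=' themselves
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed simple filter at offset {pos}")
        pos = end + 1
        return ("=", attr, _unescape(value))

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Return True if entry (attribute name -> list of values) satisfies node."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(entries, filter_text):
    """Return the DNs of entries matching filter_text (subtree scope, no size limit)."""
    node = parse_filter(filter_text)
    return [e["distinguishedName"][0] for e in entries if matches(node, e)]


# Constructed entries: the two Builtin groups from the thread's output plus a
# user object, so that (objectClass=group) actually excludes something.
ENTRIES = [
    {"distinguishedName": ["CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org"],
     "objectClass": ["top", "group"], "cn": ["Users"]},
    {"distinguishedName": ["CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org"],
     "objectClass": ["top", "group"], "cn": ["Guests"]},
    {"distinguishedName": ["CN=Machine Account,CN=Users,DC=id,DC=modelnine,DC=org"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Machine Account"]},
]

USERS_DN = "cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org"
GUESTS_DN = "cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org"

# The three filters from the thread, same shape as the ldapsearch calls.
FILTER_OR = f"(|(distinguishedName={USERS_DN})(distinguishedName={GUESTS_DN}))"
FILTER_AND_OR = f"(&(objectClass=group){FILTER_OR})"
FILTER_AND_ONE = f"(&(objectClass=group)(distinguishedName={USERS_DN}))"


def expected_counts():
    """Entry counts a conforming server returns; the thread's server gave 2, 0 and 1."""
    return {name: len(search(ENTRIES, flt)) for name, flt in
            (("or", FILTER_OR), ("and_or", FILTER_AND_OR), ("and_one", FILTER_AND_ONE))}


if __name__ == "__main__":
    for name, count in expected_counts().items():
        print(f"{name}: {count}")
```

Run as a script it prints the counts 2, 2 and 1. Rowland's ldbsearch check is the right bisection step here: when ldbsearch against the local sam.ldb returns the same empty result as ldapsearch, the LDAP front end is not the component to look at.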
Hey,

On 26.08.2015 11:09, L.P.H. van Belle wrote:
> Ah, ok, yes, I didn't look too closely at the filters.
>
> I was thinking the "Machine Account" was an OU
> but what's also strange: why is that machine account in "Users" and
> not in "Computers"?
> I don't have any "computer" in the Users OU.

The "machine account" is a regular user that I created for non-joined "machines/services" to access AD directory information. I.e., it's a mostly unprivileged user (in cn=Users) that simply allows bind access to the directory for queries from external services such as nslcd - and in this specific case also Redmine (for group synchronization from AD).

What I'm slightly worried about is that the OR-query should, from what I know about LDAP filters, return two results, as both groups exist, and just using the query

(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))

-> 2 results

does return both groups. What breaks the search is AND-ing this query with the requirement that the returned objects have one of the specified DNs and also (objectClass=group): this search returns no results:

(&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))

-> 0 results

What does return a (single) result (as it should) is asking for a single group with (objectClass=group) and a DN:

(&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))

-> 1 result

I'm more than sure that the combined query "works" (returns two results) with a vanilla Debian Jessie Samba 4 installation (as I've had Redmine pull the groups for users from AD for quite some time) and I'm trying to recreate that now; it does not work anymore after upgrading the system to a Sernet Samba 4.2.3, and neither does it work against the Gentoo Samba 4.1.19 I have running on the system I posted the queries from.

As Redmine uses a query of the form (&(objectClass=group)(|(distinguishedName=group1)(distinguishedName=group2)(distinguishedName=group3)(...))) to resolve the memberOf elements of a user (replacing group1, etc. with an OR-join of the DNs), and this does not return any elements, Redmine currently does not assign _any_ groups to users retrieved from AD, which is a show-stopper.

Does this clear up better what the problem is?

--
--- Heiko.
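The group lookup Heiko describes, as an added example that is neither Redmine's code nor code from the thread: it builds the (&(objectClass=group)(|(distinguishedName=...)...)) filter from a user's memberOf values with RFC 4515 escaping of each DN, and, when the combined query comes back empty although the user has group DNs, falls back to one (&(objectClass=group)(distinguishedName=...)) query per group, the form that did return a result. The escaping matters independently of the Samba behaviour: a DN containing parentheses, such as a group named "Sales (EMEA)", breaks an unescaped filter, and an attacker-influenced value could rewrite it. The `search` callable, the per-group fallback and the stub server that emulates the reported empty result are assumptions of the example.

```python
"""Build the Redmine-style group lookup filter with RFC 4515 escaping.

Added example, not Redmine's code and not from the thread. The `search`
callable passed to resolve_groups is hypothetical: in real use it wraps an
LDAP client (python-ldap, ldap3) or ldapsearch and returns matching DNs.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a DN such as "CN=Sales (EMEA),OU=Groups,..."
# breaks the filter, and an attacker-chosen value could rewrite it.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_dns):
    """Return (&(objectClass=group)(|(distinguishedName=g1)(distinguishedName=g2)...)).

    This is the shape of the query the thread says Redmine issues for a
    user's memberOf values.
    """
    if not group_dns:
        raise ValueError("no group DNs to look up")
    clauses = "".join(f"(distinguishedName={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectClass=group)(|{clauses}))"


def build_single_group_filter(group_dn):
    """Return (&(objectClass=group)(distinguishedName=dn)), the form that did work."""
    return f"(&(objectClass=group)(distinguishedName={escape_filter_value(group_dn)}))"


def resolve_groups(member_of, search):
    """Resolve a user's memberOf DNs to group DNs via `search(filter) -> list[str]`.

    Tries the combined OR filter first. If it returns nothing even though the
    user has memberOf values, fall back to one query per group (an assumed
    workaround for the empty result reported in the thread, not something the
    thread proposes) and report which path produced the result so the
    discrepancy shows up in logs instead of silently yielding no groups.
    """
    if not member_of:
        return [], "none"
    groups = search(build_group_filter(member_of))
    if groups:
        return groups, "combined"
    groups = []
    for dn in member_of:
        groups.extend(search(build_single_group_filter(dn)))
    return groups, "per-group"


# Constructed stub standing in for the Samba AD from the thread: it answers
# single-DN lookups but returns nothing for the AND/OR form, as reported.
_KNOWN_GROUPS = {
    "cn=users,cn=builtin,dc=id,dc=modelnine,dc=org": "CN=Users,CN=Builtin,DC=id,DC=modelnine,DC=org",
    "cn=guests,cn=builtin,dc=id,dc=modelnine,dc=org": "CN=Guests,CN=Builtin,DC=id,DC=modelnine,DC=org",
}


def stub_buggy_search(filter_text):
    """Emulate the observed behaviour; a real server matches the escaped value."""
    if filter_text.startswith("(&(objectClass=group)(|"):
        return []
    prefix = "(&(objectClass=group)(distinguishedName="
    if filter_text.startswith(prefix) and filter_text.endswith("))"):
        wanted = filter_text[len(prefix):-2].lower()
        return [_KNOWN_GROUPS[wanted]] if wanted in _KNOWN_GROUPS else []
    return []


if __name__ == "__main__":
    member_of = list(_KNOWN_GROUPS.values())
    print(build_group_filter(member_of))
    groups, path = resolve_groups(member_of, stub_buggy_search)
    print(path, groups)
```

Against the stub the combined filter yields nothing and the per-group path recovers both groups; against a server that handles the combined filter the first query is the only round trip. Logging which path was taken is what makes a regression like the one in the thread visible during a sync instead of surfacing later as users with no groups.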
On 26/08/15 10:09, L.P.H. van Belle wrote:
> Ah, ok, yes, I didn't look too closely at the filters.
>
> I was thinking the "Machine Account" was an OU
> but what's also strange: why is that machine account in "Users" and not in "Computers"?
> I don't have any "computer" in the Users OU.
>
> Gr.
>
> Louis

Neither do I, but I don't think "Machine Account" is a computer. I think it is an administrative user i.e. 'Mr M Account' :-D

Rowland
On 26/08/15 10:23, Heiko Wundram wrote:
> Hey,
>
> What I'm slightly worried about is that the OR-query should, from what
> I know about LDAP filters, return two results, as both groups exist,
> and just using the query
>
> (|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org))
>
> -> 2 results
>
> does return both groups. What breaks the search is AND-ing this query
> with the requirement that the returned objects have one of the
> specified DNs and also (objectClass=group): this search returns no
> results:
>
> (&(objectClass=group)(|(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org)(distinguishedName=cn=Guests,cn=Builtin,dc=id,dc=modelnine,dc=org)))
>
> -> 0 results
>
> What does return a (single) result (as it should) is asking for a
> single group with (objectClass=group) and a DN:
>
> (&(objectClass=group)(distinguishedName=cn=Users,cn=Builtin,dc=id,dc=modelnine,dc=org))
>
> -> 1 result
>
> I'm more than sure that the combined query "works" (returns two
> results) with a vanilla Debian Jessie Samba 4 installation

It doesn't work for me on Debian wheezy with samba from backports: 4.1.17-Debian

Rowland