samba - Dec 2015 - Nested Group control doesn't work

Hey guys,

We can perform this LDAP query against Windows Server 2012 no problem, but
against samba it's failing:

(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_users,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com))

Is that "nested group" tree control
(memberOf:1.2.840.113556.1.4.1941:)
supported? If not, is there a better way to design this ldap search so it
supports nested groups?

-- 
Email Confidentiality Notice: The information contained in this 
transmission is confidential, proprietary or privileged and may be subject 
to protection under the law, including the Health Insurance Portability and 
Accountability Act (HIPAA). The message is intended for the sole use of the 
individual or entity to whom it is addressed. If you are not the intended 
recipient, you are notified that any use, distribution or copying of the 
message is strictly prohibited and may subject you to criminal or civil 
penalties. If you received this transmission in error, please contact the 
sender immediately by replying to this email and delete the material from 
any computer.

On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher
wrote:
> Hey guys,
> 
> We can perform this LDAP query against Windows Server 2012 no
> problem, but
> against samba it's failing:
> 
> (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_u
> sers,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com))
> 
> Is that "nested group" tree control
> (memberOf:1.2.840.113556.1.4.1941:)
> supported? If not, is there a better way to design this ldap search
> so it
> supports nested groups?
No, it is not currently supported.  It made it into Samba master, but
was reverted due to a crash bug pointed out on:
https://bugzilla.samba.org/show_bug.cgi?id=10493

We hope to return it for 4.4.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Thanks, that's extremely helpful. I searched but wasn't able to find
that
bug report.... Just to clarify, there are no known workarounds, correct?

*Jonathan S. Fisher*
*VP - Information Technology*
*Spring Venture Group*

On Sat, Dec 12, 2015 at 10:06 PM, Andrew Bartlett <abartlet at samba.org>
wrote:
> On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher wrote:
> > Hey guys,
> >
> > We can perform this LDAP query against Windows Server 2012 no
> > problem, but
> > against samba it's failing:
> >
> >
(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_u
> > sers,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com))
> >
> > Is that "nested group" tree control
> > (memberOf:1.2.840.113556.1.4.1941:)
> > supported? If not, is there a better way to design this ldap search
> > so it
> > supports nested groups?
>
> No, it is not currently supported.  It made it into Samba master, but
> was reverted due to a crash bug pointed out on:
> https://bugzilla.samba.org/show_bug.cgi?id=10493
>
> We hope to return it for 4.4.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>
-- 
Email Confidentiality Notice: The information contained in this 
transmission is confidential, proprietary or privileged and may be subject 
to protection under the law, including the Health Insurance Portability and 
Accountability Act (HIPAA). The message is intended for the sole use of the 
individual or entity to whom it is addressed. If you are not the intended 
recipient, you are notified that any use, distribution or copying of the 
message is strictly prohibited and may subject you to criminal or civil 
penalties. If you received this transmission in error, please contact the 
sender immediately by replying to this email and delete the material from 
any computer.