Hey guys, We can perform this LDAP query against Windows Server 2012 no problem, but against samba it's failing: (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_users,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com)) Is that "nested group" tree control (memberOf:1.2.840.113556.1.4.1941:) supported? If not, is there a better way to design this ldap search so it supports nested groups? -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher wrote:> Hey guys, > > We can perform this LDAP query against Windows Server 2012 no > problem, but > against samba it's failing: > > (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_u > sers,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com)) > > Is that "nested group" tree control > (memberOf:1.2.840.113556.1.4.1941:) > supported? If not, is there a better way to design this ldap search > so it > supports nested groups?No, it is not currently supported. It made it into Samba master, but was reverted due to a crash bug pointed out on: https://bugzilla.samba.org/show_bug.cgi?id=10493 We hope to return it for 4.4. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Thanks, that's extremely helpful. I searched but wasn't able to find that bug report.... Just to clarify, there are no known workarounds, correct? *Jonathan S. Fisher* *VP - Information Technology* *Spring Venture Group* On Sat, Dec 12, 2015 at 10:06 PM, Andrew Bartlett <abartlet at samba.org> wrote:> On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher wrote: > > Hey guys, > > > > We can perform this LDAP query against Windows Server 2012 no > > problem, but > > against samba it's failing: > > > > (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_u > > sers,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com)) > > > > Is that "nested group" tree control > > (memberOf:1.2.840.113556.1.4.1941:) > > supported? If not, is there a better way to design this ldap search > > so it > > supports nested groups? > > No, it is not currently supported. It made it into Samba master, but > was reverted due to a crash bug pointed out on: > https://bugzilla.samba.org/show_bug.cgi?id=10493 > > We hope to return it for 4.4. > > Andrew Bartlett > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authentication Developer, Samba Team http://samba.org > Samba Developer, Catalyst IT > http://catalyst.net.nz/services/samba > > > >-- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
Apparently Analagous Threads
- Nested Group control doesn't work
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
- Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
- After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
- Using Samba AD/DC as an Active Directory OAuth provider for OpenShift