Rowland penny
2021-Mar-23 09:02 UTC
[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
> We're migrating a customer's network to Samba AD using Zentyal and
> we're reconfiguring several services to use AD for authentication.
>
> We've created a dedicated, unprivileged user for each service to bind
> to AD, but we're having some problems with grouping. We'd like to use
> filters like this to limit access:
> memberOf=CN=VPN Users,CN=Groups,DC=domain
>
> ...but it appears that non-admin users can't access the memberOf
> attribute, which I understand is not a "real" attribute but is being
> synthesized on-the-fly from group memberships.
>
> A LDAP query like this won't return memberOf (without erroring out) if
> the user is not a Domain Admin:
> ldapsearch -h dc1.domain -D user@domain -W \
>     -b 'cn=Users,dc=domain' \
>     sAMAccountName memberOf
>
> I tried this against a Windows DC and it works as expected (Win 2016
> if it matters, but I'm pretty sure I had it working on other versions).
>
> Is this expected?
>
> Is there a way to set ACLs or other permissions on the LDAP
> attributes? I tried all the searches I could think of on this subject,
> but couldn't find anything.
>
> Should I try with a fresh and clean Samba installation instead of
> Zentyal? Would official Debian "buster" Samba packages be any good?
>
> Sorry for many questions and fragmentary data, but this isn't
> something I do often and I wasn't expecting this particular problem.
> Any additional info you need to help me, just ask.

this works for me against a Samba DC:

ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W -b 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf

Though it doesn't work against my other DC, it needs stronger authentication.

Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is actually a linked attribute, it is linked with 'member'.

Rowland
Flavio Stanchina
2021-Mar-23 15:03 UTC
[Samba] Samba LDAP: memberOf attribute not readable by non-admin users?
On 23/03/21 10:02, Rowland penny via samba wrote:
> On 22/03/2021 23:29, Flavio Stanchina via samba wrote:
>> We're migrating a customer's network to Samba AD using Zentyal [...]
>> ...but it appears that non-admin users can't access the memberOf
>> attribute, which I understand is not a "real" attribute but is being
>> synthesized on-the-fly from group memberships.
>
> this works for me against a Samba DC:
>
> ldapsearch -x -h dc4.samdom.example.com -D rowland@SAMDOM.EXAMPLE.COM -W -b
> 'cn=Users,dc=samdom,dc=example,dc=com' sAMAccountName memberOf
>
> Though it doesn't work against my other DC, it needs stronger authentication.

Which is exactly my point. Are you sure "rowland" is not a Domain Admin on the first DC you tried? Or has some other privilege I'm not aware of, for that matter.

I thought I understood that any user should be able to read all attributes.

> Also 'memberOf' is an actual attribute, it isn't 'synthesised', it is
> actually a linked attribute, it is linked with 'member'.

Good to know. Yet, it doesn't work here :)

-- 
Ciao, Flavio

Those who do not understand Unix are condemned to reinvent it, poorly.
    -- Henry Spencer
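Rowland's point that memberOf is the back-link of the group's member attribute gives a way to tell "the bind account cannot read memberOf" apart from "the user is not in the group". The script below is an added example, not code from the thread or from Samba: it parses the LDIF that ldapsearch -LLL prints for two queries (users with sAMAccountName and memberOf, groups with member) and lists users the groups claim but whose memberOf the bind account did not get back. Sample LDIF, the samdom.example.com names and the users alice and bob are constructed.

```python
from collections import defaultdict
# Constructed sample ldapsearch -LLL output (not real directory data).
USERS_LDIF = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
memberOf: CN=VPN Users,CN=Groups,DC=samdom,DC=example,DC=com

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: bob
"""
GROUPS_LDIF = """\
dn: CN=VPN Users,CN=Groups,DC=samdom,DC=example,DC=com
member: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
member: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple ldapsearch -LLL dump."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current, dn = {}, defaultdict(list), None
    for line in unfolded + ['']:               # trailing '' flushes last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(current)
            current, dn = defaultdict(list), None
            continue
        attr, _, value = line.partition(':')
        if attr.lower() == 'dn':
            dn = value.strip()
        else:
            current[attr].append(value.strip())
    return entries

def missing_back_links(users, groups):
    """Users whose memberOf lacks a group whose member attribute lists them."""
    expected = defaultdict(set)                # forward link member -> memberOf
    for gdn, attrs in groups.items():
        for udn in attrs.get('member', []):
            expected[udn].add(gdn)
    gaps = {}
    for udn, attrs in users.items():
        gap = expected.get(udn, set()) - set(attrs.get('memberOf', []))
        if gap:
            gaps[attrs['sAMAccountName'][0]] = sorted(gap)
    return gaps
```

Run with real output by replacing the two constants with the text of the two searches made under the service's bind account; any user it reports is one whose memberOf that account could not read, while the group's member attribute still answers the question the VPN filter was asking.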