samba - Feb 2023 - Group members via LDAP

On 08/02/2023 18:36, Troels Arvin via samba wrote:
> Hello,
> 
> Rowland Penny wrote:
>> I don't use ldapsearch much (I use ldbsearch etc, easier to use
with
>> kerberos),
> 
> Actually, I'm not going to retrieve the data from ldapsearch, but in a 
> Rust or Python program, and I'm going to be searching from a different 
> server than the Samba server. I suppose that means I cannot make use of 
> ldbsearch, right?
Depends, if you can install it, you should be able to use it (as long as 
all the required dependencies are also installed)
> 
> Anyway, when searching with ldbsearch, it also leaves out a group 
> member, if the member has the group as the primary group.
If by 'primary group' you mean the users primaryGroupID attribute has 
been changed from '513', then this is to be expected. Every user is 
usually a member of Domain Users, but that group doesn't have any 
'member' attributes. (and the users do not have a memberof attribute).
> 
> 
> 
>> but don't you have to use a searchbase ?
>>
>> i.e, -b 'dc=mydom,dc=org'
> 
> The base DN is left out of the query, because I've defined it in 
> /etc/openldap/ldap.conf
> 
> [...]
> BASE DC=mydom,DC=org
> [...]
> 
Ah, never thought of that.

Trouble is, this works for myself on a DC:

SAMDOM\rowland at rpidc1:~ $ ldapsearch samaccountname='testgroup'
member
SASL/GSS-SPNEGO authentication started
SASL username: rowland at SAMDOM.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=samdom,dc=example,dc=com> (default) with scope subtree
# filter: samaccountname=testgroup
# requesting: member
#

# testgroup, Users, samdom.example.com
dn: CN=testgroup,CN=Users,DC=samdom,DC=example,DC=com
member: CN=rowland,CN=Users,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# search reference
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# search result
search: 3
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

So I think we need more info:

What OS ?
What Samba version ?
The output of 'samba-tool testparm'

Rowland

Hello,

Rowland Penny wrote:
>> Anyway, when searching with ldbsearch, it also leaves out a group 
>> member, if the member has the group as the primary group.
> 
> If by 'primary group' you mean the users primaryGroupID attribute
has
> been changed from '513', then this is to be expected. Every user is
> usually a member of Domain Users, but that group doesn't have any 
> 'member' attributes. (and the users do not have a memberof
attribute).
The users indeed don't have 513 as primaryGroupID.

Maybe I need to iterate over all users and collect a set of 
primaryGroupID values and then somehow look those up as groups; however, 
there doesn't seem to be a group attribute mathing values I see for 
primaryGroupID.


> What OS ?
> What Samba version ?
> The output of 'samba-tool testparm'
The Samba server runs Fedora Linux 37, Samba version 4.17.5.

The LDAP client is also Fedora 37, Samba client version also 4.17.5; 
this host is joined to the Samba AD domain using "realm join ...".


Output from "samba-tool testparm" on the server:
===========================================================me at dc1 ~]$
samba-tool testparm
INFO 2023-02-08 21:08:55,860 pid:904 
/usr/lib64/python3.11/site-packages/samba/netcmd/testparm.py #96: Loaded 
smb config files from /etc/samba/smb.conf
INFO 2023-02-08 21:08:55,860 pid:904 
/usr/lib64/python3.11/site-packages/samba/netcmd/testparm.py #97: Loaded 
services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
   disable netbios = Yes
   dns forwarder = 1.1.1.1 2.2.2.2 1111:2222:0:1::3 3333:4444:0:1::5
   netbios name = DC1
   realm = MYDOM.ORG
   server role = active directory domain controller
   workgroup = MYDOM
===========================================================
Interestingly, "getent group mygroup" gives me the output I had 
expected, i.e. it returns me a list of all members, including users who 
have mygroup as primary group. I have, however, not yet managed to find 
which code does which LDAP lookup(s) to find the information.

-- 
Troels