samba - Nov 2023 - LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Op 05-11-2023 om 23:25 schreef Jonathan Hunter via
samba:
> I'm quite confused by this one, as I can't see how this would
happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> now as well)
>
> Here's a search that now returns nothing after my DC upgrades; this
> exact search used to work just fine:
> (&
>      (objectCategory=Person)
>      (sAMAccountName=*)
>     
(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> )
>
> But if I remove the matching rule specifier, it does return a number of
results:
> (&
>      (objectCategory=Person)
>      (sAMAccountName=*)
>      (memberOf=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> )
>
> The data in my AD hasn't changed; I am guessing that
> LDAP_MATCHING_RULE_IN_CHAIN is still supported in 4.18 and most likely
> something didn't quite go perfectly to plan during the upgrade of my
> DCs.
>
> Looking at a sample user object, I can see the group listed in the
> user's memberOf attribute (i.e. the user is a direct member of the
> group) - so I'm not sure why a search using
> LDAP_MATCHING_RULE_IN_CHAIN simply returns no results now.
I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did 
not experience any issues with nested group lookups, which many of the 
filters rely on.

To query a user's nested groups I use this little script (on the DCs):

#!/bin/bash

if [[ $# -lt 1 ]]; then
 ??? echo "Usage: $0 <ldap_object>"
 ??? echo "??? ldap_object?? name of a computer, user or group"
 ??? exit 1
fi
OBJECT=$1

BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"
# Use UID instead of sAMAccountName because it does not have the $ 
ending for computer accounts
OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b
"${BASE_DN}"
"(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
 ??? grep 'dn:' | cut -d ' ' -f 2-)"

#echo "Object DN: ${OBJECT_DN}"
#echo "Nested group memberships:"
ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=${OBJECT_DN}))"
cn 2> /dev/null |
 ??? grep 'cn:' | cut -d ' ' -f 2- | sort

And the reverse to get all users in a nested group:

#!/bin/bash

if [[ $# -lt 1 ]]; then
 ??? echo "Usage: $0 <ldap_object>"
 ??? echo "??? ldap_object?? name of group"
 ??? exit 1
fi
OBJECT=$1
BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"
# Use UID instead of sAMAccountName because it does not have the $ 
ending for computer accounts
OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b
"${BASE_DN}"
"(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
 ??? grep 'dn:' | cut -d ' ' -f 2-)"

#echo "Object DN: ${OBJECT_DN}"
#echo "Nested group memberships:"
ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
"(&(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=${OBJECT_DN}))"
2> /dev/null |
 ??? grep 'cn:' | cut -d ' ' -f 2- | sort

And although the script uses ldbsearch locally on the DC, many 
applications use similar queries over the wire.

If it does not show the desired output for you, it may be worth looking 
at configuration differences, because I had and have no issues 
whatsoever with this functionality.

- Kees.
>
> Are there any indexes or internal values I could check, to see if I
> can debug this any further? A 'samba-tool dbcheck --cross-ncs'
didn't
> reveal anything, but I'm not sure of the best way to investigate this
> one further.
>
> Thanks for any pointers,
>
> Cheers
>
> Jonathan
>

Thank you Kees.

On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
<samba at lists.samba.org> wrote:
> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
> not experience any issues with nested group lookups, which many of the
> filters rely on.
Interestingly, I've now found that (on my current DCs, running
4.18.5), ldbsearch *does* seem to return the expected result, but the
same query via ldapsearch does not.

dc2$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb
"(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OUsomeou,DC=mydomain,DC=org))"
samAccountName
# Record 1
[...]
# record 39
dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
sAMAccountName: auser

# Referral
[...]
# returned 42 records
# 39 entries
# 3 referrals


whereas no results are returned for the same query run via ldapsearch,
even running the search as the domain administrator.

dc2$ ldapsearch -H ldaps://dc2.mydomain.org -x -W -D
Administrator at mydomain -b "dc=mydomain,dc=org"
"(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"
samAccountName
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=org> with scope subtree
# filter:
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
# requesting: samAccountName
#

# search reference
[...]

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3
> And although the script uses ldbsearch locally on the DC, many
> applications use similar queries over the wire.
>
> If it does not show the desired output for you, it may be worth looking
> at configuration differences, because I had and have no issues
> whatsoever with this functionality.
Thanks, it's good to know that it does work for others, at least.
There is undoubtedly something about my configuration that is
different from others; I don't know if it's having members of groups
from different OUs across the domain, or perhaps permissions that have
been set over the years delegating ownership of different OUs, etc..
but it's interesting that I am seeing different behaviour between
ldbsearch and ldapsearch now.

(Andrew - I'm wondering if I can script startup of samba in docker
containers after restoring from a domain backup, that I could call
from git bisect. Do you know if anyone has scripts to do that sort of
thing already? It's not impossible for me to create, of course, but
it's always better to use an existing working script if there is one.
So far, my git bisect calls a script that compiles each samba version
and runs ldbsearch, checking for number of results returned; but based
on the above findings that's always going to succeed, so I think I
will need to switch to ldapsearch instead)

Cheers

Jonathan