Kees van Vloten
2023-Nov-06 09:36 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 05-11-2023 at 23:25, Jonathan Hunter via samba wrote:
> I'm quite confused by this one, as I can't see how this would happen..
> but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't
> seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka
> LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump..
> Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out
> now as well)
>
> Here's a search that now returns nothing after my DC upgrades; this
> exact search used to work just fine:
>
>     (&
>       (objectCategory=Person)
>       (sAMAccountName=*)
>       (memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
>     )
>
> But if I remove the matching rule specifier, it does return a number of results:
>
>     (&
>       (objectCategory=Person)
>       (sAMAccountName=*)
>       (memberOf=CN=somegroup,OU=someou,DC=mydomain,DC=org)
>     )
>
> The data in my AD hasn't changed; I am guessing that
> LDAP_MATCHING_RULE_IN_CHAIN is still supported in 4.18 and most likely
> something didn't quite go perfectly to plan during the upgrade of my
> DCs.
>
> Looking at a sample user object, I can see the group listed in the
> user's memberOf attribute (i.e. the user is a direct member of the
> group) - so I'm not sure why a search using
> LDAP_MATCHING_RULE_IN_CHAIN simply returns no results now.

I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did not experience any issues with nested group lookups, which many of the filters rely on.

To query a user's nested groups I use this little script (on the DCs):

    #!/bin/bash

    if [[ $# -lt 1 ]]; then
        echo "Usage: $0 <ldap_object>"
        echo "    ldap_object   name of a computer, user or group"
        exit 1
    fi

    OBJECT=$1
    # Derive the domain base DN from the host's DNS domain, e.g. DC=mydomain,DC=org
    BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"

    # Use UID instead of sAMAccountName because it does not have the $ ending for computer accounts
    OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" "(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
        grep 'dn:' | cut -d ' ' -f 2-)"

    #echo "Object DN: ${OBJECT_DN}"
    #echo "Nested group memberships:"
    # Groups whose member attribute reaches the object through any chain of nested groups
    ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
        "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=${OBJECT_DN}))" cn 2> /dev/null |
        grep 'cn:' | cut -d ' ' -f 2- | sort

And the reverse to get all users in a nested group:

    #!/bin/bash

    if [[ $# -lt 1 ]]; then
        echo "Usage: $0 <ldap_object>"
        echo "    ldap_object   name of group"
        exit 1
    fi

    OBJECT=$1
    # Derive the domain base DN from the host's DNS domain, e.g. DC=mydomain,DC=org
    BASE_DN="DC=$(dnsdomainname | sed 's/\./,DC=/g')"

    # Use UID instead of sAMAccountName because it does not have the $ ending for computer accounts
    OBJECT_DN="$(ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" "(|(CN=${OBJECT})(UID=${OBJECT}))" 2> /dev/null |
        grep 'dn:' | cut -d ' ' -f 2-)"

    #echo "Object DN: ${OBJECT_DN}"
    #echo "Nested group memberships:"
    # Persons whose memberOf attribute reaches the group through any chain of nested groups
    ldbsearch -H /var/lib/samba/private/sam.ldb -b "${BASE_DN}" \
        "(&(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=${OBJECT_DN}))" 2> /dev/null |
        grep 'cn:' | cut -d ' ' -f 2- | sort

And although the script uses ldbsearch locally on the DC, many applications use similar queries over the wire.

If it does not show the desired output for you, it may be worth looking at configuration differences, because I had and have no issues whatsoever with this functionality.

- Kees.

> Are there any indexes or internal values I could check, to see if I
> can debug this any further? A 'samba-tool dbcheck --cross-ncs' didn't
> reveal anything, but I'm not sure of the best way to investigate this
> one further.
>
> Thanks for any pointers,
>
> Cheers
>
> Jonathan
>
Jonathan Hunter
2023-Nov-06 13:58 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Kees.

On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba <samba at lists.samba.org> wrote:
> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
> not experience any issues with nested group lookups, which many of the
> filters rely on.

Interestingly, I've now found that (on my current DCs, running 4.18.5), ldbsearch *does* seem to return the expected result, but the same query via ldapsearch does not.

    dc2$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OUsomeou,DC=mydomain,DC=org))" samAccountName
    # Record 1
    [...]
    # record 39
    dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
    sAMAccountName: auser

    # Referral
    [...]

    # returned 42 records
    # 39 entries
    # 3 referrals

whereas no results are returned for the same query run via ldapsearch, even running the search as the domain administrator.

    dc2$ ldapsearch -H ldaps://dc2.mydomain.org -x -W -D Administrator at mydomain -b "dc=mydomain,dc=org" "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))" samAccountName
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=mydomain,dc=org> with scope subtree
    # filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
    # requesting: samAccountName
    #

    # search reference
    [...]

    # search result
    search: 2
    result: 0 Success

    # numResponses: 4
    # numReferences: 3

> And although the script uses ldbsearch locally on the DC, many
> applications use similar queries over the wire.
>
> If it does not show the desired output for you, it may be worth looking
> at configuration differences, because I had and have no issues
> whatsoever with this functionality.

Thanks, it's good to know that it does work for others, at least.

There is undoubtedly something about my configuration that is different from others; I don't know if it's having members of groups from different OUs across the domain, or perhaps permissions that have been set over the years delegating ownership of different OUs, etc.. but it's interesting that I am seeing different behaviour between ldbsearch and ldapsearch now.

(Andrew - I'm wondering if I can script startup of samba in docker containers after restoring from a domain backup, that I could call from git bisect. Do you know if anyone has scripts to do that sort of thing already? It's not impossible for me to create, of course, but it's always better to use an existing working script if there is one. So far, my git bisect calls a script that compiles each samba version and runs ldbsearch, checking for number of results returned; but based on the above findings that's always going to succeed, so I think I will need to switch to ldapsearch instead)

Cheers

Jonathan
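The two messages above compare the plain (memberOf=...) search, which only sees direct membership, with the :1.2.840.113556.1.4.1941: (LDAP_MATCHING_RULE_IN_CHAIN) search, which follows nested groups, and the second message wants a reliable result count to drive a bisect. The following Python script is an added example, not code from the Samba project or from either poster: it models what the chain matching rule computes over a small constructed directory (the DNs, groups, users and the sample ldbsearch-style output are all hypothetical, modelled on the thread's placeholder names), shows the direct and nested result sets side by side, terminates on a group membership cycle, and counts result entries by their dn: lines so referrals are not mistaken for hits.

```python
"""Offline model of what a search with the LDAP_MATCHING_RULE_IN_CHAIN
matching rule (OID 1.2.840.113556.1.4.1941) computes, compared with the
plain (memberOf=...) search from the thread.

Added example for this thread, not code from the Samba project or from
either poster.  The directory below is constructed sample data modelled on
the DNs used in the thread; attribute names are lower-cased because LDAP
attribute names are case-insensitive, and objectCategory is kept as a
short name ('Person', 'Computer', 'Group') rather than a schema DN."""

from collections import deque

CHAIN_OID = "1.2.840.113556.1.4.1941"

# Constructed DNs (hypothetical, modelled on the thread's placeholders).
SOMEGROUP = "CN=somegroup,OU=someou,DC=mydomain,DC=org"
SUBGROUP = "CN=subgroup,OU=otherou,DC=mydomain,DC=org"
A_USER = "CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org"
B_USER = "CN=B User,OU=Users,OU=otherou,DC=mydomain,DC=org"
PC1 = "CN=PC1,OU=Computers,OU=otherou,DC=mydomain,DC=org"

# Constructed directory: DN -> attributes.  memberOf is the back-link of
# member, as AD maintains it.  somegroup and subgroup contain each other,
# so a naive recursive walk would never terminate.
DIRECTORY = {
    SOMEGROUP: {"objectclass": ["group"], "objectcategory": ["Group"],
                "member": [A_USER, SUBGROUP], "memberof": [SUBGROUP]},
    SUBGROUP: {"objectclass": ["group"], "objectcategory": ["Group"],
               "member": [B_USER, PC1, SOMEGROUP], "memberof": [SOMEGROUP]},
    A_USER: {"objectclass": ["user"], "objectcategory": ["Person"],
             "samaccountname": ["auser"], "memberof": [SOMEGROUP]},
    B_USER: {"objectclass": ["user"], "objectcategory": ["Person"],
             "samaccountname": ["buser"], "memberof": [SUBGROUP]},
    PC1: {"objectclass": ["computer"], "objectcategory": ["Computer"],
          "samaccountname": ["PC1$"], "memberof": [SUBGROUP]},
}


def chain_filter(attr, dn):
    """Filter term in the form the thread uses, e.g.
    (memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,...)."""
    return f"({attr}:{CHAIN_OID}:={dn})"


def direct_matches(attr, dn, directory=DIRECTORY):
    """Entries whose <attr> contains <dn> literally: the plain (attr=dn)
    search, which only sees direct membership."""
    return {e for e, attrs in directory.items() if dn in attrs.get(attr, [])}


def chain_matches(attr, dn, directory=DIRECTORY):
    """Entries that reach <dn> through a chain of <attr> values: the
    (attr:1.2.840.113556.1.4.1941:=dn) search.  Breadth-first with a
    visited set, so the group cycle in the sample data terminates."""
    matched, queue = set(), deque([dn])
    while queue:
        target = queue.popleft()
        for entry in direct_matches(attr, target, directory) - matched:
            matched.add(entry)
            queue.append(entry)
    return matched


def users_of_group(group_dn, nested=True, directory=DIRECTORY):
    """The thread's filter
    (&(objectCategory=Person)(sAMAccountName=*)(memberOf...=group_dn)),
    with or without the chain matching rule.  Returns sAMAccountNames."""
    lookup = chain_matches if nested else direct_matches
    return sorted(
        directory[e]["samaccountname"][0]
        for e in lookup("memberof", group_dn, directory)
        if "Person" in directory[e].get("objectcategory", [])
        and directory[e].get("samaccountname")
    )


def groups_of_object(obj_dn, directory=DIRECTORY):
    """The reverse direction, as in the first script in the thread:
    (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=obj_dn))."""
    return sorted(
        e for e in chain_matches("member", obj_dn, directory)
        if "group" in directory[e].get("objectclass", [])
    )


def count_entries(ldif_text):
    """Number of entries in ldbsearch/ldapsearch output, counted by 'dn:'
    lines so that referrals are not included.  Suitable as the pass/fail
    signal for the kind of bisect script the thread mentions."""
    return sum(1 for line in ldif_text.splitlines() if line.startswith("dn:"))


# Constructed sample output in the shape ldbsearch prints; not a real capture.
SAMPLE_OUTPUT = """\
# record 1
dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
sAMAccountName: auser

# record 2
dn: CN=B User,OU=Users,OU=otherou,DC=mydomain,DC=org
sAMAccountName: buser

# Referral
ref: ldap://mydomain.org/DC=DomainDnsZones,DC=mydomain,DC=org

# returned 3 records
# 2 entries
# 1 referrals
"""

if __name__ == "__main__":
    print(chain_filter("memberOf", SOMEGROUP))
    print("direct members:", users_of_group(SOMEGROUP, nested=False))
    print("nested members:", users_of_group(SOMEGROUP, nested=True))
    print("groups of B User:", groups_of_object(B_USER))
    print("entries in sample output:", count_entries(SAMPLE_OUTPUT))
```

Against the sample directory the direct search returns only auser, while the chained search also returns buser (a member via subgroup) and excludes PC1 because objectCategory=Person filters the computer out. A bisect or monitoring check that compares the two is the useful one: when direct and chained searches for the same group return the same set, or the chained search returns fewer hits than the direct one, the matching rule is not being applied on the server side that answered the query.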