samba - Nov 2023 - LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com>
wrote:
>
>
> Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
> > Interestingly, I've now found that (on my current DCs, running
> > 4.18.5), ldbsearch *does* seem to return the expected result, but the
> > same query via ldapsearch does not.
>
> What if you try to use starttls instead of ldaps?
>
> ldapseach -H ldap://dc2.mydomain.org-ZZ -x -W -D Administrator at mydomain
> -b "dc=mydomain,dc=org"
>
"(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"
Good thinking. Unfortunately, identical results with ldap:// and -ZZ,
the search still doesn't return any results :(

I'll figure out a way to script restoration of the domain into
different samba versions via docker, and use git bisect to track down
when things changed.

Thanks

Jonathan

Op 06-11-2023 om 15:40 schreef Jonathan Hunter:
> On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at
gmail.com> wrote:
>>
>> Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
>>> Interestingly, I've now found that (on my current DCs, running
>>> 4.18.5), ldbsearch *does* seem to return the expected result, but
the
>>> same query via ldapsearch does not.
>> What if you try to use starttls instead of ldaps?
>>
>> ldapseach -H ldap://dc2.mydomain.org-ZZ -x -W -D Administrator at
mydomain
>> -b "dc=mydomain,dc=org"
>>
"(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"
> Good thinking. Unfortunately, identical results with ldap:// and -ZZ,
> the search still doesn't return any results :(
>
> I'll figure out a way to script restoration of the domain into
> different samba versions via docker, and use git bisect to track down
> when things changed.
I don't know if a Samba DC can be installed in Docker.

I am running it in Lxc (privileged container) and that works fine.

- Kees.
> Thanks
>
> Jonathan

Op 06-11-2023 om 15:40 schreef Jonathan Hunter:
> On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at
gmail.com> wrote:
>>
>> Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
>>> Interestingly, I've now found that (on my current DCs, running
>>> 4.18.5), ldbsearch *does* seem to return the expected result, but
the
>>> same query via ldapsearch does not.
>> What if you try to use starttls instead of ldaps?
>>
>> ldapseach -H ldap://dc2.mydomain.org-ZZ -x -W -D Administrator at
mydomain
>> -b "dc=mydomain,dc=org"
>>
"(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"
> Good thinking. Unfortunately, identical results with ldap:// and -ZZ,
> the search still doesn't return any results :(
>
> I'll figure out a way to script restoration of the domain into
> different samba versions via docker, and use git bisect to track down
> when things changed.
Another thought: you could share your smb.conf, perhaps somebody finds 
the culprit, if? that's the issue.
> Thanks
>
> Jonathan