Kees van Vloten
2023-Nov-06 14:32 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> Thank you Kees.
>
> On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
> <samba at lists.samba.org> wrote:
>> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did
>> not experience any issues with nested group lookups, which many of the
>> filters rely on.
> Interestingly, I've now found that (on my current DCs, running
> 4.18.5), ldbsearch *does* seem to return the expected result, but the
> same query via ldapsearch does not.
>
> dc2$ sudo ldbsearch -H /usr/local/samba/private/sam.ldb
> "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))" samAccountName
> # Record 1
> [...]
> # record 39
> dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
> sAMAccountName: auser
>
> # Referral
> [...]
> # returned 42 records
> # 39 entries
> # 3 referrals
>
>
> whereas no results are returned for the same query run via ldapsearch,
> even running the search as the domain administrator.
>
> dc2$ ldapsearch -H ldaps://dc2.mydomain.org -x -W -D
> Administrator at mydomain -b "dc=mydomain,dc=org"
> "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"
> samAccountName
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=mydomain,dc=org> with scope subtree
> # filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org)
> # requesting: samAccountName
> #
>
> # search reference
> [...]
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numReferences: 3

What if you try to use starttls instead of ldaps?

ldapsearch -H ldap://dc2.mydomain.org -ZZ -x -W -D Administrator at mydomain -b "dc=mydomain,dc=org" "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"

>> And although the script uses ldbsearch locally on the DC, many
>> applications use similar queries over the wire.
>>
>> If it does not show the desired output for you, it may be worth looking
>> at configuration differences, because I had and have no issues
>> whatsoever with this functionality.
> Thanks, it's good to know that it does work for others, at least.
> There is undoubtedly something about my configuration that is
> different from others; I don't know if it's having members of groups
> from different OUs across the domain, or perhaps permissions that have
> been set over the years delegating ownership of different OUs, etc.,
> but it's interesting that I am seeing different behaviour between
> ldbsearch and ldapsearch now.
>
> (Andrew - I'm wondering if I can script startup of samba in docker
> containers after restoring from a domain backup, that I could call
> from git bisect. Do you know if anyone has scripts to do that sort of
> thing already? It's not impossible for me to create, of course, but
> it's always better to use an existing working script if there is one.
> So far, my git bisect calls a script that compiles each samba version
> and runs ldbsearch, checking for number of results returned; but based
> on the above findings that's always going to succeed, so I think I
> will need to switch to ldapsearch instead)
>
> Cheers
>
> Jonathan
Jonathan Hunter
2023-Nov-06 14:40 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote:
>
> On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> > Interestingly, I've now found that (on my current DCs, running
> > 4.18.5), ldbsearch *does* seem to return the expected result, but the
> > same query via ldapsearch does not.
>
> What if you try to use starttls instead of ldaps?
>
> ldapsearch -H ldap://dc2.mydomain.org -ZZ -x -W -D Administrator at mydomain
> -b "dc=mydomain,dc=org"
> "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"

Good thinking. Unfortunately, identical results with ldap:// and -ZZ, the search still doesn't return any results :(

I'll figure out a way to script restoration of the domain into different samba versions via docker, and use git bisect to track down when things changed.

Thanks

Jonathan
Andrew Bartlett
2023-Nov-06 19:30 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Mon, 2023-11-06 at 15:32 +0100, Kees van Vloten via samba wrote:
> On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> >
> > Thank you Kees.
> >
> > On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba
> > <samba at lists.samba.org> wrote:
> > > I am currently running at 4.19.2 but I have run 4.18.6 and
> > > 4.18.5. I did
> > > not experience any issues with nested group lookups, which many
> > > of the
> > > filters rely on.
> > Interestingly, I've now found that (on my current DCs, running
> > 4.18.5), ldbsearch *does* seem to return the expected result, but
> > the
> > same query via ldapsearch does not.

Just to narrow this down, can you look into

ldbsearch -H ldap://

vs

ldapsearch -H ldap://

This will eliminate some protocol issues between the codebases.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
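As an added example (not code from the thread or from Samba): a reference computation of the set that the chained filter `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)` should match, derived from a directory dump, so the entry count that ldapsearch or ldbsearch reports can be checked against a known expected value rather than just "non-zero". The LDIF and all names are constructed, the group nesting crosses OUs and contains a cycle (which AD permits), and `objectClass: user` stands in for the `objectCategory=Person` test.

```python
import re
from collections import defaultdict

# Constructed sample: two groups in different OUs that nest each other (a cycle), plus two users.
SAMPLE_LDIF = """\
dn: CN=somegroup,OU=someou,DC=mydomain,DC=org
objectClass: group
member: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
member: CN=nested,OU=otherou,DC=mydomain,DC=org

dn: CN=nested,OU=otherou,DC=mydomain,DC=org
objectClass: group
member: CN=B User,OU=Users,OU=otherou,DC=mydomain,DC=org
member: CN=somegroup,OU=someou,DC=mydomain,DC=org

dn: CN=A User,OU=Users,OU=someou,DC=mydomain,DC=org
objectClass: user
sAMAccountName: auser

dn: CN=B User,OU=Users,OU=otherou,DC=mydomain,DC=org
objectClass: user
sAMAccountName: buser
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn_lower: {attr_lower: [values]}} (no line folding or base64)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for key, _, value in (l.partition(":") for l in block.splitlines() if ":" in l):
            attrs[key.strip().lower()].append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def chain_members(entries, group_dn):
    """DNs matched by (memberOf:1.2.840.113556.1.4.1941:=group_dn): every object
    reachable over member links; the seen-set makes group cycles terminate."""
    seen, todo = set(), [group_dn.lower()]
    while todo:
        for m in entries.get(todo.pop(), {}).get("member", []):
            if m.lower() not in seen:
                seen.add(m.lower())
                todo.append(m.lower())
    return seen

def expected_accounts(entries, group_dn):
    """The thread's full filter applied to the chain set: users (stand-in for
    objectCategory=Person) that have a sAMAccountName, as sorted account names."""
    return sorted(e["samaccountname"][0] for dn in chain_members(entries, group_dn)
                  for e in [entries.get(dn, {})]
                  if e.get("samaccountname") and "user" in map(str.lower, e.get("objectclass", [])))
```

Pointing `parse_ldif` at an LDIF export of the real domain (for example from `ldbsearch` run against `sam.ldb`) gives the count a bisect script can compare with the `numEntries` that `ldapsearch` reports for the same filter.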