Franta Hanzlík
2025-Sep-17 23:34 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
First of all, I would like to thank everyone who at the turn of June/July provided valuable advice for upgrading from Samba-4.9/Fedora to Samba-4.22/Debian - especially to Luis Peromart and Rowland Penny. The upgrade was successful, I'm trying to get used to Debian and so far it's working (but I have to admit that Fedora as a distribution still seems "cleaner" and "more refined" in terms of the packaging system and its own packages ;)

Now I've come across an interesting mystery that I can't explain:
I wanted to use ldbsearch to list user accounts by specifying the LDAP filter sAMAccountType == SAM_USER_OBJECT (=0x30000000 = 805306368). And I don't understand the behavior of ldbsearch and I don't know how to explain and fix it. My attempts and results:

1)
# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=805306368)" dn sAMAccountType
# returned 0 records
# 0 entries
# 0 referrals

Why the hell doesn't it work? And - this is interesting:

2)
# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=*)" dn sAMAccountType|tail
dn: CN=sadilkova_k,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# record 483
dn: CN=stuzhuk_a,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# returned 483 records   <-- 483 records with sAMAccountType attrib
# 483 entries                and evidently some sAMAccountType = 805306368
# 0 referrals

3)
# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=*805306368)" dn sAMAccountType|tail
dn: CN=sadilkova_k,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# record 276
dn: CN=stuzhuk_a,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# returned 276 records   <-- 276 records where sAMAccountType has
# 276 entries                805306368 as substring (??)
# 0 referrals

4)
# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType<=805306368)" dn sAMAccountType|tail
dn: CN=sadilkova_k,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# record 359
dn: CN=stuzhuk_a,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# returned 359 records   <-- sAMAccountType behaves as a number
# 359 entries
# 0 referrals

5)
ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType>=805306368)" dn sAMAccountType|tail
dn: CN=sadilkova_k,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# record 400
dn: CN=stuzhuk_a,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# returned 400 records   <-- sAMAccountType behaves as a number
# 400 entries
# 0 referrals

6)
# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(&(sAMAccountType<=805306368)(sAMAccountType>=805306368))" dn sAMAccountType|tail
dn: CN=sadilkova_k,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# record 276
dn: CN=stuzhuk_a,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368

# returned 276 records   <-- sAMAccountType behaves as a number
# 276 entries
# 0 referrals

It seems that both "(&(sAMAccountType<=805306368)(sAMAccountType>=805306368))" and "(sAMAccountType=*805306368)" give the result which I want, but why does the first filter "(sAMAccountType=805306368)" return nothing?

--
TIA, Franta Hanzlik
Franta Hanzlík
2025-Sep-18 04:17 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Thu, 18 Sep 2025 01:34:58 +0200 Franta Hanzlík via samba <samba at lists.samba.org> wrote:

> [...]
> Now I've come across an interesting mystery that I can't explain:
> I wanted to use ldbsearch to list user accounts by specifying the LDAP
> filter sAMAccountType == SAM_USER_OBJECT (=0x30000000 = 805306368).
> And I don't understand the behavior of ldbsearch and I don't know how
> to explain and fix it. My attempts and results:
>
> 1)
> # ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=805306368)" dn sAMAccountType
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> Why the hell doesn't it work? And - this is interesting:
> [...]
> --

Did I miss something in the LDAP/LDB filter syntax? This example also returns no data, even though there are a number of records with distinguishedName matching pattern *,OU=T,DC=zamecek,DC=*

ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(distinguishedName=*OU=T*)" dn distinguishedName
# returned 0 records
# 0 entries
# 0 referrals

--
Thanks, Franta Hanzlik