Franta Hanzlík
2025-Sep-18 22:04 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Thu, 18 Sep 2025 08:28:29 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 18 Sep 2025 06:17:39 +0200
> Franta Hanzlík via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 18 Sep 2025 01:34:58 +0200
> > Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> >
> > > [...]
> > > Now I've come across an interesting mystery that I can't explain:
> > > I wanted to use ldbsearch to list user accounts by specifying the
> > > LDAP filter sAMAccountType == SAM_USER_OBJECT (=0x30000000 =
> > > 805306368). And I don't understand the behavior of ldbsearch and I
> > > don't know how to explain and fix it. My attempts and results:
> > >
> > > 1)
> > > # ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(sAMAccountType=805306368)" dn sAMAccountType
> > > # returned 0 records
> > > # 0 entries
> > > # 0 referrals
> > >
> > > Why the hell doesn't it work? And - this is interesting:
> > > [...]
> > > --
> >
> > Did I miss something in the LDAP/LDB filter syntax?
> > This example also returns no data, even though there are a number of
> > records with distinguishedName matching the pattern *,OU=T,DC=zamecek,DC=*
> >
> > ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=ZAMECEK\,DC\=HOME.ldb "(distinguishedName=*OU=T*)" dn distinguishedName
> > # returned 0 records
> > # 0 entries
> > # 0 referrals
>
> It probably isn't working because you are searching in the wrong place.
> Never search in the files in the sam.ldb.d directory and definitely
> never alter any of the files in that directory.
>
> Try your original search like this:
>
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb "(sAMAccountType=805306368)" dn sAMAccountType
>
> Just search and alter the sam.ldb file.
>
> Rowland
> --

Rowland, many thanks for the tip about using samba/private/sam.ldb!

I found some info here: https://lists.samba.org/archive/samba/2015-February/189634.html
(content of sam.ldb vs sam.ldb.d/DC=MYDOMAIN,DC=LAN) which also suggests something, but it's not stated there as strictly as you did.

But: the '(sAMAccountType=805306368)' ldbsearch filter on samba/private/sam.ldb is now working, but the filter for distinguishedName IMO is not:

1) requiring only distinguishedName attribute presence returns 266 records:

# DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*))" dn distinguishedName | tail -n 11
# record 265
dn: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
distinguishedName: CN=johanikova_n,OU=Z,DC=zamecek,DC=home

# record 266
dn: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
distinguishedName: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home

# returned 266 records    <---- 266 records for "any" distinguishedName
# 266 entries
# 0 referrals

2) filter for substring "OU=Z" in distinguishedName returns nothing (although from the previous request these records exist):

# DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*OU=Z*))" dn distinguishedName | tail -n 11
# returned 0 records
# 0 entries
# 0 referrals

Can this be explained somehow?

Also - has ldbsearch any equivalent for the ldapsearch "ldif_wrap" (specifically "ldif_wrap=no") option?

More generally: ldbsearch (other ldb*** utilities also) has -o and --controls switches, but are they documented somewhere?

--
Thanks again, excuse my maybe unimportant questions.
Franta Hanzlík
Rowland Penny
2025-Sep-19 09:08 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Fri, 19 Sep 2025 00:04:52 +0200 Franta Hanzlík via samba <samba at lists.samba.org> wrote:
>
> Rowland, many thanks for the tip about using samba/private/sam.ldb!
> I found some info here:
> https://lists.samba.org/archive/samba/2015-February/189634.html
> (content of sam.ldb vs sam.ldb.d/DC=MYDOMAIN,DC=LAN)
> which also suggests something, but it's not stated there as strictly
> as you did.
>
> But: the '(sAMAccountType=805306368)' ldbsearch filter on
> samba/private/sam.ldb is now working, but the filter for
> distinguishedName IMO is not:
>
> 1) requiring only distinguishedName attribute presence returns 266
> records:
> # DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*))" dn distinguishedName | tail -n 11
> # record 265
> dn: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
> distinguishedName: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
>
> # record 266
> dn: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
> distinguishedName: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
>
> # returned 266 records    <---- 266 records for "any" distinguishedName
> # 266 entries
> # 0 referrals
>
> 2) filter for substring "OU=Z" in distinguishedName returns nothing
> (although from the previous request these records exist):
> # DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*OU=Z*))" dn distinguishedName | tail -n 11
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> Can this be explained somehow?

Oh yes, in AD the 'distinguishedName' attribute is what is known as a constructed attribute, that is, it doesn't actually exist; it is 'constructed' from other data. If you really must use it in a search filter, you must supply the entire path, e.g.

distinguishedName=CN=Some User,OU=SomeOU,DC=samdom,DC=example,DC=com

Also, seeing as the 'dn' is always the same as the 'distinguishedName' and will always be returned, there is no point in asking for it in the list of required attributes, unless you just want the dn and nothing else.

> Also - has ldbsearch any equivalent for the ldapsearch "ldif_wrap"
> (specifically "ldif_wrap=no") option?

You can use '--show-binary' for that.

> More generally: ldbsearch (other ldb*** utilities also) has -o
> and --controls switches, but are they documented somewhere?

I have never used the '-o' option and the '--controls' switch is another option I do not use often, so I am unaware of any other Samba documentation other than:

https://wiki.samba.org/index.php/LDB

Though a lot of the Microsoft documentation is relevant.

I should also point out that you may find the '--cross-ncs' switch useful; it allows access to the different 'NCs', e.g. the schema etc.

You can search from domain-joined machines using the machine's Kerberos ticket (sort of like anonymous access) by using the '-P' switch.

There are also some attributes that are hidden and must be explicitly asked for, e.g. unicodePwd

Rowland
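To show what the filter in the thread actually tests, and why the "under OU=Z" condition has to be checked on the returned dn rather than with a distinguishedName substring, here is an added Python example (not from the thread or from Samba) that evaluates the same conditions over a constructed ldbsearch-style LDIF sample. The functions select_users, under_ou and parse_ldif and the sample records are assumptions of this example.

```python
import re
# Values from the thread: SAM_USER_OBJECT and the userAccountControl bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) rule.
SAM_USER_OBJECT = 0x30000000      # 805306368
DONT_EXPIRE_PASSWORD = 0x10000    # 65536

# Constructed sample shaped like `ldbsearch ... dn sAMAccountType userAccountControl` output (not real data).
SAMPLE_LDIF = """\
# record 1
dn: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368
userAccountControl: 512

# record 2
dn: CN=svc_backup,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306368
userAccountControl: 66048

# record 3
dn: CN=PC01,OU=Z,DC=zamecek,DC=home
sAMAccountType: 805306369
userAccountControl: 4096
"""

def parse_ldif(text):
    """ldbsearch LDIF output -> list of {attr: value}; '#' lines are comments."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if lines:
            records.append(dict(l.partition(": ")[::2] for l in lines))
    return records

def under_ou(dn, ou):
    """True when OU=<ou> is a parent RDN of dn (split on unescaped commas only).
    (distinguishedName=*OU=Z*) cannot express this: the attribute is constructed
    and only whole-DN equality matches, so test the returned dn instead."""
    rdns = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    return f"ou={ou.lower()}" in rdns[1:]

def matches(rec, ou):
    """Local equivalent of (&(sAMAccountType=805306368)
    (!(userAccountControl:1.2.840.113556.1.4.803:=65536))) plus the parent-OU test."""
    sat = int(rec.get("sAMAccountType", "0"))
    uac = int(rec.get("userAccountControl", "0"))
    return sat == SAM_USER_OBJECT and not (uac & DONT_EXPIRE_PASSWORD) and under_ou(rec["dn"], ou)

def select_users(text, ou):
    """DNs of normal user accounts with expiring passwords under OU=<ou>."""
    return [r["dn"] for r in parse_ldif(text) if matches(r, ou)]
```

On a live DC the same scoping is done server-side by giving ldbsearch a search base such as `-b OU=Z,DC=zamecek,DC=home` instead of a distinguishedName substring filter.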