Rowland Penny
2025-Sep-19 09:08 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Fri, 19 Sep 2025 00:04:52 +0200 Franta Hanzlík via samba <samba at lists.samba.org> wrote:

> Rowland, many thanks for the advice about using samba/private/sam.ldb!
> I found some info here:
> https://lists.samba.org/archive/samba/2015-February/189634.html
> (content of sam.ldb vs sam.ldb.d/DC=MYDOMAIN,DC=LAN)
> which also suggests something, but it's not stated there as strictly
> as you did.
>
> But: the '(sAMAccountType=805306368)' ldbsearch filter on
> samba/private/sam.ldb is now working, but the filter for
> distinguishedName IMO is not:
>
> 1) requiring only the presence of the distinguishedName attribute returns 266 records:
> # DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*))" dn distinguishedName|tail -n 11
> # record 265
> dn: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
> distinguishedName: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
>
> # record 266
> dn: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
> distinguishedName: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
>
> # returned 266 records    <---- 266 records for "any" distinguishedName
> # 266 entries
> # 0 referrals
>
> 2) a filter for the substring "OU=Z" in distinguishedName returns nothing
> (although from the previous request these records exist):
> # DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*OU=Z*))" dn distinguishedName|tail -n 11
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> Can this be explained somehow?

Oh yes, in AD, the 'distinguishedName' attribute is what is known as a constructed attribute, that is, it doesn't actually exist, it is 'constructed' from other data. If you really must use it in a search filter, you must supply the entire path e.g.

distinguishedName=CN=Some User,OU=SomeOU,DC=samdom,DC=example,DC=com

Also, seeing as the 'dn' is always the same as the 'distinguishedName' and will always be returned, there is no point in asking for it in the list of required attributes, unless you just want the dn and nothing else.

> Also - has ldbsearch any equivalent for the ldapsearch "ldif_wrap"
> (specifically "ldif_wrap=no") option?

You can use '--show-binary' for that.

> More generally: ldbsearch (other ldb*** utilities also) has -o
> and --controls switches, but are they documented somewhere?

I have never used the '-o' option and the '--controls' switch is another option I do not use often, so I am unaware of any other Samba documentation other than:

https://wiki.samba.org/index.php/LDB

Though a lot of the Microsoft documentation is relevant.

I should also point out that you may find the '--cross-ncs' switch useful, it allows access to the different 'NCs' e.g. the schema etc.

You can search from domain joined machines using the machine's kerberos ticket (sort of like anonymous access) by using the '-P' switch.

There are also some attributes that are hidden and must be explicitly asked for e.g. unicodePwd

Rowland
Franta Hanzlík
2025-Sep-20 00:08 UTC
[Samba] sAMAccountType is any special attribute for ldbsearch?
On Fri, 19 Sep 2025 10:08:42 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 19 Sep 2025 00:04:52 +0200
> Franta Hanzlík via samba <samba at lists.samba.org> wrote:
>
> > Rowland, many thanks for the advice about using samba/private/sam.ldb!
> > I found some info here:
> > https://lists.samba.org/archive/samba/2015-February/189634.html
> > (content of sam.ldb vs sam.ldb.d/DC=MYDOMAIN,DC=LAN)
> > which also suggests something, but it's not stated there as strictly
> > as you did.
> >
> > But: the '(sAMAccountType=805306368)' ldbsearch filter on
> > samba/private/sam.ldb is now working, but the filter for
> > distinguishedName IMO is not:
> >
> > 1) requiring only the presence of the distinguishedName attribute returns 266 records:
> > # DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*))" dn distinguishedName|tail -n 11
> > # record 265
> > dn: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
> > distinguishedName: CN=johanikova_n,OU=Z,DC=zamecek,DC=home
> >
> > # record 266
> > dn: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
> > distinguishedName: CN=pavlikova_t,OU=Z,DC=zamecek,DC=home
> >
> > # returned 266 records    <---- 266 records for "any" distinguishedName
> > # 266 entries
> > # 0 referrals
> >
> > 2) a filter for the substring "OU=Z" in distinguishedName returns nothing
> > (although from the previous request these records exist):
> > # DONT_EXPIRE_PASSWORD=$((0x10000)); ldbsearch --controls "search_options:0:1" -H /var/lib/samba/private/sam.ldb "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))(distinguishedName=*OU=Z*))" dn distinguishedName|tail -n 11
> > # returned 0 records
> > # 0 entries
> > # 0 referrals
> >
> > Can this be explained somehow?
>
> Oh yes, in AD, the 'distinguishedName' attribute is what is known as a
> constructed attribute, that is, it doesn't actually exist, it is
> 'constructed' from other data, if you really must use it in a search
> filter, you must supply the entire path e.g.
> distinguishedName=CN=Some User,OU=SomeOU,DC=samdom,DC=example,DC=com

Rowland, thanks for the explanation. I thought that distinguishedName (which has the same value as the DN) was created precisely because the DN cannot be used in an LDAP filter, and that all operators (including substring) could be applied to distinguishedName without restrictions. It's a shame it's different. But maybe it depends on the implementation in MS AD and/or in Samba/ldb-tools.

> Also seeing as the 'dn' is always the same as the 'distinguishedName'
> and will always be returned, there is no point in asking for it in the
> list of required attributes, unless you just want the dn and nothing
> else.

There is one small difference: ldbsearch (I didn't try other programs) prints non-ASCII strings in the DN (e.g. with diacritics) as UTF-8, but prints distinguishedName as ':: base-64 encoding'.

> > Also - has ldbsearch any equivalent for the ldapsearch "ldif_wrap"
> > (specifically "ldif_wrap=no") option?
>
> You can use '--show-binary' for that.
>
> > More generally: ldbsearch (other ldb*** utilities also) has -o
> > and --controls switches, but are they documented somewhere?
>
> I have never used the '-o' option and the '--controls' switch is
> another option I do not use often, so I am unaware of any other Samba
> documentation other than:
>
> https://wiki.samba.org/index.php/LDB

Lots of interesting things...

> Though a lot of the Microsoft documentation is relevant.
>
> I should also point out that you may find the '--cross-ncs' switch
> useful, it allows access to the different 'NCs' e.g. the schema etc.

Hm, I noticed this switch, but until now I had no idea what an NC was and what it was supposed to be good for. Naming Context?
I hope I will need it in the higher grades of my Samba knowledge... ;)

> You can search from domain joined machines using the machine's kerberos
> ticket (sort of like anonymous access) by using the '-P' switch.
>
> There are also some attributes that are hidden and must be explicitly
> asked for e.g. unicodePwd
>
> Rowland

----
František Hanzlík
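Added here as an illustration (not code from the thread or from Samba): because distinguishedName is constructed and cannot be substring-matched, the records the presence filter returns can instead be narrowed client-side by their RDNs, which also means decoding the ':: base64' form ldbsearch uses for non-ASCII distinguishedName values noted above. The sample LDIF, the user names and the zamecek.home container are constructed; on the server side the usual alternative is to point the search base (-b) at the OU itself.

```python
import base64
# Constructed sample shaped like `ldbsearch ... dn distinguishedName` output (the
# DNs and zamecek.home are made up); a non-ASCII DN gets 'distinguishedName::' (base64).
def _ldif_record(n, dn):
    value = ("distinguishedName: " + dn if dn.isascii() else
             "distinguishedName:: " + base64.b64encode(dn.encode()).decode())
    return f"# record {n}\ndn: {dn}\n{value}\n\n"

SAMPLE_LDIF = "".join(_ldif_record(i + 1, dn) for i, dn in enumerate([
    "CN=pavlikova_t,OU=Z,DC=zamecek,DC=home",
    "CN=Novák Jiří,OU=Z,DC=zamecek,DC=home",
    "CN=admin,CN=Users,DC=zamecek,DC=home",
])) + "# returned 3 records\n"

def parse_ldif(text):
    """LDIF -> list of {attr: value}; '::' marks base64, '#'/blank lines end a record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            current[attr] = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            current[attr] = value.strip()
    return records + ([current] if current else [])

def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur.strip())
            cur = ""
            continue
        escaped = ch == "\\" and not escaped
        cur += ch
    return parts + [cur.strip()]

def in_container(dn, container):
    # True if dn sits anywhere below container; RDNs compared case-insensitively
    d, c = ([p.lower() for p in split_rdns(x)] for x in (dn, container))
    return len(d) > len(c) and d[-len(c):] == c

def dns_in_container(ldif_text, container):
    # Client-side stand-in for the unsupported (distinguishedName=*OU=Z*) filter
    return [r["dn"] for r in parse_ldif(ldif_text) if in_container(r["dn"], container)]
```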