similar to: Support for LDAP_MATCHING_RULE_IN_CHAIN in LDAP queries

I'm quite confused by this one, as I can't see how this would happen.. but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump.. Yes, I should have upgraded much earlier.. Yes, I know 4.19.x is out now as well) Here's a search that

We had to do a few changes in this area (due to security issues) over that large number of releases, it is entirely possible there was a regression. If you have time and patience, could you back up your DC, restore into a subdirectory (on your DC or on a test box) with 4.11.10 from git, and then do a git bisect between that and 4.18.5. You can run the query locally with bin/ldbsearch -H

Op 05-11-2023 om 23:25 schreef Jonathan Hunter via samba: > I'm quite confused by this one, as I can't see how this would happen.. > but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't > seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka > LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump.. > Yes, I should have

Hi Jonathan and Andrew, > Reminder of my original LDAP query: > (& > (objectCategory=Person) > (sAMAccountName=*) > (memberOf:1.2.840.113556.1.4.1941:=CN=mygroup,OU=myou,DC=mydomain,DC=org) > ) I came across the same/similar issue yesterday and found the origin that triggered the issue (at least in my case). I've added a response to your bugzilla entry

Thank you Andrew for the quick reply - much appreciated. Yes, I'll get on to this - I am certainly motivated to find out what's happening here. It is likely to take a few days but I'll post my findings. I'll look at setting up git bisect today, it should be possible for me to script it so that it will run by itself as I understand it, as I should be able to check the return value

Thank you Kees. On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba <samba at lists.samba.org> wrote: > I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did > not experience any issues with nested group lookups, which many of the > filters rely on. Interestingly, I've now found that (on my current DCs, running 4.18.5), ldbsearch *does* seem to return the

On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote: > > > Op 06-11-2023 om 14:58 schreef Jonathan Hunter: > > Interestingly, I've now found that (on my current DCs, running > > 4.18.5), ldbsearch *does* seem to return the expected result, but the > > same query via ldapsearch does not. > > What if you try to use starttls

Op 06-11-2023 om 14:58 schreef Jonathan Hunter: > Thank you Kees. > > On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba > <samba at lists.samba.org> wrote: >> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did >> not experience any issues with nested group lookups, which many of the >> filters rely on. > Interestingly, I've now

Hi all, I've compiled 3.0.7 on a test box which also has an LDAP server running on it. This is the first time for me trying to use Samba with LDAP. I copied the IdealX scripts into /usr/local/sbin and edited the _config.pm file. It is attached at the bottom, stripped of comments. I then edited my smb.conf to the effect of the following: passdb backend = ldapsam:ldap://localhost ldap

Thank you Andrew and Rowland. (Rowland - I tried 'samba-tool dsacl get', thank you! but found the output hard to decipher so I used ldp.exe on Windows instead in the end) On Wed, 22 Nov 2023 at 20:22, Andrew Bartlett <abartlet at samba.org> wrote: > > On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote: > > Are permissions checked in a hiearchical fashion, i.e. if

Samba 3.0.0 - RH AS 3 # ./smbldap-groupshow.pl Computers No such object at /usr/local/sbin//smbldap_tools.pm line 590, <DATA> line 283. # ./smbldap-usershow.pl cnassa dn: uid=cnassa,ou=People,o=Mullen,c=US Why can't I get the groups to work correctly, I do have a 'Computers' group? This same problem is causing a bunch of errors when I try to net rpc vampire - it can't

Hi samba admins, I don?t know is this the right place for my question, but I can?t find a list for my problem. I have some trobble to configure the smbldap-tools. I have download and copy the scripts to /usr/local/sbin. But a /usr/local/sbin/smbldap-useradd.pl testuser breaks with this error message: get_user_dn2: error in ldapsearch : /usr/bin/ldapsearch -x -h _SLAVELDAP_ -D '_BINDDN_'

Op 06-11-2023 om 15:40 schreef Jonathan Hunter: > On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote: >> >> Op 06-11-2023 om 14:58 schreef Jonathan Hunter: >>> Interestingly, I've now found that (on my current DCs, running >>> 4.18.5), ldbsearch *does* seem to return the expected result, but the >>> same query via

OK, further to my previous message I've configured BIND, but when I try to run samba_dnsupdate I get the following: Nov 18 16:19:23 sles-shire named[6112]: samba b9_putrr: unhandled record type 0 Nov 18 16:19:24 sles-shire named[6112]: samba_dlz: starting transaction on zone _msdcs.main.adlab.netdirect.ca Nov 18 16:19:24 sles-shire named[6112]: samba_dlz: disallowing update of

Is this a problem? Does this mean no replication links exist? michael at sles-bree:~> samba-tool drs showrepl -k yes Bree\SLES-BREE DSA Options: 0x00000025 DSA object GUID: 7ea641b0-d418-4c74-a4fa-c15b852467b8 DSA invocationId: 1017ff29-756c-4777-b395-b481f4b5387c ==== INBOUND NEIGHBORS ==== ==== OUTBOUND NEIGHBORS ==== ==== KCC CONNECTION OBJECTS ==== Connection -- Connection name:

On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote: > On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett < > abartlet at samba.org > > wrote: > > Are you sure that the ACLs on all the items in the chain should > > allow reading? > > It's an excellent question, thank you - I'd like to just say "Yes" > but > I will certainly check, as

I was hoping this would be simpler. I'd like to prepopulate an RODC with all users accounts that are permitted. But I can only pre-populate one at a time: samba-tool rodc preload (<SID>|<DN>|<accountname>) sles-shire:~ # samba-tool group listmembers 'Allowed RODC Password Replication Group - Shire' Allowed RODC Password Replication Group - Global WIN7-SHIRE$ bilbo

We've joined an RODC to the domain (Windows 2008R2 running a W2003 FFL/DFL AD) but are getting these errors on first startup. It was joined with: samba-tool domain join main.adlab.netdirect.ca RODC --realm=main.adlab.netdirect.ca --username=administrator at main.adlab.netdirect.ca --dns-backend=BIND9_DLZ but we get these errors right after startup: Nov 28 12:35:27 sles-bree samba[3939]:

I just checked the SOA records on my samba DCs and noticed a few oddities: michael at sles-bree:~> for i in ad{1..4} sles-bree sles-shire; do host -t soa main.adlab.netdirect.ca $i | grep SOA; done main.adlab.netdirect.ca has SOA record ad1.main.adlab.netdirect.ca. hostmaster.main.adlab.netdirect.ca. 177 900 600 86400 3600 main.adlab.netdirect.ca has SOA record ad2.main.adlab.netdirect.ca.

OK! I'm getting farther and farther! :) I've managed to preload user and computer passwords onto a samba RODC: *sles-shire:/var/lib/samba/sysvol # samba-tool rodc preload 'win7-shire$' --server main.adlab.netdirect.ca** *Replicating DN CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca Exop on[CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca]