similar to: LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Displaying 20 results from an estimated 2000 matches similar to: "LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?"

2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 05-11-2023 at 23:25, Jonathan Hunter via samba wrote: > I'm quite confused by this one, as I can't see how this would happen.. > but after upgrading my DCs from 4.11.10 to 4.18.5, LDAP searches don't > seem to work if they use the :1.2.840.113556.1.4.1941: modifier, aka > LDAP_MATCHING_RULE_IN_CHAIN. (Yes, it was a fairly big version jump.. > Yes, I should have
2023 Nov 05
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
We had to do a few changes in this area (due to security issues) over that large number of releases, it is entirely possible there was a regression. If you have time and patience, could you back up your DC, restore into a subdirectory (on your DC or on a test box) with 4.11.10 from git, and then do a git bisect between that and 4.18.5. You can run the query locally with bin/ldbsearch -H
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Kees. On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba <samba at lists.samba.org> wrote: > I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did > not experience any issues with nested group lookups, which many of the > filters rely on. Interestingly, I've now found that (on my current DCs, running 4.18.5), ldbsearch *does* seem to return the
2023 Nov 06
2
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote: > > > On 06-11-2023 at 14:58, Jonathan Hunter wrote: > > Interestingly, I've now found that (on my current DCs, running > > 4.18.5), ldbsearch *does* seem to return the expected result, but the > > same query via ldapsearch does not. > > What if you try to use starttls
2023 Nov 06
2
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 06-11-2023 at 14:58, Jonathan Hunter wrote: > Thank you Kees. > > On Mon, 6 Nov 2023 at 09:37, Kees van Vloten via samba > <samba at lists.samba.org> wrote: >> I am currently running at 4.19.2 but I have run 4.18.6 and 4.18.5. I did >> not experience any issues with nested group lookups, which many of the >> filters rely on. > Interestingly, I've now
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On 06-11-2023 at 15:40, Jonathan Hunter wrote: > On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <keesvanvloten at gmail.com> wrote: >> >> On 06-11-2023 at 14:58, Jonathan Hunter wrote: >>> Interestingly, I've now found that (on my current DCs, running >>> 4.18.5), ldbsearch *does* seem to return the expected result, but the >>> same query via
2023 Nov 06
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Andrew for the quick reply - much appreciated. Yes, I'll get on to this - I am certainly motivated to find out what's happening here. It is likely to take a few days but I'll post my findings. I'll look at setting up git bisect today, it should be possible for me to script it so that it will run by itself as I understand it, as I should be able to check the return value
2023 Nov 22
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote: > On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett < > abartlet at samba.org > > wrote: > > Are you sure that the ACLs on all the items in the chain should > > allow reading? > > It's an excellent question, thank you - I'd like to just say "Yes" > but > I will certainly check, as
2014 Feb 05
1
Support for LDAP_MATCHING_RULE_IN_CHAIN in LDAP queries
I'm guessing that this is just not implemented yet: http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx Specifically, the LDAP_MATCHING_RULE_IN_CHAIN search modifier. I'm trying to do a group membership search via LDAP that traverses subgroups. Against Windows AD I'd use: (memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)) But that doesn't work against
2023 Nov 24
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Thank you Andrew and Rowland. (Rowland - I tried 'samba-tool dsacl get', thank you! but found the output hard to decipher so I used ldp.exe on Windows instead in the end) On Wed, 22 Nov 2023 at 20:22, Andrew Bartlett <abartlet at samba.org> wrote: > > On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote: > > Are permissions checked in a hierarchical fashion, i.e. if
2023 Nov 29
1
LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Hi Jonathan and Andrew, > Reminder of my original LDAP query: > (& > (objectCategory=Person) > (sAMAccountName=*) > (memberOf:1.2.840.113556.1.4.1941:=CN=mygroup,OU=myou,DC=mydomain,DC=org) > ) I came across the same/similar issue yesterday and found the origin that triggered the issue (at least in my case). I've added a response to your bugzilla entry
2020 Sep 16
5
PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote: > I followed the instructions on the OpenVPN site for creating > the bind user: > > https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user > OK after reading the supplied link, I think I see where the misunderstanding is coming from. Under the heading
2020 Aug 21
4
Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 21:40, vincent at cojot.name wrote: > On Fri, 21 Aug 2020, Rowland penny via samba wrote: > >> This works for me: >> >> rowland at devstation:~$ sudo ldapsearch -H >> ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w >> 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' >>
2020 Aug 21
2
Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 20:08, Rowland penny via samba wrote: > On 21/08/2020 19:28, Vincent S. Cojot via samba wrote: >> >> Hi everyone, >> >> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to >> use with OpenShift (a container platform to which RedHat contributes >> - aka OCP). I'm also not too skilled on LDAP even though I've been
2020 Aug 21
3
Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Hi everyone, I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use with OpenShift (a container platform to which RedHat contributes - aka OCP). I'm also not too skilled on LDAP even though I've been running the above for over two years now.. There are typically two steps involved in connecting AD to OCP: 1) declare an OAuth configuration in OCP (requires a bind
2023 Apr 06
1
Fwd: ntlm_auth and freeradius
I can share my notes, we authenticate UniFi clients via Freeradius against Samba AD. We also check group membership which you might or might not need:

## 4 FreeRADIUS

### 4.1 Basics

```bash
apt install freeradius freeradius-ldap freeradius-utils
# create new DH-params
openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048
```

### 4.2 Configure Authentication

- modify mschap to use winbind,
2009 Jul 29
1
Batch computer account creation
I'm looking for a way to batch create a list of computer accounts in Active Directory running on Windows 2000 PDC. I tried to use perl ldap to create those objects but I didn't manage to set the sAMAccountType to "805306369" (apparently this is a read only auto generated value) Is there any way to do that under Linux? Thanks, Thomas #! /usr/bin/perl use strict; use
2023 Apr 06
2
Fwd: ntlm_auth and freeradius
Hello Tim, Hello samba-people, is there an up-to-date guide for authenticating via freeradius somewhere? I have some Ubiquiti APs plus a Cloud Key and I want to authenticate WLAN clients via WPA2-Enterprise instead of a (shared) PSK. It seems like https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory is missing some steps (basic setup of freeradius). Can you
2015 Dec 12
2
Nested Group control doesn't work
Hey guys, We can perform this LDAP query against Windows Server 2012 no problem, but against samba it's failing: (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_users,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com)) Is that "nested group" tree control (memberOf:1.2.840.113556.1.4.1941:) supported? If not, is there a better way to design this ldap
2023 Apr 12
2
Fwd: ntlm_auth and freeradius
Hi Alexander, I'm terribly sorry. We didn't have the "ntlm auth" parameter configured on the DCs at all. I added it and it just works. Thanks for your help. Now I just need to figure out how I can make WLAN-specific LDAP-Group authentication. e.g. production WLAN needs LDAP group "wlan_production" and management WLAN needs the "wlan_management" group. I