According to http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx, on a MS AD controller the extended rule 1.2.840.113556.1.4.1941 ("LDAP_MATCHING_RULE_IN_CHAIN") can be used to find transitive group memberships from an Active Directory. This does not work on Samba4 LDB. ldapsearch returns an empty result and ldbsearch returns:

ldb: unknown extended rule_id 1.2.840.113556.1.4.1941

That means there is currently no possibility to check for nested group memberships with a simple LDAP query on Samba 4.
I tested this against a mixed domain consisting of a Samba 4.1 DC and a Win 2k8 R2 DC. The Win 2k8 correctly answers with all nested groups when trying this:

ldapsearch -LLL -H ldap://host.name.local -x -D 'DOMAIN\Administrator' -w 'password' -b 'ou=XXX,dc=domain,dc=company,dc=loc' 'member:1.2.840.113556.1.4.1941:=cn=User CN,ou=XXX,dc=domain,dc=company,dc=loc'

The Samba 4.1 does not return anything.
Having the exact same issue with samba 4.1.11+dfsg-1~bpo70+1 on debian x64.
A fix for this is in Samba git master.
Created attachment 10824 [details]
4.2 patch cherry-picked from master

This patch is on the basis that the subunit backport patch series is appropriate for 4.2.
User testing notes here. We applied "4.2 patch cherry-picked from master" on Debian amd64 to sernet-samba-4.2.2 sources and re-built debs. Confirmed that the transitive search worked correctly for a small test case. However, extended testing caused samba to panic when we tested a transitive search with a non-existent group DN in the search.

For example, the following works:

ldbsearch -H /var/lib/samba/private/sam.ldb -s sub -b \
    "dc=ad,dc=example,dc=org" \
    '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=org)'

However, this causes a panic (note the misspelling of the final domain component):

ldbsearch -H /var/lib/samba/private/sam.ldb -s sub -b \
    "dc=ad,dc=example,dc=org" \
    '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=orgs)'

===============================================================
INTERNAL ERROR: Signal 11 in pid 18256 (4.2.2-SerNet-Debian-8.1.jessie)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC: internal error

We reverted to sernet-4.2.2 without patches, and the search fails but does not cause a panic:

ldbsearch -H /var/lib/samba/private/sam.ldb -s sub -b \
    "dc=ad,dc=example,dc=org" \
    '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=orgs)'

ldb: unknown extended rule_id 1.2.840.113556.1.4.1941

So we believe the bug is introduced in the patch.
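A client-side substitute for the chained search this thread is about, added here as an example (it is not Samba code nor the reporters' own): it builds the same 1.2.840.113556.1.4.1941 filter an AD DC accepts and, for a Samba DC that rejects the rule, expands nested 'member' values itself. The directory is a constructed in-memory sample, and a DN that does not exist (like the misspelled DC=orgs above) yields an empty result rather than an error.

```python
from collections import deque

# Constructed sample directory (not real data): group DN -> direct 'member' values.
SAMPLE_DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=org": [
        "CN=Ops Leads,OU=Groups,DC=ad,DC=example,DC=org",
        "CN=alice,CN=Users,DC=ad,DC=example,DC=org",
    ],
    "CN=Ops Leads,OU=Groups,DC=ad,DC=example,DC=org": [
        "CN=Dev Leads,OU=Groups,DC=ad,DC=example,DC=org",
        "CN=bob,CN=Users,DC=ad,DC=example,DC=org",
    ],
    "CN=Dev Leads,OU=Groups,DC=ad,DC=example,DC=org": [
        "CN=Ops Leads,OU=Groups,DC=ad,DC=example,DC=org",  # circular nesting
        "CN=carol,CN=Users,DC=ad,DC=example,DC=org",
    ],
}

def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def in_chain_filter(attribute, dn):
    """The filter an AD DC answers; Samba 4.1/4.2 replies 'unknown extended rule_id'."""
    return "(%s:1.2.840.113556.1.4.1941:=%s)" % (attribute, escape_filter_value(dn))

def transitive_members(group_dn, directory=SAMPLE_DIRECTORY):
    """Client-side equivalent of (memberOf:1.2.840.113556.1.4.1941:=group_dn):
    breadth-first walk over 'member', one lookup per group, with a seen set so
    circular nesting terminates.  DNs compare case-insensitively as in LDAP, and
    a DN absent from the directory simply yields an empty set."""
    index = {dn.casefold(): members for dn, members in directory.items()}
    seen = {group_dn.casefold()}
    queue = deque([group_dn])
    result = set()
    while queue:
        for member in index.get(queue.popleft().casefold(), []):
            if member.casefold() not in seen:
                seen.add(member.casefold())
                result.add(member)
                queue.append(member)
    return result
```

Against a live server, replace the dictionary lookup with one LDAP base-scope search for the 'member' attribute per group DN.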
We should probably revert this for 4.3, until someone has the time to fix it. Samuel / Kamen, My view is that we will need a fix and matching tests to keep this in. Do you have any time to look at this?
Metze, What is the right way to flag that we need to deal with this one way or the other for 4.3? Thanks,
Created attachment 11341 [details]
Patch to remove this feature from 4.3

Sadly, with only a day to go before the last RC of Samba 4.3, we have no choice but to back this out of the release. I'll also submit this to samba-technical. Hopefully I can get Adrian to look at the proper fix for 4.4.
Created attachment 11342 [details]
Patch to remove this feature from 4.3

This version has signed-off-by and BUG tags.
Comment on attachment 11342 [details]
Patch to remove this feature from 4.3

Pushed to autobuild-v4-3-test
Pushed to v4-3-test
Thanks metze. Re-opening to remember that we want the feature to work in the long term.
The segfault has been found and new tests added, so we may be able to return this to Samba soon.
The patches are now again in master and should be in the 4.4 release.