There seems to be a problem with LDAP filters and entries that contain escaped characters in their DN. Say I have a user "test" with cn "Us Er+". ldbsearch returns this:

root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb uid=test dn cn
dn: CN=Us Er\+,CN=Users,DC=exam,DC=corp
cn: Us Er+

ldapsearch returns this:

root@dev:~# ldapsearch -x uid=test dn cn
dn: cn=Us Er\2B,cn=Users,dc=exam,dc=corp
cn: Us Er+

Notice the "\2B" in the returned DN? Now if that user is a member of a group, the group looks like this:

root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb cn=testgroup cn dn member
dn: CN=testgroup,CN=Users,DC=exam,DC=corp
cn: testgroup
member: CN=Us Er\+,CN=Users,DC=exam,DC=corp

root@dev:~# ldapsearch -x cn=testgroup dn cn member
dn: cn=testgroup,cn=Users,dc=exam,dc=corp
cn: testgroup
member: cn=Us Er\2B,cn=Users,dc=exam,dc=corp

But you cannot get that group by searching on the member attribute:

root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er\2B,cn=Users,dc=exam,dc=corp"
(no results)

root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er\+,cn=Users,dc=exam,dc=corp"
allocating request failed: Unable to parse search expression

root@dev:~# ldbsearch -H /var/lib/samba/private/sam.ldb member="cn=Us Er+,cn=Users,dc=exam,dc=corp"
(no results)

root@dev:~# ldapsearch -x 'member=cn=Us Er\2B,cn=Users,dc=exam,dc=corp'
(no results)

root@dev:~# ldapsearch -x 'member=cn=Us Er\+,cn=Users,dc=exam,dc=corp'
ldap_search_ext: Bad search filter (-7)

root@dev:~# ldapsearch -x 'member=cn=Us Er+,cn=Users,dc=exam,dc=corp'
(no results)

The problem with this is that it is not possible in external applications to verify group membership for users with this kind of DN. They do a search with the DN of the entry (cn=Us Er\2B,...) and that search will never return any groups. Binding to the LDAP server with a DN in that form works, so authentication is not a problem.
As far as I can see, this happens any time the DN of an entry contains an escaped character, like a '+' or an escaped space at the end of the rdn.
I also tested 4.2.7 and ldb 1.1.24 - same behaviour. If you need any other info, please let me know!
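The three failing filters above differ only in how the backslash inside the DN is treated once it is placed in a search filter: the DN string uses RFC 4514 escaping, but the filter parser applies RFC 4515 escaping on top of it, so the backslash itself has to become `\5c`. The following added example (not code from the bug report or from Samba) builds such a filter and decodes the three attempts the way a strict RFC 4515 parser would, which is an assumption about parser behaviour that matches the errors shown above.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. The backslash is the one that bites with DN values.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dn_filter(attribute: str, dn: str) -> str:
    """Return '(attribute=dn)' with the DN string escaped as a filter value.

    The DN is passed exactly as the server returned it (RFC 4514 form), so
    both 'CN=Us Er\\+,...' and 'cn=Us Er\\2B,...' are accepted unchanged.
    """
    return f"({attribute}={escape_filter_value(dn)})"


_HEX_PAIR = re.compile(r"\\([0-9A-Fa-f]{2})")


def decode_filter_value(value: str) -> str:
    """Decode an assertion value the way a strict RFC 4515 parser does.

    A backslash must be followed by exactly two hex digits; anything else
    (such as '\\+') is a malformed filter and is rejected, which is what
    the 'Bad search filter' / 'Unable to parse search expression' errors
    in the report correspond to.
    """
    out = []
    i = 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
            continue
        m = _HEX_PAIR.match(value, i)
        if not m:
            raise ValueError(f"bad escape at offset {i}: {value[i:i + 2]!r}")
        out.append(chr(int(m.group(1), 16)))
        i += 3
    return "".join(out)


# Constructed input taken from the DN shown in the report.
MEMBER_DN = r"cn=Us Er\2B,cn=Users,dc=exam,dc=corp"
```

Decoding the report's `\2B` attempt yields the assertion value `cn=Us Er+,...`, where the bare `+` is no longer an escaped character, so the server cannot match it against the stored member DN; the `\5c2B` form decodes back to the original DN string. python-ldap's `ldap.filter.escape_filter_chars` performs the same escaping.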
Sorry for the late response. I just tested that this one works the same way against MS AD as on Samba 4.7 AD:

ldapsearch -x -h ip-of-ad-dc -D AD\\administrator -w secret -b "CN=Users,DC=ad,DC=test,DC=intern" 'member=CN=bjacke\\+,CN=Users,DC=ad,DC=test,DC=intern'