LDAP queries for group flattening fail with:
result: 1 Operations error, text: 00002020: Indexed and full searches both failed!
    ucs:~# ldapsearch -ZZ -H ldap://ucs.schein.ig -b dc=schein,dc=ig -x -D cn=auth-proxmox,cn=systemusers,cn=schein,cn=users,dc=schein,dc=ig -w password memberOf:1.2.840.113556.1.4.1941:=cn=service-pve-foo,cn=servicegroups,cn=Groups,dc=schein,dc=ig member
    # search result
    search: 3
    result: 1 Operations error
    text: 00002020: Indexed and full searches both failed!
It seems that the user's read authorization in Samba is too restricted. In particular, the user lacks the right to see some group policy objects.
Group policy objects also appear to be necessary to determine the recursive group memberships.
This is a bug in Samba, which is a consequence of the security update Security and bugfix errata for Univention Corporate Server.
When evaluating the ACLs, Samba runs through every object, and as soon as it detects one that it is not allowed to read, regardless of whether that object is relevant to the query or not, it exits with an error.
The workaround is to set the List Children permission (for authenticated users) on all GPOs again.
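To see which GPOs still need the workaround, the following added example (not part of the original article or of UCS/Samba tooling) checks SDDL strings of GPO security descriptors for an effective List Children (`LC`) allow ACE for Authenticated Users (`AU`). The GPO names and SDDL strings are constructed sample data, and the function names are hypothetical; how the SDDL is exported from the directory is left out.

```python
import re

LIST_CHILDREN = 0x4               # access-mask bit behind the SDDL right "LC"
IMPLIES_LC = {"LC", "GR", "GA"}   # generic read/all include List Children on directory objects
AUTH_USERS = {"AU", "S-1-5-11"}   # Authenticated Users: SDDL alias and SID

def codes(field):
    """Split an SDDL flags or rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def dacl_aces(sddl):
    """Return the DACL's ACEs, each as the list of its ';'-separated fields."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    return [a.split(";") for a in re.findall(r"\(([^()]*)\)", m.group(1))] if m else []

def grants_lc(rights):
    """True if a rights field (letter codes or hex mask) contains List Children."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & LIST_CHILDREN)
    return bool(IMPLIES_LC & codes(rights))

def au_can_list_children(sddl):
    """True if Authenticated Users has an allow ACE for List Children on the object itself."""
    allowed = False
    for ace in dacl_aces(sddl):
        if len(ace) != 6 or ace[5] not in AUTH_USERS or not grants_lc(ace[2]):
            continue
        if "IO" in codes(ace[1]):      # inherit-only: applies to children, not this object
            continue
        if ace[0] == "D":              # simplification: treat an explicit deny as overriding
            return False
        allowed = allowed or ace[0] == "A"
    return allowed

def gpos_missing_list_children(acls):
    """Return the DNs whose DACL does not give Authenticated Users List Children."""
    return sorted(dn for dn, sddl in acls.items() if not au_can_list_children(sddl))

# Constructed sample data: GPO names and SDDL strings are made up for this example.
BASE = "CN=Policies,CN=System,dc=schein,dc=ig"
SAMPLE_ACLS = {
    "CN={GPO-A}," + BASE: "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLCLORC;;;AU)",
    "CN={GPO-B}," + BASE: "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLORC;;;AU)",
    "CN={GPO-C}," + BASE: "O:DAG:DAD:PAI(A;CIIO;RPLCLORC;;;AU)(A;CI;RPLCLORC;;;ED)",
    "CN={GPO-D}," + BASE: "O:DAG:DAD:(A;;0x00020094;;;AU)",
}

if __name__ == "__main__":
    for dn in gpos_missing_list_children(SAMPLE_ACLS):
        print("List Children missing for Authenticated Users:", dn)
```

The check only looks at ACEs whose trustee is Authenticated Users, matching the workaround above; rights a bind account holds through other groups are not considered.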