Univention Bugzilla – Bug 56476
Nested membership search in Samba results in error if one object's children are not readable
Last modified: 2023-08-22 22:15:55 CEST
An ldbsearch using SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL results in LDAP_OPERATIONS_ERROR as soon as the searching user doesn't have the LC (List Children) permission for any object in the whole LDAP tree. It doesn't matter which object the user doesn't have access to: it will always result in LDAP_OPERATIONS_ERROR, even if the object has no connection to the object being searched for. It seems like Samba is always searching through the whole LDAP tree and aborts if the user doesn't have the permission to list the children of any of the objects.

This behavior is observed since commit 0776ce5caed in Samba, part of the security fixes for https://www.samba.org/samba/security/CVE-2023-0614.html. Beforehand, no error was raised; the objects were simply not shown in the result list if the user didn't have the permissions to see them, which is the behavior I would expect.

The error can be reproduced by attaching this rule to any object in the following way:

samba-tool dsacl set --sddl='(D;;LC;;;AU)' --objectdn='CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=jbp25,DC=intranet'

and then doing the following search:

ldbsearch -H ldaps://p25.jbp25.intranet -Utest%univention memberOf:1.2.840.113556.1.4.1941:=cn=computers,cn=groups,dc=jbp25,dc=intranet member

The log.samba then shows:

[2023/08/11 16:30:11.077988, 11, pid=27912, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: ldb_trace_response: DONE error: 32 msg: dsdb_access: Access check failed on CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=jbp25,DC=intranet
....
[2023/08/11 16:30:11.078147, 11, pid=27912, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
ldb: ldb_trace_response: DONE error: 1 msg: Indexed and full searches both failed!

Additionally, we found out that Samba searches the whole LDAP tree when doing this nested search. That's why each nested search results in an error, even if the object the access is denied to is not even referenced in any object that the search filter is looking for.
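The reproduction from the report, wrapped in a small shell script so the outcome can be checked mechanically. This is an added example and is not part of the bug report, of Samba or of UCS. It builds the transitive memberOf filter from the group DN, applies the deny-LC ACE from the report, runs the ldbsearch as the unprivileged user and classifies the result by exit status and output. Assumptions that are not stated on the page: ldbsearch exits with the ldb error code when the request fails (1 is LDB_ERR_OPERATIONS_ERROR) and prints a line starting with "search failed"; the host, credentials, group DN and target object default to the values from the report and can be overridden with the LDB_URL, LDB_USER, GROUP_DN and DENY_OBJECT_DN environment variables. The script only contacts a directory when invoked with the argument `run`; the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba): reproduce the
# LDAP_MATCHING_RULE_IN_CHAIN failure described above and check the result.
set -eu

# Defaults taken from the bug report (illustrative values for a test DC);
# override them via the environment.
LDB_URL="${LDB_URL:-ldaps://p25.jbp25.intranet}"
LDB_USER="${LDB_USER:-test%univention}"          # unprivileged user, user%password
GROUP_DN="${GROUP_DN:-cn=computers,cn=groups,dc=jbp25,dc=intranet}"
DENY_OBJECT_DN="${DENY_OBJECT_DN:-CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=jbp25,DC=intranet}"
DENY_LC_AU='(D;;LC;;;AU)'                        # deny List Children to Authenticated Users

# OID of LDAP_MATCHING_RULE_IN_CHAIN (SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL)
IN_CHAIN_OID=1.2.840.113556.1.4.1941

# Build the transitive memberOf filter for a group DN.
in_chain_filter() {
    printf '(memberOf:%s:=%s)' "$IN_CHAIN_OID" "$1"
}

# Count result entries in ldbsearch output (one "dn:" line per entry).
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Classify an ldbsearch run from its exit status ($1) and combined output ($2).
# Assumption: ldbsearch exits with the ldb error code and prints
# "search failed - <msg>" when the request fails.
classify_ldb_result() {
    rc=$1
    out=$2
    case "$rc" in
        0)
            # exit 0 together with a "search failed" line would mean the
            # error status was not propagated; flag it instead of calling it ok
            if printf '%s\n' "$out" | grep -q '^search failed'; then
                echo search-failed
            else
                echo ok
            fi
            ;;
        1) echo operations-error ;;   # LDB_ERR_OPERATIONS_ERROR, the symptom in the report
        *) echo "error-$rc" ;;
    esac
}

# Apply the deny ACE, run the nested search as the test user, print a verdict.
# Note: samba-tool dsacl set adds the ACE; this script does not remove it again.
repro() {
    samba-tool dsacl set --sddl="$DENY_LC_AU" --objectdn="$DENY_OBJECT_DN"
    set +e
    out=$(ldbsearch -H "$LDB_URL" -U "$LDB_USER" "$(in_chain_filter "$GROUP_DN")" member 2>&1)
    rc=$?
    set -e
    verdict=$(classify_ldb_result "$rc" "$out")
    echo "ldbsearch exit=$rc verdict=$verdict entries=$(count_entries "$out")"
    # Expected behaviour: ok, with the unreadable object simply omitted.
    # Bug present: operations-error and zero entries.
    [ "$verdict" = ok ]
}

# Only touch a directory when explicitly asked.
if [ "${1:-}" = run ]; then
    repro
fi
```

Run it as `sh repro.sh run` against a test DC only: the deny ACE is written to the Default Domain Policy container named in the report and stays there until you remove it by hand. A non-zero exit with the verdict `operations-error` is the behaviour this bug describes; a fixed build should exit 0 and list the nested members while leaving out the object the user cannot read.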