Bug 56476 - Nested membership search in Samba results in Error if one objects children are not readable
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba
UCS 5.0
Other Linux
Importance: P5 normal (vote)
Target Milestone: ---
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2023-08-22 22:15 CEST by Julia Bremer
Modified: 2023-08-22 22:15 CEST
CC List: 0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2023071821000103
Bug group (optional):
Max CVSS v3 score:


Description Julia Bremer univentionstaff 2023-08-22 22:15:02 CEST
An ldbsearch using SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL results in LDAP_OPERATIONS_ERROR as soon as the searching user doesn't have the LC (List children) permission for any object in the whole LDAP tree.
It doesn't matter which object the user doesn't have access to. It will always result in LDAP_OPERATIONS_ERROR, even if the object has no connection to the object being searched for.
It seems like samba is always searching through the whole LDAP tree and aborts if the user doesn't have the permission to list the children of any of the objects.


This behavior is observed since commit 0776ce5caed in samba for the security fixes for https://www.samba.org/samba/security/CVE-2023-0614.html.
Beforehand, no error was raised. The objects were simply not shown in the result list if the user didn't have the permissions to see them, which is the behavior I would expect.

The error can be reproduced by attaching this rule to any object in the following way:
samba-tool dsacl set --sddl='(D;;LC;;;AU)' --objectdn='CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=jbp25,DC=intranet'

And then doing the following search:

ldbsearch -H ldaps://p25.jbp25.intranet -Utest%univention memberOf:1.2.840.113556.1.4.1941:=cn=computers,cn=groups,dc=jbp25,dc=intranet member

The log.samba then shows:

[2023/08/11 16:30:11.077988, 11, pid=27912, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 32
  msg: dsdb_access: Access check failed on CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=jbp25,DC=intranet
....  
[2023/08/11 16:30:11.078147, 11, pid=27912, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 1
  msg: Indexed and full searches both failed!


Additionally, we found out that samba searches the whole LDAP when doing this nested search. That's why each nested search results in an error, even if the object the access is denied to is not even referenced in any object that the search filter is looking for.
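As an added example (not part of the report or of Samba), a small Python parser over ldb trace output at debug level 11 that reports which object's failed access check preceded the "Indexed and full searches both failed!" record, so an administrator hitting this behaviour can locate the ACE that blocks the transitive search. The sample log is constructed from the lines quoted above; the function names and regexes are this example's own.

```python
"""Locate the object whose access check made a transitive (memberOf:1.2.840.113556.1.4.1941)
search fail with LDAP_OPERATIONS_ERROR, using the ldb trace records in log.samba."""
import re
from typing import Dict, List

# Constructed sample, modelled on the trace quoted in the bug report (not a real capture).
SAMPLE_LOG = """\
[2023/08/11 16:30:11.077988, 11, pid=27912, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 32
  msg: dsdb_access: Access check failed on CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=jbp25,DC=intranet
[2023/08/11 16:30:11.078147, 11, pid=27912, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: ldb_trace_response: DONE
  error: 1
  msg: Indexed and full searches both failed!
"""

# A record starts with a '[timestamp, level, pid=..., ..., class=...]' header line.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+), pid=(?P<pid>\d+), .*class=(?P<cls>\w+)\]")
DENIED_RE = re.compile(r"Access check failed on (?P<dn>.+)$")


def parse_ldb_trace(text: str) -> List[Dict[str, str]]:
    """Group the trace into records: one header line followed by indented 'key: value' lines."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(dict(m.groupdict()))
        elif records and line.startswith("  "):
            key, _, value = line.strip().partition(": ")
            records[-1][key] = value  # e.g. 'error' -> '32', 'msg' -> 'dsdb_access: ...'
    return records


def find_blocking_objects(text: str) -> List[str]:
    """Return the DNs whose access check failed (ldb error 32 = LDB_ERR_NO_SUCH_OBJECT)
    before the search was abandoned with error 1 (LDB_ERR_OPERATIONS_ERROR)."""
    denied: List[str] = []
    for rec in parse_ldb_trace(text):
        msg = rec.get("msg", "")
        m = DENIED_RE.search(msg)
        if m:
            denied.append(m.group("dn"))
        elif rec.get("error") == "1" and "searches both failed" in msg:
            return denied  # the operations error: everything denied so far is a candidate
    return []  # no operations error seen, so nothing blocked the search
```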