[cifs-protocol] DirSync ACLs and Deleted Objects

Andrew Bartlett abartlet at samba.org
Mon Oct 23 21:15:05 UTC 2023


Hi Dochelp,

MS-ADTS 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID
describes LDAP_DIRSYNC_OBJECT_SECURITY as:

  Windows Server 2003 operating system and later: If this flag is
  present, the client can only view objects and attributes that are
  otherwise accessible to the client. If this flag is not present, the
  server checks if the client has access rights to read the changes in
  the NC.

  Windows 2000 operating system: Not supported.


However, there is an exception.  Objects that are deleted are returned,
despite the ACL on CN=Deleted Objects.  They are stripped of most
information, but a filter attack (e.g. search for CN=a*) can be used to
discover the values - an object is returned or not - showing that the
objects are readable in that context.

MSRC has just closed my case (82978) as it was determined this issue
doesn't cross any MSRC recognized security boundaries.

However, neither is this documented.  There is nothing in the above
reference nor in MS-DRSR 5.115.3 ProcessDirSyncSearchRequest that
explains how ACLs are applied to DirSync in the normal case, nor the
apparent exception for CN=Deleted Objects.  

The reason I say 'apparent exception' is that, if the ACL that blocks
'list children' on CN=Deleted Objects were honoured, then:

bin/ldbsearch -H ldap://192.168.122.230 -Uandrew%password ou=spy2\* --controls=dirsync:1:1:0
Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it

# record 1
dn:
objectGUID: 0ae90a39-9fbe-4a77-8651-abefa1f1eace
isDeleted: TRUE
isRecycled: TRUE

Should not be able to return anything, and shouldn't indicate that an
object known previously as spy2 existed.

From testing, it appears that only this special DN is excluded - if we
have an object that is hidden because the parent denies 'List
Children', then it doesn't show up.  So, if we are going to get our
DirSync behaviour more consistent, we would like to be sure of exactly
what the rules are here.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
