[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Andrew Bartlett
abartlet at samba.org
Wed Nov 22 20:22:31 UTC 2023
On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote:
> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:
> > Are you sure that the ACLs on all the items in the chain should
> > allow reading?
>
> It's an excellent question, thank you - I'd like to just say "Yes" but
> I will certainly check, as it's of course possible that my domain was
> misconfigured previously, and the change has in fact introduced
> correct behaviour.
>
> Am I right in thinking that the objects I need to look at are
> - the group itself
> - all (some?) members of the group
> - any others?
The full chain.
> Are permissions checked in a hierarchical fashion, i.e. if OU=myou does
> not allow a particular user to read it, then would
> CN=somegroup,OU=myou still be denied regardless of the explicit
> permissions on the CN=somegroup,OU=myou object?
That is what I am getting at. The full chain must be checked.
> And I believe I'm
> correct in thinking that a user can be a member of a group, even
> though that user might not have permission to read the group
> themselves...?
They can be members; when Samba assigns group memberships it does so as
'system' via other code, but reading them via this mechanism for an
unprivileged user won't work.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions