[cifs-protocol] DirSync ACLs and Deleted Objects - TrackingID#2310230040015878
Obaid Farooqi
obaidf at microsoft.com
Fri Oct 27 19:29:09 UTC 2023
Hi Andrew:
I'll help you with this issue.
I need a little clarification. I did not understand what you have in the following sentence between dashes:
"They are stripped of most information, but a filter attack (eg search for CN=a*) can be used to discover the values - an object is returned nor not - showing that the objects are readable in that context."
Do you mean "whether an object is returned or not"?
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
-----Original Message-----
From: Obaid Farooqi
Sent: Monday, October 23, 2023 5:18 PM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Microsoft Support <supportmail at microsoft.com>
Subject: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878
Hi Andrew:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Monday, October 23, 2023 4:15 PM
To: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] DirSync ACLs and Deleted Objects
Hi Dochelp,
MS-ADTS 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID describes LDAP_DIRSYNC_OBJECT_SECURITY as:
Windows Server 2003 operating system and later: If
this flag is present, the client can only view objects and attributes
that are otherwise accessible to the client. If this flag is not present, the
server checks if the client has access rights to read the changes in the NC.
Windows 2000 operating system: Not supported.
However, there is an exception. Objects that are deleted are returned, despite the ACL on CN=Deleted objects. They are stripped of most information, but a filter attack (eg search for CN=a*) can be used to discover the values - an object is returned nor not - showing that the objects are readable in that context.
MSRC has just closed my case (82978) as it was determined this issue doesn't cross any MSRC recognized security boundaries.
However, neither is this documented. There is nothing in the above reference nor in MS-DRSR 5.115.3 ProcessDirSyncSearchRequest that explains how ACLs are applied to DirSync in the normal case, nor the apparent exception for CN=Deleted Objects.
The reason I say 'apparent exception' is that, if the ACL that blocks 'list children' on CN=Deleted Objects were honoured, then:
bin/ldbsearch -H ldap://192.168.122.230 -Uandrew%password ou=spy2\*
--
controls=dirsync:1:1:0
Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
# record 1
dn:
objectGUID: 0ae90a39-9fbe-4a77-8651-abefa1f1eace
isDeleted: TRUE
isRecycled: TRUE
Should not be able to return anything, and shouldn't indicate that an object known previously as spy2 existed.
>From testing, it appears that only this special DN is excluded - if we have an object that is hidden because the parent denies 'List Children', then these don't show up. So, if we are going to get our DirSync behaviour more consistent, we would like to be sure of exactly what the rules are here.
Thanks,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the cifs-protocol
mailing list