[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error

Rowland Penny rowlandpenny241155 at gmail.com
Thu Sep 24 08:54:37 UTC 2015

On 24/09/15 09:38, Andrew Bartlett wrote:
> On Thu, 2015-09-24 at 08:46 +0100, Rowland Penny wrote:
>> It would seem that by allowing ',' & '=' in the 'CN' you are also going
>> to allow it in the 'sAMAccountName', where according to Microsoft it
>> isn't allowed.
> Very interesting.  It seems we have two bugs, because those checks
> belong in the samldb layer, not in upgrade.py (except as a more helpful
> wrapper).  Sadly such checks are not currently performed.  Would you
> like to make a patch?

Well, no I wouldn't like to make a patch, because if I do make a patch 
it will be to check if the group name contains any invalid characters 
and any such patch would mean your patch wouldn't be needed.

I suggest that something is put on the classicupgrade wiki page to 
inform users that you cannot have group names (and I believe other 
object names) that contain " / \ [ ] : ; | = , + * ? <>

> Regardless we should not put user data directly into LDB DNs or filters
> without escaping, here or anywhere else (and fixing it here helps set
> the pattern for code copied elsewhere in Samba, which happens a lot).
> Thanks,
> Andrew Bartlett
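
The two points raised in this message, rejecting names that contain the listed characters and escaping user data before it goes into a DN or a search filter, shown as an added example. It is not part of the original e-mail and is not Samba's ldb or upgrade.py code. The function names, the sample group name and the base DN are constructed for illustration, and the escaping follows RFC 4514 (DN values) and RFC 4515 (filter values).

```python
# Added example: stand-alone RFC 4514 / RFC 4515 escaping, not Samba's code.

# Characters the message lists as not allowed in group names.
SAM_INVALID = set('"/\\[]:;|=,+*?<>')
# Characters that get a backslash prefix inside a DN attribute value.
DN_SPECIAL = set('"+,;<>\\=')
FILTER_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def invalid_sam_chars(name):
    """Return the sorted characters in name that appear in the listed set."""
    return sorted(set(name) & SAM_INVALID)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == '\0':
            out.append(r'\00')
        elif ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                      # leading '#'
            out.append(r'\#')
        elif ch == ' ' and i in (0, len(value) - 1):    # leading/trailing space
            out.append(r'\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515, section 3)."""
    return ''.join(FILTER_SPECIAL.get(ch, ch) for ch in value)


def build_group_lookup(name, base_dn):
    """Build (dn, filter) so that name cannot change the structure of either."""
    dn = 'CN=%s,%s' % (escape_dn_value(name), base_dn)
    flt = '(&(objectClass=group)(sAMAccountName=%s))' % escape_filter_value(name)
    return dn, flt


if __name__ == '__main__':
    name = 'Sales, EMEA=West (*)'   # constructed sample, not from the thread
    print(invalid_sam_chars(name))
    print(*build_group_lookup(name, 'CN=Users,DC=example,DC=com'), sep='\n')
```

The DN and the filter need different escaping: ',' and '=' are structural in a DN but harmless in a filter value, while '(' ')' and '*' are the reverse.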
