[Samba] Ldapsearch against Samba AD returns records outside the search base

Andrew Bartlett abartlet at samba.org
Sat Feb 1 19:20:04 UTC 2020

On Fri, 2020-01-31 at 15:50 +0200, Palle Kuling via samba wrote:
> Hi,
> I noticed the following problem with records returned outside the search 
> base when the query is run against a Samba DC, but when the same query 
> is run against a Windows 2008 or 2012 DC it does not happen. I'm pretty 
> sure it worked correctly in the past. I updated from Samba 4.9.4 to 
> 4.11.4 in December, but I noticed it only today, and I no longer have a 
> backup of the old installation to verify. I tried building versions 
> 4.11.5 and 4.11.6 against the same database, but they all behave in the 
> same way. Am I missing some config option, or is it a bug? 

Something as fundamental as this can't be configured, this is a
worrying bug.

> These kinds 
> of queries are used to check if an account exists in a certain OU, so I 
> would not want the DCs to behave differently for the same query.


> This is how it looks when I run a query (I redacted the domain and 
> account names a bit):
> ldapsearch -D username@internal.xxx.yy -w password -H ldaps://<samba DC> 
> -s one -b ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin
> # extended LDIF
> #
> # LDAPv3
> # base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
> # filter: samaccountname=testadmin
> # requesting: ALL
> #

This is a worry.  Can you file a bug?  I've sent you an invite to our
bugzilla.  It seems we have an issue here applying the 'onelevel'

There have been some pretty major changes (which allowed Samba's AD DC
to grow to the scale and performance it now has) between 4.9 and 4.11,
and I'm very keen to learn as much as possible about this bug.

To be clear, I consider this a very serious regression, you absolutely
should expect Samba to honour the LDAP specification and match Windows
AD behaviour!

That you can reproduce it with ldapsearch is awesome.  Does it
reproduce with ldbsearch?  Please run it like this:

ldbsearch -H ldaps://<samba DC> -s one -b
ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin -U$USER

ldbsearch -H ldb://usr/local/samba/private/sam.ldb -s one -b
ou=business,dc=internal,dc=xxx,dc=yy samaccountname=testadmin -U$USER

I ask this not to discount your bug, just to isolate layers.  I notice
in your thread with Rowland then you did a search against the backend
DB which behaved correctly.  That is useful information, as the 'AD'
semantics are invoked one layer up from there, on sam.ldb.

Finally, does it happen if you join a new DC to the domain, or only on
your upgraded DC?

If it does happen on a joined DC, and you can create a new lab domain
and reproduce it there it would be awesome, and give us a safe place to
test more theories:


In particular, if you could join older versions of Samba to that lab
domain, and perform a bisect to find where this was broken, this would
be awesome.   If you could do a git bisect down to the commit that
would be even better, if that is within your capability.

If for some reason rejoining is a problem (it can be tedious in a
bisect), just be aware of these notes on downgrading the DB in-place:


Thank you so much for reporting this issue, I hope we get to the bottom

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
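An added check, not part of this thread or of Samba, that takes the LDIF printed by an ldapsearch like the one quoted above and reports every returned DN that the requested scope should have excluded (the symptom under discussion). The sample LDIF, the DNs and the function names are constructed for the example.

```python
import base64

# Constructed sample of what a scope=one result might look like on an affected DC:
# the second entry lives in a nested OU and must not appear in a "oneLevel" result.
SAMPLE_LDIF = """\
# extended LDIF
# base <ou=business,dc=internal,dc=xxx,dc=yy> with scope oneLevel
# filter: samaccountname=testadmin

dn: CN=testadmin,OU=business,DC=internal,DC=xxx,DC=yy
sAMAccountName: testadmin

dn: CN=testadmin,OU=admins,OU=business,DC=internal,DC=xxx,DC=yy
sAMAccountName: testadmin
"""

def split_dn(dn):
    """Split a DN into normalised RDNs (lower-cased, whitespace trimmed).
    Backslash-escaped commas stay inside their RDN; multi-valued RDNs are kept as-is."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pair together
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(cur).strip().lower()); cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip().lower())
    return parts

def out_of_scope(ldif_text, base, scope="one"):
    """Return the DNs in ldif_text that a search of `scope` on `base` must not return:
    'base' => DN equals base; 'one' => direct child of base; 'sub' => base or below."""
    base_parts = split_dn(base)
    n = len(base_parts)
    bad = []
    for line in ldif_text.splitlines():
        low = line.lower()
        if low.startswith("dn::"):                  # base64-encoded DN form of LDIF
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif low.startswith("dn:"):
            dn = line[3:].strip()
        else:
            continue
        parts = split_dn(dn)
        if scope == "base":
            ok = parts == base_parts
        elif scope == "one":
            ok = len(parts) == n + 1 and parts[1:] == base_parts
        else:                                       # 'sub'
            ok = len(parts) >= n and parts[-n:] == base_parts
        if not ok:
            bad.append(dn)
    return bad
```

Pipe the output of the ldapsearch command from the post into this function with the same base and scope; an empty list means the DC honoured the scope, anything else is the regression reproduced.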
