[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Andrew Bartlett abartlet at samba.org
Mon Nov 6 19:24:27 UTC 2023


On Mon, 2023-11-06 at 15:51 +0100, Kees van Vloten via samba wrote:
> Op 06-11-2023 om 15:40 schreef Jonathan Hunter:
> > On Mon, 6 Nov 2023 at 14:32, Kees van Vloten <
> > keesvanvloten at gmail.com
> > > wrote:
> > > Op 06-11-2023 om 14:58 schreef Jonathan Hunter:
> > > > Interestingly, I've now found that (on my current DCs, running
> > > > 4.18.5), ldbsearch *does* seem to return the expected result,
> > > > but the
> > > > same query via ldapsearch does not.
> > > 
> > > What if you try to use starttls instead of ldaps?
> > > 
> > > ldapsearch -H ldap://dc2.mydomain.org -ZZ -x -W -D Administrator@mydomain \
> > >     -b "dc=mydomain,dc=org" \
> > >     "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=somegroup,OU=someou,DC=mydomain,DC=org))"
> > 
> > Good thinking. Unfortunately, identical results with ldap:// and
> > -ZZ,
> > the search still doesn't return any results :(
> > 
> > I'll figure out a way to script restoration of the domain into
> > different samba versions via docker, and use git bisect to track
> > down
> > when things changed.
> 
> Another thought: you could share your smb.conf, perhaps somebody
> finds the culprit, if that's the issue.

None of this is controlled via the smb.conf, so don't stress with
that.  Yes, docker would be fine, and a good idea, you don't need the
sysvol files for a bisect of this.

But what I will say is that if this works locally but fails over LDAP,
it is permissions.  We had to make some pretty drastic changes
to the permissions handling to avoid side channel attacks on filters
and that will be the change here, so if a full bisect is overwhelming,
just do before and after the CVEs on the LDAP confidential attributes
(there were two sets).

Also, as a data point, just try adding memberOf as a returned attribute
and see if it 'fixes' it. 

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
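As an added example (not code from this thread or from the Samba project), here is a small Python helper for the comparison Andrew suggests: parse the LDIF that ldbsearch (run locally on the DC) and ldapsearch (over LDAP, once with the default attribute list and once with memberOf explicitly requested) return for the same chained-membership filter, and report which entries only the local query sees. It also builds that filter with RFC 4515 escaping of the group DN. The three LDIF samples at the bottom are constructed for the demonstration, not captured output; the user and group names in them are made up.

```python
"""Compare LDIF results of one chained-membership search run locally (ldbsearch)
and over LDAP (ldapsearch), to tell a permissions problem from a filter problem."""
import base64
from typing import Dict, List, Set

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def chained_member_filter(group_dn: str) -> str:
    """Filter matching person objects that are transitive members of group_dn."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF search output into {attribute: [values]} dicts: unfolds continuation
    lines, decodes base64 ('::') values, skips '#' comments and blocks without a dn."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]  # drops ldapsearch's search:/result: trailer

def entry_dns(entries: List[Dict[str, List[str]]]) -> Set[str]:
    """Case-folded DNs, so output from both tools compares regardless of case."""
    return {e["dn"][0].lower() for e in entries}

def diagnose(local_ldif: str, remote_ldif: str, remote_memberof_ldif: str) -> Dict[str, object]:
    """Compare the three result sets and say where to look next."""
    local = entry_dns(parse_ldif(local_ldif))
    remote = entry_dns(parse_ldif(remote_ldif))
    remote_mo = entry_dns(parse_ldif(remote_memberof_ldif))
    missing = local - remote
    if local and not remote:
        verdict = "permissions"
        note = ("matches locally but nothing over LDAP: check how the attributes used in the "
                "filter are protected (confidential-attribute handling / ACLs), not smb.conf")
    elif local == remote:
        verdict, note = "consistent", "local and LDAP results agree"
    else:
        verdict, note = "partial", "some entries differ: inspect the ACLs on the listed DNs"
    return {"verdict": verdict, "note": note,
            "local_only": sorted(missing), "remote_only": sorted(remote - local),
            "returned_once_memberof_requested": sorted(missing & remote_mo)}

# --- Constructed sample output (not captured from a real DC) ---------------------------
_NESTED_B64 = base64.b64encode(b"CN=nestedgroup,OU=someou,DC=mydomain,DC=org").decode()

# ldbsearch run on the DC itself: both users found, one memberOf value base64-encoded
LOCAL_LDBSEARCH = f"""\
dn: CN=Alice Example,OU=someou,DC=mydomain,DC=org
sAMAccountName: alice

dn: CN=Bob Example,OU=someou,DC=mydomain,DC=org
sAMAccountName: bob
memberOf:: {_NESTED_B64}

# returned 2 records
"""

# ldapsearch with the default attribute list: only the trailer, no entries
REMOTE_LDAPSEARCH = "# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 1\n"

# ldapsearch -LLL with memberOf requested explicitly; the first dn is folded the way
# ldapsearch wraps long values
REMOTE_LDAPSEARCH_MEMBEROF = f"""\
dn: CN=Alice Example,OU=someou,DC=mydomain,
 DC=org
sAMAccountName: alice

dn: CN=Bob Example,OU=someou,DC=mydomain,DC=org
sAMAccountName: bob
memberOf:: {_NESTED_B64}
"""
```

In practice you would redirect each of the three searches to a file and call `diagnose()` on the file contents; the constructed samples reproduce the situation described in the thread (local hits, empty LDAP result, hits again once memberOf is requested), which the helper classifies as "permissions".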
