[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Jonathan Hunter
jmhunter1 at gmail.com
Fri Nov 10 15:50:01 UTC 2023
On Fri, 10 Nov 2023 at 02:57, Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Thu, 2023-11-09 at 23:29 +0000, Jonathan Hunter via samba wrote:
> > Hi Andrew,
> >
> > Sorry for the couple of days silence; I've been creating a bash
> > script to use with 'git bisect' (it's been a little slow in my testing
>
> No worries! Most folks just run away when I suggest it, but it is a good
> way to get a lead on a problem that doesn't involve deep diagnostics on
> my side, so is an efficient way that I can get users to help, without
> stretching me too thin.
Indeed.
Whilst I have no expectation that my test script is efficient or
optimal in any way, I couldn't see an existing guide on the samba wiki
so I created a page that should hopefully help others, using my script
as an initial example
https://wiki.samba.org/index.php?title=Using_git_bisect_to_locate_a_Samba_issue
> > As of 4.18.5:
> > - ldbsearch -H ldap:// - FAIL
> > - ldbsearch -H sam.ldb - PASS
> > - ldapsearch -H ldap:// - FAIL
>
> OK, so it is most likely the permissions handling.
>
> If your automated bisect becomes a pain, or you want to debug in the
> traditional way, look into permissions and ensure your connecting user
> can see all the way down the chain, and check if specifying the matched
> attribute helps.
Thank you.
The git bisect has now finished, and you may share my lack of surprise
at the eventual commit it landed on :)
0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c is the first bad commit
commit 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c
CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on
SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
I've created a bug for this in bugzilla, hope that's helpful:
https://bugzilla.samba.org/show_bug.cgi?id=15515
Let me know how I can help next,
Thanks
Jonathan