[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Andrew Bartlett abartlet at samba.org
Wed Nov 22 01:03:19 UTC 2023


On Wed, 2023-11-22 at 00:07 +0000, Jonathan Hunter via samba wrote:
> Hi Andrew
> On Fri, 10 Nov 2023 at 15:50, Jonathan Hunter <jmhunter1 at gmail.com>
> wrote:
> > 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c is the first bad commit
> > commit 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c
> >   CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on
> >   SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
> > I've created a bug for this in bugzilla, hope that's helpful:
> > https://bugzilla.samba.org/show_bug.cgi?id=15515
> 
> Is there anything I can do to help with this?
> Looking through git changes, I found this commit with the same
> commit message as returned by my 'git bisect' (I am not sure why the
> commit IDs are different to the output of my 'git bisect'?), that
> looks like a very simple change:
> https://gitlab.com/samba-team/samba/-/commit/dfe7b05730425e9f1b0616bb7757dbf77bae6cd2
> (if the view I get from gitlab is correct, it's a one-line change
> to lib/ldb-samba/ldb_matching_rules.c )
> I checked out revision samba-4.19.2 and reverted just this one
> line change, and can confirm that my LDAP query works correctly again
> in that scenario.
> I'm sure the fix isn't as simple as "revert the change", as it
> was added for a reason - but it seems to have led to a regression for
> me and has broken my LDAP searches that use
> LDAP_MATCHING_RULE_IN_CHAIN. Is there any sensible route I can help
> move this forward?

Are you sure that the ACLs on all the items in the chain should allow
reading?
Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd


Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions




