[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
Yohannès ALEMU
yalemu at tranquil.it
Wed Nov 29 14:22:07 UTC 2023
Hi Jonathan and Andrew,
> Reminder of my original LDAP query:
> (&
> (objectCategory=Person)
> (sAMAccountName=*)
> (memberOf:1.2.840.113556.1.4.1941:=CN=mygroup,OU=myou,DC=mydomain,DC=org)
> )
I came across the same/similar issue yesterday and found the origin that
triggered the issue (at least in my case). I've added a response to your
bugzilla entry [1].
To make it short, if you have a GPO where the "Authenticated Users" security
token has been removed from the ACE, then the
memberOf:1.2.840.113556.1.4.1941 OID does not work anymore for anyone
but "Domain Admins" members...
It looks like a bug introduced when fixing CVE-2023-0614. I didn't
have time to investigate more as it was OK to re-introduce
"Authenticated Users" to those GPOs (the delegated admin was a bit too
zealous when removing that security token).
Cheers,
Yohannès, Simon and Denis
[1] https://bugzilla.samba.org/show_bug.cgi?id=15515
>
> Thank you!
>
> Jonathan
>
> "If we knew what it was we were doing, it would not be called
> research, would it?"
> - Albert Einstein
>
*Yohannès ALEMU*
*Technical Team Leader*
Tranquil IT
12 avenue Jules Verne (Bât. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel: +33 (0) 240 975 755
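The following is an added example for readers of this thread; it is not code from the mailing-list post, from Samba, or from Tranquil IT. It builds the chained-membership filter quoted at the top of the message (with the group DN escaped per RFC 4515), computes a client-side reference set of users that the 1.2.840.113556.1.4.1941 rule should return by walking group nesting over a small directory, and reports which DNs a server's chained query omitted. The in-memory directory, user names and `missing_from_server` helper are constructed for the example; to use the check against a real DC you would replace the constructed `server_result` with the DNs returned by the chained search under the non-admin bind that shows the symptom.

```python
"""Reference check for memberOf:1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)."""
from collections import defaultdict, deque

# OID of the extensible match rule that resolves nested group membership server-side.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that would otherwise alter filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value (here a DN) for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_chain_filter(group_dn: str) -> str:
    """The filter from the thread, with the target group DN escaped."""
    return (
        "(&(objectCategory=Person)(sAMAccountName=*)"
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def transitive_user_members(directory: dict, group_dn: str) -> set:
    """Client-side reference: users whose memberOf chain reaches group_dn at any depth.

    This is what the chain rule should return when the bind account can read
    every memberOf attribute along the nesting path."""
    direct_members = defaultdict(list)  # group DN -> DNs that list it in memberOf
    for dn, attrs in directory.items():
        for parent in attrs.get("memberOf", []):
            direct_members[parent].append(dn)
    seen, queue, users = set(), deque([group_dn]), set()
    while queue:
        current = queue.popleft()
        for member in direct_members[current]:
            if member in seen:
                continue
            seen.add(member)
            attrs = directory[member]
            if attrs.get("objectCategory") == "Person" and attrs.get("sAMAccountName"):
                users.add(member)
            else:
                queue.append(member)  # nested group: keep descending
    return users


def missing_from_server(reference: set, server_result: set) -> list:
    """DNs the server's chained query omitted; non-empty under a non-admin bind
    is the reduced-visibility symptom described in the thread."""
    return sorted(reference - server_result)


# Constructed directory (hypothetical names; only the group/OU DN shape follows the thread).
BASE = "OU=myou,DC=mydomain,DC=org"
GROUP_DN = f"CN=mygroup,{BASE}"
SUBGROUP = f"CN=subgroup,{BASE}"
ALICE, BOB, CAROL = (f"CN={n},{BASE}" for n in ("alice", "bob", "carol"))
DIRECTORY = {
    ALICE: {"objectCategory": "Person", "sAMAccountName": "alice", "memberOf": [SUBGROUP]},
    BOB: {"objectCategory": "Person", "sAMAccountName": "bob", "memberOf": [GROUP_DN]},
    CAROL: {"objectCategory": "Person", "sAMAccountName": "carol", "memberOf": []},
    SUBGROUP: {"objectCategory": "Group", "memberOf": [GROUP_DN]},
    GROUP_DN: {"objectCategory": "Group", "memberOf": []},
}

if __name__ == "__main__":
    print(build_chain_filter(GROUP_DN))
    reference = transitive_user_members(DIRECTORY, GROUP_DN)
    # Constructed server result standing in for a chained search run as a plain user.
    server_result = {BOB}
    print("omitted by server:", missing_from_server(reference, server_result))
```

Running the chained search once as a Domain Admins member and once as an ordinary user, then diffing both against the reference, separates a genuine membership change from the ACL-dependent behaviour the thread reports.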