Bug 10493 - LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN not working
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.3.0rc1
Hardware: x64 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 11137
Reported: 2014-03-10 09:16 UTC by Felix Zachlod
Modified: 2016-06-07 23:14 UTC
CC: 7 users


4.2 patch cherry-picked from master (46.48 KB, patch)
2015-03-06 02:41 UTC, Andrew Bartlett
abartlet: review? (jelmer)
Patch to remove this feature from 4.3 (15.23 KB, patch)
2015-08-17 04:31 UTC, Andrew Bartlett
no flags
Patch to remove this feature from 4.3 (15.44 KB, patch)
2015-08-17 04:33 UTC, Andrew Bartlett
metze: review+

Description Felix Zachlod 2014-03-10 09:16:35 UTC
According to http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

on a MS AD controller the extended rule 1.2.840.113556.1.4.1941 ("LDAP_MATCHING_RULE_IN_CHAIN") can be used to find transitive group memberships from an Active Directory.

This does not work on Samba4 LDB.

ldapsearch returns an empty result and ldbsearch returns 

ldb: unknown extended rule_id 1.2.840.113556.1.4.1941

That means there is currently no possibility to check for nested group memberships with a simple ldap query on Samba 4.
Comment 1 Felix Zachlod 2014-03-10 12:18:38 UTC
I tested this against a mixed domain consisting of a samba 4.1 dc and a win 2k8 r2 dc. The win 2k8 correctly answers with all nested groups trying this:

ldapsearch -LLL -H ldap://host.name.local -x -D 'DOMAIN\Administrator' -w 'password' -b 'ou=XXX,dc=domain,dc=company,dc=loc' 'member:1.2.840.113556.1.4.1941:=cn=User CN,ou=XXX,dc=domain,dc=company,dc=loc'

The Samba 4.1 does not return anything.
Comment 2 François Conil 2015-02-19 22:43:14 UTC
Having the exact same issue with samba 4.1.11+dfsg-1~bpo70+1 on debian x64.
Comment 3 Andrew Bartlett 2015-02-19 22:51:10 UTC
A fix for this is in Samba git master.
Comment 4 Andrew Bartlett 2015-03-06 02:41:27 UTC
Created attachment 10824 [details]
4.2 patch cherry-picked from master

This patch is on the basis that the subunit backport patch series is appropriate for 4.2.
Comment 5 Suffield Academy 2015-08-04 14:32:20 UTC
User testing notes here.

We applied "4.2 patch cherry-picked from master" on Debian amd64 to
sernet-samba-4.2.2 sources and re-built debs.

Confirmed that the transitive search worked correctly for a small test.

However, extended testing caused samba to panic when we tested a
transitive search with a non-existent group DN in the search.

For example, the following works:

ldbsearch -H /var/lib/samba/private/sam.ldb -s sub -b \
"dc=ad,dc=example,dc=org" \
'(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=org)'

However, this causes a panic (note the misspelling of the final domain component):

ldbsearch -H /var/lib/samba/private/sam.ldb -s sub -b \
"dc=ad,dc=example,dc=org" \
'(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=orgs)'

INTERNAL ERROR: Signal 11 in pid 18256
Please read the Trouble-Shooting section of the Samba HOWTO
PANIC: internal error

We reverted to sernet-4.2.2 without patches, and the search fails but
does not cause a panic:

ldbsearch -H /var/lib/samba/private/sam.ldb -s sub -b \
"dc=ad,dc=example,dc=org" \
'(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=orgs)'
ldb: unknown extended rule_id 1.2.840.113556.1.4.1941

So we believe the bug is introduced in the patch.
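The description and the ldbsearch runs above both rely on what the in-chain rule computes: the transitive closure of a link attribute (memberOf or member) from each entry. As an added example (not Samba or ldb code), here is a small Python model of that evaluation over a constructed directory, written so that a non-existent target DN such as the DC=orgs typo above yields an empty result rather than a fault; BASE, DIRECTORY and the function names are assumptions of this example.

```python
from collections import deque

RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

BASE = "CN=Users,DC=ad,DC=example,DC=org"
# Constructed sample directory (not real data): DN -> attributes.
DIRECTORY = {
    "CN=Domain Admins," + BASE: {"member": ["CN=Ops Leads," + BASE]},
    "CN=Ops Leads," + BASE: {"member": ["CN=Alice," + BASE],
                             "memberOf": ["CN=Domain Admins," + BASE]},
    "CN=Alice," + BASE: {"memberOf": ["CN=Ops Leads," + BASE]},
    "CN=Staff," + BASE: {"member": ["CN=Bob," + BASE]},
    "CN=Bob," + BASE: {"memberOf": ["CN=Staff," + BASE]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def in_chain_filter(attr, dn):
    """The extensible-match filter form used in the bug report."""
    return "(%s:%s:=%s)" % (attr, RULE_IN_CHAIN, escape_filter_value(dn))

def _norm(dn):
    # Simplification for this example: AD DNs compare case-insensitively.
    return dn.lower()

def entry_in_chain(directory, start_dn, attr, target_dn):
    """True if target_dn is reachable from start_dn by following attr
    transitively. An unknown DN simply has no links, so a typo such as
    DC=orgs gives no match instead of an error; seen stops cycles."""
    index = {_norm(dn): attrs for dn, attrs in directory.items()}
    target, seen = _norm(target_dn), set()
    queue = deque([_norm(start_dn)])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for linked in index.get(dn, {}).get(attr, []):
            if _norm(linked) == target:
                return True
            queue.append(_norm(linked))
    return False

def search_in_chain(directory, attr, target_dn):
    """All entry DNs that (attr:1.2.840.113556.1.4.1941:=target_dn) matches."""
    return sorted(dn for dn in directory
                  if entry_in_chain(directory, dn, attr, target_dn))
```

search_in_chain(DIRECTORY, "memberOf", "CN=Domain Admins," + BASE) lists every transitive member of the group, and the same call with "member" and a user DN lists every group that transitively contains the user.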
Comment 6 Andrew Bartlett 2015-08-16 05:02:37 UTC
We should probably revert this for 4.3, until someone has the time to fix it.  

Samuel / Kamen,

My view is that we will need a fix and matching tests to keep this in.  Do you have any time to look at this?
Comment 7 Andrew Bartlett 2015-08-16 05:03:28 UTC

What is the right way to flag that we need to deal with this one way or the other for 4.3?

Comment 8 Andrew Bartlett 2015-08-17 04:31:23 UTC
Created attachment 11341 [details]
Patch to remove this feature from 4.3

Sadly with only a day to go before the last RC of Samba 4.3, we have no choice but to back this out of the release.

I'll also submit this to samba-technical.  Hopefully I can get Adrian to look at the proper fix for 4.4.
Comment 9 Andrew Bartlett 2015-08-17 04:33:56 UTC
Created attachment 11342 [details]
Patch to remove this feature from 4.3

This version has signed-off-by and BUG tags.
Comment 10 Stefan Metzmacher 2015-08-17 20:05:37 UTC
Comment on attachment 11342 [details]
Patch to remove this feature from 4.3

Pushed to autobuild-v4-3-test
Comment 11 Stefan Metzmacher 2015-08-18 11:31:09 UTC
Pushed to v4-3-test
Comment 12 Andrew Bartlett 2015-08-18 21:49:38 UTC
Thanks metze.  Re-opening to remember that we want the feature to work in the long term.
Comment 13 Andrew Bartlett 2015-12-13 04:05:57 UTC
The segfault has been found and new tests added, so we may be able to return this to Samba soon.
Comment 14 Garming Sam 2016-03-13 22:19:23 UTC
The patches are now again in master and should be in the 4.4 release.