Bug 10763 - LDAP search by objectSid with a lowercase 's' returns no results
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-08-07 12:46 UTC by Amon Sha
Modified: 2024-06-05 22:51 UTC

Attachments
Patch ldif_comparision_objectSid_isString function to accept lower-case SIDs (443 bytes, patch)
2014-08-07 12:48 UTC, Amon Sha
Description Amon Sha 2014-08-07 12:46:14 UTC
When searching LDAP with objectSid filter, like

ldapsearch -b 'dc=example,dc=com' objectSid=s-1-5-32

there are no results (should be "cn=Builtin,dc=example,dc=com").

Attached patch fixes the bug.
Comment 1 Amon Sha 2014-08-07 12:48:05 UTC
Created attachment 10183
Patch ldif_comparision_objectSid_isString function to accept lower-case SIDs
Comment 2 Andrew Bartlett 2017-01-03 03:08:53 UTC
As far as I'm aware, the objectSID=S-1-5-32 style filter is a Samba extension.  Therefore I would prefer to keep it strict, for performance and consistency. 

See http://blog.schertz.name/2008/03/searching-ad-for-a-user-account-with-a-sid/ for the contortions Microsoft makes Windows admins do to search, and please accept using an upper case S.

Thanks!
Comment 3 Amon Sha 2017-01-04 14:32:51 UTC
Well, I cannot remember the exact scenario (hell, it's over 9000^W two years), but it was definitely a Microsoft product I was installing when I'd encountered the issue. It was some component of a Sharepoint 2013 farm.

To make sure, I've just installed a test AD on Windows Server 2012 R2 (with domain/forest functional level 2008) and tried an ldapsearch with objectSid=S-1-5-32 style filter against it. Both uppercase and lowercase filters work perfectly.

BTW, Novell DSfW (which we are using at the moment, while planning to migrate to Samba) also supports both upper- and lowercase objectSid searches.

It's not clear from the blog post mentioned, which AD version/functional level was being used. Might be that objectSid=S-1-5-32 style filters were only introduced in 2008.
Comment 4 Andrew Bartlett 2017-01-04 18:35:15 UTC
Thanks.  Sorry for the horribly long delay in even looking at these bugs properly.  

I'll get this sorted out. 

I didn't know DSfW still existed!  I look forward to your migration to Samba.
Comment 5 Amon Sha 2017-01-04 19:40:08 UTC
Yeah, DSfW is still alive and moving! Will be too for quite some time, until the new management at Micro Focus finds out Samba is the way to the bright future ;)

Not blaming you for taking so long to look at the bug report, cause it was not too serious.

And yes, Andrew, thank you very much for all the work you've done and keep doing!
Comment 6 Björn Jacke 2017-01-09 14:32:52 UTC
Please close the bug accordingly if you agree that this is not a bug.
Comment 7 Andrew Bartlett 2017-01-09 18:37:24 UTC
To be clear, thanks for the patch.  Given the clarification I'm inclined to include it, or something similar.  The only thing blocking it now is a test, so we don't regress.
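
An added example, not part of the bug thread and not Samba's code: a stand-alone SID string parser that accepts either "S-" or "s-" and compares SIDs by their binary encoding, the kind of check a regression test for this report would exercise. The function names and SID_MAX_* constants are hypothetical, and the identifier authority is assumed to be written in decimal.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SID_MAX_SUBAUTHS 15
#define SID_MAX_LEN (8 + 4 * SID_MAX_SUBAUTHS)

/* Parse one unsigned decimal field; signs and whitespace are rejected. */
static int parse_field(const char **p, uint64_t max, uint64_t *val)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return -1;
    unsigned long long v = strtoull(*p, &end, 10); /* saturates on overflow */
    if (v > max) return -1;
    *val = v; *p = end;
    return 0;
}

/* Encode "S-1-5-32" or "s-1-5-32" as a binary SID: revision, sub-authority
 * count, 48-bit big-endian authority, 32-bit little-endian sub-authorities.
 * out must hold SID_MAX_LEN bytes. Returns the length, or -1 if malformed. */
int sid_string_to_binary(const char *s, uint8_t *out)
{
    uint64_t rev, auth, sub;
    size_t n = 0;
    /* Case-insensitive prefix: the behaviour this report asks for. */
    if ((s[0] != 'S' && s[0] != 's') || s[1] != '-') return -1;
    s += 2;
    if (parse_field(&s, 255, &rev) || *s++ != '-') return -1;
    if (parse_field(&s, 0xFFFFFFFFFFFFULL, &auth)) return -1;
    out[0] = (uint8_t)rev;
    for (int i = 0; i < 6; i++) out[2 + i] = (uint8_t)(auth >> (8 * (5 - i)));
    while (*s == '-') {
        s++;
        if (n == SID_MAX_SUBAUTHS || parse_field(&s, 0xFFFFFFFFULL, &sub)) return -1;
        for (int i = 0; i < 4; i++) out[8 + 4 * n + i] = (uint8_t)(sub >> (8 * i));
        n++;
    }
    if (*s != '\0') return -1;
    out[1] = (uint8_t)n;
    return (int)(8 + 4 * n);
}

/* Two SID strings match when both parse and encode to the same bytes. */
int sid_strings_equal(const char *a, const char *b)
{
    uint8_t ba[SID_MAX_LEN], bb[SID_MAX_LEN];
    int la = sid_string_to_binary(a, ba), lb = sid_string_to_binary(b, bb);
    return la > 0 && la == lb && memcmp(ba, bb, (size_t)la) == 0;
}
```

Normalising to the binary form before comparing means the letter case of the prefix never reaches the comparison, so both spellings of the filter select the same object.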
Comment 8 Samba QA Contact 2024-05-08 00:27:12 UTC
This bug was referenced in samba master:
Comment 9 Douglas Bagnall 2024-06-05 22:51:00 UTC
Fixed in master (4.21).

If anyone wants to backport, shout out. Otherwise I will either close this in a few weeks, or forget and someone can close it when all supported versions are >= 4.21.