Bug 11751 - samr_GetAliasMembership fails if user DN contains '( )'
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.4.0rc3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-02-24 17:53 UTC by Mantas Mikulėnas (grawity)
Modified: 2016-07-29 02:36 UTC

patch (1.81 KB, patch)
2016-02-24 17:53 UTC, Mantas Mikulėnas (grawity)
abartlet: review+
abartlet: review? (garming)

Description Mantas Mikulėnas (grawity) 2016-02-24 17:53:45 UTC
Created attachment 11869

With Samba 4.4-rc, certain Windows features like `net user %USERNAME% /domain` or the "Advanced Security Settings → Effective Permissions" fail with the error message:

"The security database is corrupted."

This seems to happen when the user's DN contains a '(', causing dcesrv_samr_GetAliasMembership() to generate an invalid LDAP filter.

Attaching a patch based on commit 841845dea35089a187fd1626c9752d708989ac7b, which fixes an identical problem in another function.
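
The failure mode described above, as an added example that is not part of the bug report, the attached patch, or Samba's code: a DN containing `(` placed raw into a filter no longer parses as a single item, while escaping the value per RFC 4515 keeps it well formed. The sample DN, the `member` attribute and the function names `filter_escape`, `member_filter` and `is_simple_item` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample DN, not taken from the bug report. */
#define SAMPLE_DN "CN=Test User (Admin),CN=Users,DC=example,DC=com"

/* RFC 4515 value escaping: '*', '(', ')' and '\' become '\' + two hex digits.
 * outlen must be at least 1. Returns 0 on success, -1 if out is too small. */
int filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    out[0] = '\0';
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) >= outlen) return -1; /* keep room for NUL */
        o += (size_t)snprintf(out + o, outlen - o, special ? "\\%02x" : "%c", c);
    }
    return 0;
}

/* Build "(member=<dn>)" (attribute assumed), raw or escaped; NULL if too long. */
const char *member_filter(const char *dn, int escape)
{
    static char filter[600]; /* static buffer: result is overwritten per call */
    char val[512];
    int n;
    if (escape && filter_escape(dn, val, sizeof(val)) != 0) return NULL;
    n = snprintf(filter, sizeof(filter), "(member=%s)", escape ? val : dn);
    return (n > 0 && (size_t)n < sizeof(filter)) ? filter : NULL;
}

/* 1 if f is a single "(attr=value)" item whose value has no raw parenthesis. */
int is_simple_item(const char *f)
{
    size_t n = f ? strlen(f) : 0;
    const char *eq = n ? strchr(f, '=') : NULL;
    if (n < 4 || f[0] != '(' || f[n - 1] != ')' || eq == NULL) return 0;
    for (const char *p = eq + 1; p < f + n - 1; p++)
        if (*p == '(' || *p == ')') return 0;
    return 1;
}

int main(void)
{
    for (int esc = 0; esc <= 1; esc++) {
        const char *f = member_filter(SAMPLE_DN, esc);
        printf("%-64s simple_item=%d\n", f, is_simple_item(f));
    }
    return 0;
}
```
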
Comment 1 Andrew Bartlett 2016-02-24 21:30:03 UTC
Comment on attachment 11869

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

I'll see about getting this into Samba shortly!
Comment 2 Mantas Mikulėnas (grawity) 2016-04-29 07:06:00 UTC
Given the r+, would be nice to see this in Samba 4.5
Comment 3 Andrew Bartlett 2016-07-29 02:36:28 UTC
Fixed in 37ef959f37dc57302ff5824ff3223617863aad3e in 4.5.0rc1