11751 – samr_GetAliasMembership fails if user DN contains '( )'

Bug 11751 - samr_GetAliasMembership fails if user DN contains '( )'

Summary: samr_GetAliasMembership fails if user DN contains '( )'

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.4.0rc3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-02-24 17:53 UTC by Mantas Mikulėnas (grawity)
Modified:	2016-07-29 02:36 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
patch (1.81 KB, patch) 2016-02-24 17:53 UTC, Mantas Mikulėnas (grawity)	abartlet: review+ abartlet: review? (garming)	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mantas Mikulėnas (grawity) 2016-02-24 17:53:45 UTC

Created attachment 11869 [details]
patch

With Samba 4.4-rc, certain Windows features like `net user %USERNAME% /domain` or the "Advanced Security Settings → Effective Permissions" fail with the error message:

"The security database is corrupted."

This seems to happen when the user's DN contains a '(', causing dcesrv_samr_GetAliasMembership() to generate an invalid LDAP filter.

Attaching a patch based on commit 841845dea35089a187fd1626c9752d708989ac7b, which fixes an identical problem in another function.

Comment 1 Andrew Bartlett 2016-02-24 21:30:03 UTC

Comment on attachment 11869 [details]
patch

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

I'll see about getting this into Samba shortly!

Comment 2 Mantas Mikulėnas (grawity) 2016-04-29 07:06:00 UTC

Given the r+, would be nice to see this in Samba 4.5

Comment 3 Andrew Bartlett 2016-07-29 02:36:28 UTC

Fixed in 37ef959f37dc57302ff5824ff3223617863aad3e in 4.5.0rc1