The Samba-Bugzilla – Bug 11751
samr_GetAliasMembership fails if user DN contains '( )'
Last modified: 2016-07-29 02:36:36 UTC
Created attachment 11869 [details]
With Samba 4.4-rc, certain Windows features like `net user %USERNAME% /domain` or the "Advanced Security Settings → Effective Permissions" fail with the error message:
"The security database is corrupted."
This seems to happen when the user's DN contains a '(', causing dcesrv_samr_GetAliasMembership() to generate an invalid LDAP filter.
Attaching a patch based on commit 841845dea35089a187fd1626c9752d708989ac7b, which fixes an identical problem in another function.
Comment on attachment 11869 [details]
Reviewed-by: Andrew Bartlett <firstname.lastname@example.org>
I'll see about getting this into Samba shortly!
Given the r+, would be nice to see this in Samba 4.5
Fixed in 37ef959f37dc57302ff5824ff3223617863aad3e in 4.5.0rc1