The Samba LDAP server escapes "?" characters in the DN in search results.

According to RFC 4514 the "?" is not a character meant to be escaped:
String Representation of Distinguished Names: Converting an AttributeValue from ASN.1 to a String: https://tools.ietf.org/html/rfc4514#section-2.4

Therefore, e.g., the openldap tools ldap_bv2dn() and ldap_str2dn() fail to parse the DN (DECODING_ERROR). This makes these objects unusable with tools like e.g. python-ldap.

To reproduce this:

1. Create container "foo?bar"
> $ ldbedit -H /var/lib/samba/private/sam.ldb
> dn: CN=foo?bar,DC=school,DC=dev
> objectClass: container

2. Search for container:
> $ ldbsearch --debug-stderr -H ldaps://localhost -Umaster100$%password 'CN=foo*bar'
> # record 1
> dn: CN=foo\?bar,DC=school,DC=dev
> objectClass: top
> objectClass: container
> cn: foo?bar
> instanceType: 4
> whenCreated: 20190801201812.0Z
> whenChanged: 20190801201812.0Z
> uSNCreated: 40925
> uSNChanged: 40925
> showInAdvancedViewOnly: TRUE
> name: foo?bar
> objectGUID: 29087ce0-cae5-43ba-bf27-3a8bd3c59ea0
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=school,DC=dev
> distinguishedName: CN=foo\?bar,DC=school,DC=dev

See the printed DN, which contains "\?".
Indeed. If you add a "?" to a user's DN, then MMC also starts to show funny effects and crashes.
(In reply to Björn Jacke from comment #1) So this is also a security issue.
Created attachment 16119: possible patch

Are you able to compile with this patch? Looking at the file, it says we follow the older RFC2253, but my reading is that there is no difference there ("Implementations MAY escape other characters", but in that case "the character to be escaped is replaced by a backslash and two hex digits"). Also, I note we don't escape ';' in the proper way. We follow MS Active Directory over the RFC, but there appears to be no difference in this case. https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
Created attachment 16120: additional patch fixing ';' and '='

An additional patch for '=' and ';'. The RFCs say these characters { ' ', '"', '#', '+', ',', ';', '<', '=', '>', '\' } must be escaped in the "\c" form. Other characters can be escaped in the two hex digit "\hh" form, but characters in that list can't be.
Thank you for your patches. I built samba with them. Unfortunately the ? character is still escaped.
(In reply to Florian Best from comment #5) OK. The patches work for me in a testenv. My guess is if you add a new 'CN=foo?baz,DC=school,DC=dev', it will not be escaped. In other words, the escaping is being done on the way in. The simple fix will not fix existing question marks. For that we would need a repack.
(In reply to Douglas Bagnall from comment #6) > In other words, the escaping is being done on the way in. This looks to be the case with v2 ldap packing format, introduced in 4.11.
Douglas: can you make those patches into a merge request, so that we can get this fixed?
Björn, unfortunately it is way more complicated than that. We save a canonicalised version of the DN in the database (for fast comparisons), so if we fix the escaping we need to make an upgrade step that goes through and repacks all the objects. Also we need to separate canonicalName escaping from DN escaping. (see https://lists.samba.org/archive/cifs-protocol/2020-August/003511.html)
Wouldn't the upcoming 4.14 release be a good chance to get this fixed along with a forced repack?