Bug 14225 - creating ou AND user/group with same name MUST be forbidden
Summary: creating ou AND user/group with same name MUST be forbidden
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.12.2
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-23 10:39 UTC by Björn Jacke
Modified: 2020-05-04 23:23 UTC
CC List: 3 users

See Also:


Description Björn Jacke 2019-12-23 10:39:20 UTC
With Samba it's possible to create an organizationalUnit with the same name as the CN of a user or a group. This results in non-unique "name" attributes and MUST be forbidden. A Windows AD controller also does not allow this. This bug was found by Harry, I'll cc him here.
Comment 1 Björn Jacke 2020-05-04 10:36:54 UTC
Using ldbedit against w2k16:

adding a new user "ou2", where an OU with the same name exists results in this reply:

failed to add CN=ou2,OU=test-ou,DC=wdom2,DC=site - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071: UpdErr: DSID-030503C4, problem 6005 (ENTRY_EXISTS), data 0
> <>


adding a new OU "foo1", where a user with the same name exists results in this reply:

failed to add OU=foo1,OU=test-ou,DC=wdom2,DC=site - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -  <00002071: UpdErr: DSID-030503C4, problem 6005 (ENTRY_EXISTS), data 0
> <>

This is what Samba should also return here. Samba currently allows creating those objects without throwing an error.
Comment 2 Andrew Bartlett 2020-05-04 21:46:16 UTC
As noted, in Windows AD, the uniqueness constraint is on the RDN value, not the full RDN.

This is going to be really tricky to fix, not because of the extra LDB behaviour (not too hard really, just a new unique index), but because we will need to enforce this after an upgrade, and there may be a DB out there with these duplicates already.

Is this something you are looking to fix, or is this just a note so we have a place to start if somebody had the time?
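The constraint described in the comments above (uniqueness of the RDN value among siblings, regardless of whether the RDN attribute is CN or OU) can be checked offline against an existing directory before any upgrade that would start enforcing it. The following is an added example, not Samba code: it parses a list of DNs, groups entries by parent and RDN value, and reports groups where more than one entry shares a value. The DN list is constructed sample data modelled on the DNs quoted in comment 1; the helper names are the example's own.

```python
"""Detect sibling entries whose RDN values collide across different RDN
attribute types (e.g. CN=foo1 and OU=foo1 under the same parent).

Added example, not part of Samba. The sample DNs are constructed.
"""
import re
from collections import defaultdict

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def split_dn(dn):
    """Return the DN's RDN strings, leftmost (the entry's own RDN) first."""
    return [part.strip() for part in _RDN_SPLIT.split(dn)]


def parse_rdn(rdn):
    """Return (attribute, value), both lower-cased: AD compares DN
    components case-insensitively."""
    attr, _, value = rdn.partition('=')
    return attr.strip().lower(), value.strip().lower()


def _sibling_key(dn):
    """Key that must be unique among siblings: (parent DN, RDN value).
    The RDN attribute type is deliberately left out of the key."""
    parts = split_dn(dn)
    if len(parts) < 2:
        return None  # a bare root such as "DC=site" has no parent
    _attr, value = parse_rdn(parts[0])
    parent = ','.join(parts[1:]).lower()
    return parent, value


def find_rdn_value_collisions(dns):
    """Group existing entries by (parent, RDN value) and return the groups
    with more than one member; these are the duplicates a Windows DC would
    have refused with LDAP error 68 (ENTRY_ALREADY_EXISTS)."""
    groups = defaultdict(set)
    for dn in dns:
        key = _sibling_key(dn)
        if key is not None:
            groups[key].add(dn)
    return {key: sorted(entries)
            for key, entries in groups.items() if len(entries) > 1}


def rejects_add(existing_dns, new_dn):
    """The add-time check: True when the new entry's RDN value is already
    used by a sibling, whatever that sibling's RDN attribute is."""
    key = _sibling_key(new_dn)
    return key is not None and any(_sibling_key(dn) == key for dn in existing_dns)


# Constructed sample directory, modelled on the DNs quoted in the bug.
SAMPLE_DNS = [
    "OU=foo1,OU=test-ou,DC=wdom2,DC=site",       # an OU named foo1
    "CN=foo1,OU=test-ou,DC=wdom2,DC=site",       # a user named foo1: collision
    "CN=ou2,OU=test-ou,DC=wdom2,DC=site",        # a user named ou2
    "OU=ou2,OU=test-ou,DC=wdom2,DC=site",        # an OU named ou2: collision
    "CN=alice,OU=test-ou,DC=wdom2,DC=site",
    "CN=foo1,OU=other-ou,DC=wdom2,DC=site",      # different parent, no collision
    "CN=Smith\\, John,OU=test-ou,DC=wdom2,DC=site",  # escaped comma in the value
]

if __name__ == "__main__":
    for (parent, value), entries in find_rdn_value_collisions(SAMPLE_DNS).items():
        print(f"duplicate RDN value {value!r} under {parent}:")
        for dn in entries:
            print(f"    {dn}")
    print("adding OU=alice would be rejected:",
          rejects_add(SAMPLE_DNS, "OU=alice,OU=test-ou,DC=wdom2,DC=site"))
```

Running the script against a real database would mean feeding it the DNs from an LDAP search; the two collisions it reports on the sample are exactly the foo1/ou2 cases from comment 1, while the same value under a different parent is correctly left alone.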
Comment 3 Björn Jacke 2020-05-04 23:23:23 UTC
I mainly added this to collect information here. If you (or someone else) want to look into it, that would be very much appreciated.