Bug 14906 - securityIdentifier attribute is not validated for syntax
Summary: securityIdentifier attribute is not validated for syntax
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-11-15 16:18 UTC by Denis Cardon
Modified: 2021-11-17 21:58 UTC

Description Denis Cardon 2021-11-15 16:18:47 UTC
There is no check on the syntax of securityIdentifier when saving the value.

MS-AD will refuse to save if the syntax is not a hex string representation of a objectSID. Samba-AD will accept any hex string.

I have seen this issue at a client who was using the securityIdentifier to store the SHA1 string of the user password (no comments). 

When adding a MS-AD in the domain, initial join does work but subsequent replications fail.

This is not a show stopper, but I had this case at a client today. Actually I'm not even clear on what this attribute's purpose is...

NDR unpack is complaining when displaying the corrupt user entry with a ldbsearch or a samba-tool user show.

How to reproduce:
* add a random string to the securityIdentifier attribute of a user
* samba-tool user show myuser -> see the NDR unpack error
* try to join a MS-AD, replication fails after initial join
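As an added example (not code from the report or from Samba itself), this is the structural check a directory server could apply before storing a securityIdentifier value: a packed SID is a revision byte, a sub-authority count, a 6-byte big-endian identifier authority and then that many little-endian 32-bit sub-authorities. The sample values below are constructed; the 40-character hex string stands in for the SHA-1 digest the reporter found in the attribute.

```python
import struct

def parse_sid(blob: bytes) -> str:
    """Decode a packed binary SID and return its S-1-... string form.

    Raises ValueError on any structural violation; this is the kind of
    syntax check the report says is missing when the value is saved.
    """
    if len(blob) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:  # SID_MAX_SUB_AUTHORITIES in the SID specification
        raise ValueError(f"too many sub-authorities: {count}")
    if len(blob) != 8 + 4 * count:
        raise ValueError(f"length {len(blob)} does not match 8 + 4*{count}")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:]) if count else ()
    return "S-1-" + "-".join(str(x) for x in (authority,) + subs)

def is_valid_security_identifier(value) -> bool:
    """Accept raw bytes or a hex string; True only for a well-formed SID.

    A hex digest of a password, a random string or a truncated SID all
    come back False, which is what the store should reject.
    """
    try:
        blob = bytes.fromhex(value) if isinstance(value, str) else bytes(value)
        parse_sid(blob)
        return True
    except ValueError:
        return False

def build_sid(authority: int, *subs: int) -> bytes:
    """Pack a SID from its components (used to construct sample data)."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

if __name__ == "__main__":
    # Constructed sample: a domain user SID and a SHA-1-looking hex string
    # (the SHA-1 of the empty string, standing in for the stored password hash).
    good = build_sid(5, 21, 1, 2, 3, 1000)
    bad = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    print(parse_sid(good), is_valid_security_identifier(good.hex()))
    print(is_valid_security_identifier(bad), is_valid_security_identifier(good[:-1]))
```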