14906 – securityIdentifier attribute is not validated for syntax 2.5.5.17

Bug 14906 - securityIdentifier attribute is not validated for syntax 2.5.5.17

Summary: securityIdentifier attribute is not validated for syntax 2.5.5.17

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.15.2
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-11-15 16:18 UTC by Denis Cardon
Modified:	2021-11-17 21:58 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Denis Cardon 2021-11-15 16:18:47 UTC

There is no check on the syntax 2.5.5.17 of securityIdentifier when saving the value.

MS-AD will refuse to save if the syntax is not a hex string representation of a objectSID. Samba-AD will accept any hex string.

I have seen this issue at a client who was using the securityIdentifier to store the SHA1 string of the user password (no comments). 

When adding a MS-AD in the domain, initial join does works but subsequent replications fail. 

This is not a show stopper, but I had this case at a client today. Actually I'm not even clear on what this attribute's purpose is...

NDR unpack is complaining when displaying the corrupt user entry with a ldbsearch or a samba-tool user show.

How to reproduce:
* add a random string to the securityIndentifier attribute of a user
* samba-tool user show myser -> see the NDR unpack error
* try to join a MS-AD, replication fails after initial join