Bug 15338 - DS ACEs might be inherited to unrelated object classes
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.18.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2023-03-21 10:19 UTC by Stefan Metzmacher
Modified: 2023-05-31 16:10 UTC

Attachments
Patches for v4-18-test (89.01 KB, patch)
2023-04-12 12:39 UTC, Stefan Metzmacher
jsutton: review-
Patch for v4-17-test (without tests) (9.59 KB, patch)
2023-04-12 12:40 UTC, Stefan Metzmacher
jsutton: review+
Patch for v4-18-test (without tests) (9.52 KB, text/plain)
2023-04-27 15:37 UTC, Stefan Metzmacher
metze: review? (abartlet)
jsutton: review+
Patch for v4-17-test (without tests) (9.52 KB, text/plain)
2023-04-27 15:39 UTC, Stefan Metzmacher
metze: review? (abartlet)
jsutton: review+

Description Stefan Metzmacher 2023-03-21 10:19:41 UTC
While inheriting ACEs from a parent AD object to a child object,
we need to check if generic rights and/or special SIDs, e.g. Creator Owner,
need to be expanded.

In AD DS ACLs we can have ACEs which apply only to specific Attributes/PropertySets (a group of attributes) and/or to specific object classes.

Using adprep 2016 means each object inherits an ACE for Creator Owner
from the Domain object, but this ACE should only apply to computer objects.
But we clear the INHERIT_ONLY flag and expand the Creator Owner SID
on all objects. This was found by a check in dbcheck, which is supposed to fix
a similar problem we had in the past.
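
A simplified model of the inheritance decision described above, added here as an illustration and not taken from Samba's source or from the reporter. The names `Ace`, `inherit`, `misapplied` and `check_class`, and the sample owner SID, are assumptions made for the example; the split of a Creator Owner ACE into an effective ACE plus an inherit-only copy follows the general Windows inheritance rules rather than anything stated in this report.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# ACE flag bits as defined for Windows security descriptors.
CONTAINER_INHERIT = 0x02
INHERIT_ONLY = 0x08
INHERITED_ACE = 0x10
CREATOR_OWNER = "S-1-3-0"
# schemaIDGUID of the computer and user classes in the AD schema.
COMPUTER = "bf967a86-0de6-11d0-a285-00aa003049e2"
USER = "bf967aba-0de6-11d0-a285-00aa003049e2"


@dataclass(frozen=True)
class Ace:
    trustee: str
    flags: int
    inherited_object_type: Optional[str] = None  # None: not class-restricted


def inherit(ace: Ace, child_class: str, owner: str, check_class: bool = True) -> List[Ace]:
    """ACEs a container child gets from one parent ACE (simplified model).

    check_class=False reproduces the reported behaviour, where the class
    restriction is ignored when deciding whether the ACE becomes effective.
    """
    if not ace.flags & CONTAINER_INHERIT:
        return []
    flags = ace.flags | INHERITED_ACE
    if check_class and ace.inherited_object_type not in (None, child_class):
        # Other class: pass the ACE on for descendants only, unexpanded.
        return [replace(ace, flags=flags | INHERIT_ONLY)]
    if ace.trustee != CREATOR_OWNER:
        return [replace(ace, flags=flags & ~INHERIT_ONLY)]
    # Creator Owner: effective ACE for the child's owner, plus an
    # inherit-only copy that keeps the placeholder SID for descendants.
    return [replace(ace, trustee=owner, flags=INHERITED_ACE),
            replace(ace, flags=flags | INHERIT_ONLY)]


def misapplied(dacl: List[Ace], object_class: str) -> List[Ace]:
    """Audit helper: inherited ACEs scoped to another class but effective here."""
    return [a for a in dacl
            if a.flags & INHERITED_ACE and not a.flags & INHERIT_ONLY
            and a.inherited_object_type not in (None, object_class)]


# Constructed sample: class-restricted Creator Owner ACE on the parent.
PARENT_ACE = Ace(CREATOR_OWNER, CONTAINER_INHERIT | INHERIT_ONLY, COMPUTER)
OWNER = "S-1-5-21-1111-2222-3333-1105"  # constructed owner SID of the child
```

Calling `inherit(PARENT_ACE, USER, OWNER, check_class=False)` yields an effective ACE for the user object's owner, which `misapplied` then reports; with the class check enabled the user object only carries the inherit-only copy.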
Comment 1 Samba QA Contact 2023-03-22 23:06:07 UTC
This bug was referenced in samba master:

Comment 2 Stefan Metzmacher 2023-04-12 12:39:49 UTC
Created attachment 17860
Patches for v4-18-test
Comment 3 Stefan Metzmacher 2023-04-12 12:40:27 UTC
Created attachment 17861
Patch for v4-17-test (without tests)
Comment 4 Jennifer Sutton 2023-04-12 21:31:44 UTC
Comment on attachment 17860
Patches for v4-18-test

Tests now fail with:

Exception: Exception: Traceback (most recent call last):
  File "/data/samba/source4/dsdb/tests/python/sec_descriptor.py", line 195, in setUp
    self.deleteAll()
  File "/data/samba/source4/dsdb/tests/python/sec_descriptor.py", line 187, in deleteAll
    self.sd_utils.dacl_delete_aces(self.schema_dn, mod)
AttributeError: 'SDUtils' object has no attribute 'dacl_delete_aces'

I think this depends on some of the commits from https://gitlab.com/samba-team/samba/-/merge_requests/2983.
Comment 5 Stefan Metzmacher 2023-04-27 15:37:51 UTC
Created attachment 17874
Patch for v4-18-test (without tests)
Comment 6 Stefan Metzmacher 2023-04-27 15:39:11 UTC
Created attachment 17875
Patch for v4-17-test (without tests)
Comment 7 Stefan Metzmacher 2023-04-27 15:39:55 UTC
(In reply to Joseph Sutton from comment #4)

I think it's easier to also skip the tests for 4.18
Comment 8 Jule Anger 2023-04-28 14:14:13 UTC
Pushed to autobuild-v4-{18,17}-test.
Comment 9 Samba QA Contact 2023-04-28 15:18:11 UTC
This bug was referenced in samba v4-18-test:

2a20fbdbd7860582f332d8e38dbca2446e2bf0fa
Comment 10 Samba QA Contact 2023-04-28 15:58:04 UTC
This bug was referenced in samba v4-17-test:

65168f33f95906b2c9fb38465c8ab2e799d3942d
Comment 11 Jule Anger 2023-05-05 11:41:49 UTC
Closing out bug report.

Thanks!
Comment 12 Samba QA Contact 2023-05-11 07:11:52 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.8):

65168f33f95906b2c9fb38465c8ab2e799d3942d
Comment 13 Samba QA Contact 2023-05-31 16:10:37 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.3):

2a20fbdbd7860582f332d8e38dbca2446e2bf0fa