Bug 15470 - spurious SID in default schema definition MS-AD_Schema_2K8_R2_Classes.txt
Summary: spurious SID in default schema definition MS-AD_Schema_2K8_R2_Classes.txt
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2023-09-04 15:30 UTC by Denis Cardon
Modified: 2023-09-08 17:51 UTC
CC List: 2 users

Description Denis Cardon 2023-09-04 15:30:16 UTC
Hi everyone,

There is a SID S-1-5-21-2848215498-2472035911-1947525656-498 in the default schema definition of the Sam-Domain and Domain-DNS objects, which was added 13 years ago in https://gitlab.com/samba-team/samba/-/commit/ad11deb9bd825d699e2b6799b40d98c28c95910e

I don't think it is a security bug per se, but it does not look good when auditing tools flag the security descriptor as non-standard.

The security descriptor in the Windows doc does not reference this SID:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adsc/9abb5e97-123d-4da9-9557-b353ab79b830
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-ADSC/%5bMS-ADSC%5d.pdf

Cheers,

Denis
Comment 1 Stefan Metzmacher 2023-09-05 11:39:32 UTC
(In reply to Denis Cardon from comment #0)

Something similar happens during adprep triggered in a pure Windows environment... (which doesn't make it any better), but as we don't support SID filtering at all yet, this is not a security problem in Samba domains.
Comment 2 Denis Cardon 2023-09-05 13:22:44 UTC
Hi Metze,

Thanks for your input! After some more investigation, it looks like the SID should be S-1-5-domain-sid-498, while in Samba it is hardcoded to be S-1-5-21-2848215498-2472035911-1947525656-498 (as per the source4/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt file referenced in the initial bug report).

Cheers,

Denis
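The check an auditor would want for the problem described in this thread, as an added example that is not Samba's code and not part of the bug report: scan each class's defaultSecurityDescriptor (SDDL) for literal domain SIDs of the form S-1-5-21-x-y-z-rid, report the RID, and suggest the SDDL alias the descriptor should have used instead. RID 498 is the well-known Enterprise Read-only Domain Controllers group, whose SDDL alias is "RO"; the alias table below lists the other well-known domain-relative RIDs the SDDL abbreviations cover. The schema text in SAMPLE_SCHEMA is a constructed stand-in in an LDIF-like layout (cn / ldapDisplayName / defaultSecurityDescriptor records), not the real MS-AD_Schema_2K8_R2_Classes.txt; only the literal SID it contains is taken from the report, and the surrounding ACEs are made up.

```python
import re

# SDDL aliases for well-known domain-relative RIDs. Each alias resolves to
# S-1-5-21-<installing domain>-<rid>, which is exactly why a schema default
# security descriptor should carry the alias (or a domain-relative form) and
# never a literal S-1-5-21-... SID that only exists in one specific domain.
DOMAIN_RID_ALIASES = {
    498: "RO",   # Enterprise Read-only Domain Controllers
    500: "LA",   # Administrator
    501: "LG",   # Guest
    512: "DA",   # Domain Admins
    513: "DU",   # Domain Users
    514: "DG",   # Domain Guests
    515: "DC",   # Domain Computers
    516: "DD",   # Domain Controllers
    517: "CA",   # Cert Publishers
    518: "SA",   # Schema Admins
    519: "EA",   # Enterprise Admins
    520: "PA",   # Group Policy Creator Owners
    553: "RS",   # RAS and IAS Servers
}

# A literal domain SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<rid>.
_DOMAIN_SID_RE = re.compile(r"S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)")

# Constructed sample, NOT the real MS-AD_Schema_2K8_R2_Classes.txt: three
# class records in an LDIF-like layout, each with a defaultSecurityDescriptor.
# The first two carry the literal SID from the bug report; the third is clean.
SAMPLE_SCHEMA = """\
cn: Sam-Domain
ldapDisplayName: samDomain
defaultSecurityDescriptor: O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)(A;;RPRC;;;S-1-5-21-2848215498-2472035911-1947525656-498)(A;;LCRPLORC;;;ED)

cn: Domain-DNS
ldapDisplayName: domainDNS
defaultSecurityDescriptor: O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPRC;;;S-1-5-21-2848215498-2472035911-1947525656-498)

cn: Top
ldapDisplayName: top
defaultSecurityDescriptor: O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)
"""


def find_hardcoded_domain_sids(sddl):
    """Return every literal domain SID in an SDDL string, with the domain
    part, the RID and the SDDL alias it should have used (None when the RID
    is not a well-known domain-relative RID and needs a manual decision)."""
    findings = []
    for m in _DOMAIN_SID_RE.finditer(sddl):
        rid = int(m.group(4))
        findings.append({
            "sid": m.group(0),
            "domain": "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3),
            "rid": rid,
            "alias": DOMAIN_RID_ALIASES.get(rid),
        })
    return findings


def fix_hardcoded_domain_sids(sddl):
    """Rewrite literal domain SIDs whose RID has an SDDL alias to that alias.
    Literal SIDs with an unknown RID are left untouched rather than guessed."""
    def replace(m):
        alias = DOMAIN_RID_ALIASES.get(int(m.group(4)))
        return alias if alias is not None else m.group(0)
    return _DOMAIN_SID_RE.sub(replace, sddl)


def audit_schema(text):
    """Walk blank-line separated attribute records and return {cn: findings}
    for every class whose defaultSecurityDescriptor carries a literal
    domain SID."""
    results = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        sd = attrs.get("defaultSecurityDescriptor")
        if sd is None:
            continue
        findings = find_hardcoded_domain_sids(sd)
        if findings:
            results[attrs.get("cn", "?")] = findings
    return results


if __name__ == "__main__":
    for cn, findings in audit_schema(SAMPLE_SCHEMA).items():
        for f in findings:
            print("%s: literal SID %s (RID %d, should be %s)"
                  % (cn, f["sid"], f["rid"], f["alias"] or "reviewed manually"))
```

Run against the constructed sample, the audit flags Sam-Domain and Domain-DNS and leaves Top alone; fix_hardcoded_domain_sids turns the offending ACE into (A;;RPRC;;;RO), which is then relative to whatever domain the schema is installed into. Literal SIDs whose RID has no alias are deliberately left in place, since those cannot be rewritten mechanically without knowing what the ACE was meant to grant.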