Bug 15519 - LDB module aclread_search skips DSACL checks for SAMR calls
Summary: LDB module aclread_search skips DSACL checks for SAMR calls
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-11-13 17:26 UTC by Arvid Requate
Modified: 2023-11-14 11:38 UTC (History)
3 users (show)

See Also:

dirty-hack.patch (1.71 KB, patch)
2023-11-13 19:16 UTC, Arvid Requate
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate 2023-11-13 17:26:21 UTC
In case a Domain Admin has adjusted DSACLs to restrict read access e.g. to the "member" attribute, the SAMR call QueryGroupInfo still reports the information. Thus, admins cannot restrict visibility of group memberships like they can in MS AD. In this aspect, Samba differs from the behavior of MS AD.

Judging from the code, it looks like aclread_search skips checks for non-LDAP-calls:


Since source4/ldap_server/ldap_backend.c explicitly calls ldb_req_mark_untrusted(req) to trigger the ACL checks, maybe a similar thing should be done in source4/rpc_server/samr/dcesrv_samr.c.
Comment 1 Arvid Requate 2023-11-13 19:16:15 UTC
Created attachment 18182 [details]

This kind of shows what would help to get the ACL check working, but I guess this is not very great and the exact behavior of AD would need to be checked.
Comment 2 Stefan Metzmacher 2023-11-14 10:02:02 UTC
Comment on attachment 18182 [details]

I think we should just remove the ldb_req_is_untrusted check in aclread_search()
at least if there's a session info attached to the ldb_context.

We can rely on LDB_MODULE_HOOK_CMDLINE_PRECONNECT to setup system_session()
and just check dsdb_module_am_system() in aclread_search().
Comment 3 Arvid Requate 2023-11-14 11:38:23 UTC
FYI I checked behavior of MS (2019 client joined to 2012 AD DC):

* If I add a ACE to "Domain Admins" via ADUC to deny full access to some user, then the command 'net group "domain admins" /domain' directly returns "System error 5 has occurred" and "Access denied".

* If I more specifically deny read access to "member" only, then the first RPC Call samr_QueryDomainInfo succeeds and group name and description are shown to the user but then the same error code and message are returned for the second RPC call samr_QueryGroupMember (instead of an empty list of members which my dirty hack would return).