Andrew Bartlett
2023-Nov-10 02:57 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Thu, 2023-11-09 at 23:29 +0000, Jonathan Hunter via samba wrote:
> Hi Andrew,
>
> Sorry for the couple of days silence; I've been creating a bash script
> to use with 'git bisect' (it's been a little slow in my testing, as
> the script compiles each version before testing the query with
> ldapsearch, and it takes a little while to re-run when I have been
> debugging it)

No worries! Most folks just run away when I suggest it, but it is a good way to get a lead on a problem that doesn't involve deep diagnostics on my side, so it is an efficient way that I can get users to help without stretching me too thin.

> On Mon, 6 Nov 2023 at 19:30, Andrew Bartlett <abartlet at samba.org> wrote:
> > > On 06-11-2023 at 14:58, Jonathan Hunter wrote:
> > > > Interestingly, I've now found that (on my current DCs, running
> > > > 4.18.5), ldbsearch *does* seem to return the expected result, but the
> > > > same query via ldapsearch does not.
> >
> > Just to narrow this down, can you look into ldbsearch -H ldap:// vs
> > ldapsearch -H ldap://
> >
> > This will eliminate some protocol issues between the codebases.
>
> Of course.
>
> As of 4.18.5:
> - ldbsearch -H ldap:// - FAIL
> - ldbsearch -H sam.ldb - PASS
> - ldapsearch -H ldap:// - FAIL

OK, so it is most likely the permissions handling.

If your automated bisect becomes a pain, or you want to debug in the traditional way, look into permissions and ensure your connecting user can see all the way down the chain, and check if specifying the matched attribute helps.

> I'm trying my 'git bisect' script overnight but I'm not certain I have
> it 100% right yet. If that does fail I can always manually pick a
> couple of tags/commits to try individually - you suggested I pick out
> the CVE changes from the log, which I'll then do if I can't get 'git
> bisect' working in the next couple of days.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
Jonathan Hunter
2023-Nov-10 15:50 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Fri, 10 Nov 2023 at 02:57, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2023-11-09 at 23:29 +0000, Jonathan Hunter via samba wrote:
> > Hi Andrew,
> >
> > Sorry for the couple of days silence; I've been creating a bash
> > script to use with 'git bisect' (it's been a little slow in my testing
>
> No worries! Most folks just run away when I suggest it, but it is a good
> way to get a lead on a problem that doesn't involve deep diagnostics on
> my side, so it is an efficient way that I can get users to help, without
> stretching me too thin.

Indeed. Whilst I have no expectation that my test script is efficient or optimal in any way, I couldn't see an existing guide on the samba wiki so I created a page that should hopefully help others, using my script as an initial example:
https://wiki.samba.org/index.php?title=Using_git_bisect_to_locate_a_Samba_issue

> > As of 4.18.5:
> > - ldbsearch -H ldap:// - FAIL
> > - ldbsearch -H sam.ldb - PASS
> > - ldapsearch -H ldap:// - FAIL
>
> OK, so it is most likely the permissions handling.
>
> If your automated bisect becomes a pain, or you want to debug in the
> traditional way, look into permissions and ensure your connecting user
> can see all the way down the chain, and check if specifying the matched
> attribute helps.

Thank you. The git bisect has now finished, and you may share my lack of surprise at the eventual commit it landed on :)

0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c is the first bad commit
commit 0776ce5caedf18aa8cc1d1dddb1a425f3d0c926c

    CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN

I've created a bug for this in bugzilla, hope that's helpful:
https://bugzilla.samba.org/show_bug.cgi?id=15515

Let me know how I can help next,

Thanks
Jonathan
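An added example of the kind of 'git bisect run' test script the thread describes, written for this edit; it is not the script from the thread or from the wiki page linked above. The DC host, base DN, group and member DNs, install prefix and Kerberos (GSSAPI) authentication are assumptions; the matching-rule OID is the real LDAP_MATCHING_RULE_IN_CHAIN value.

```shell
#!/bin/sh
# 'git bisect run' test script: exit 0 (good) when the chained memberOf
# query over ldap:// still returns the expected object, 1 (bad) when it
# does not, and 125 (skip) when the checked-out commit fails to build.
# DC host, base DN, group, expected member and install prefix are assumed.
set -u

DC_URI="ldap://dc1.example.com"                  # assumed DC
BASE_DN="DC=example,DC=com"                      # assumed
GROUP_DN="CN=nested-group,OU=Groups,${BASE_DN}"  # assumed
EXPECT_DN="CN=alice,OU=Users,${BASE_DN}"         # reachable only via a nested group
PREFIX="/opt/samba-bisect"                       # assumed install prefix

# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: match objects
# whose memberOf chain reaches GROUP_DN transitively.
CHAIN_FILTER="(memberOf:1.2.840.113556.1.4.1941:=${GROUP_DN})"

# Return 0 (good) if the expected DN is a result line of the ldapsearch
# output, 1 (bad) otherwise. DNs compare case-insensitively and as a whole
# line, so a longer DN with the same prefix does not count. No network or
# build steps here, so the verdict logic can be checked offline.
bisect_verdict() {
    output="$1"
    expect="$2"
    printf '%s\n' "$output" | grep -qixF -- "dn: ${expect}"
}

# Build and install the checked-out commit; non-zero means "cannot test".
build_samba() {
    ./configure --prefix="$PREFIX" >/dev/null 2>&1 || return 1
    make -j"$(nproc)" >/dev/null 2>&1 || return 1
    make install >/dev/null 2>&1 || return 1
}

run_bisect_step() {
    build_samba || exit 125                 # tell git bisect to skip this commit
    "$PREFIX/sbin/samba" -D                 # start the DC from this build
    sleep 10                                # crude wait for the LDAP listener
    # Uses an existing Kerberos ticket (assumed); request only the dn.
    out=$(ldapsearch -LLL -H "$DC_URI" -Y GSSAPI -b "$BASE_DN" \
          "$CHAIN_FILTER" dn 2>/dev/null)
    pkill -f "$PREFIX/sbin/samba"
    bisect_verdict "$out" "$EXPECT_DN"
}

# Build and query only when asked explicitly, e.g.
#   git bisect run ./bisect-chain.sh --run
if [ "${1:-}" = "--run" ]; then run_bisect_step; fi
```

Because the verdict is a whole-line match on the result dn, a query that returns the group itself or an unrelated member still counts as "bad", which is what you want when bisecting a permissions regression.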