Jonathan Hunter
2023-Nov-22 17:33 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:> Are you sure that the ACLs on all the items in the chain should allow reading?It's an excellent question, thank you - I'd like to just say "Yes" but I will certainly check, as it's of course possible that my domain was misconfigured previously, and the change has in fact introduced correct behaviour.. Am I right in thinking that the objects I need to look at are - the group itself - all (some?) members of the group - any others? Are permissions checked in a hiearchical fashion, i.e. if OU=myou does not allow a particular user to read it, then would CN=somegroup,OU=myou still be denied regardless of the explicit permissions on the CN=somegroup,OU=myou object? And I believe I'm correct in thinking that a user can be a member of a group, even though that user might not have permission to read the group themselves...? Is there a programmatical way of viewing permissions on all these objects, or am I best manually going through with the 'ldifde' Windows tool (which I think is what I originally used to set the permissions in the first place)? Many thanks Jonathan -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Rowland Penny
2023-Nov-22 17:49 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 22 Nov 2023 17:33:37 +0000 Jonathan Hunter via samba <samba at lists.samba.org> wrote:> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> > wrote: > > Are you sure that the ACLs on all the items in the chain should > > allow reading? > > It's an excellent question, thank you - I'd like to just say "Yes" but > I will certainly check, as it's of course possible that my domain was > misconfigured previously, and the change has in fact introduced > correct behaviour.. > > Am I right in thinking that the objects I need to look at are > - the group itself > - all (some?) members of the group > - any others? > > Are permissions checked in a hiearchical fashion, i.e. if OU=myou does > not allow a particular user to read it, then would > CN=somegroup,OU=myou still be denied regardless of the explicit > permissions on the CN=somegroup,OU=myou object? And I believe I'm > correct in thinking that a user can be a member of a group, even > though that user might not have permission to read the group > themselves...? > > Is there a programmatical way of viewing permissions on all these > objects, or am I best manually going through with the 'ldifde' > Windows tool (which I think is what I originally used to set the > permissions in the first place)? > > Many thanks > > Jonathan >samba-tool dsacl get --help Rowland
Andrew Bartlett
2023-Nov-22 20:22 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote:> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett < > abartlet at samba.org > > wrote: > > Are you sure that the ACLs on all the items in the chain should > > allow reading? > > It's an excellent question, thank you - I'd like to just say "Yes" > but > I will certainly check, as it's of course possible that my domain was > misconfigured previously, and the change has in fact introduced > correct behaviour.. > > Am I right in thinking that the objects I need to look at are > - the group itself > - all (some?) members of the group > - any others?The full chain.> Are permissions checked in a hiearchical fashion, i.e. if OU=myou > does > not allow a particular user to read it, then would > CN=somegroup,OU=myou still be denied regardless of the explicit > permissions on the CN=somegroup,OU=myou object?That is what I am getting at. The full chain must be checked.> And I believe I'm > correct in thinking that a user can be a member of a group, even > though that user might not have permission to read the group > themselves...?They can be members, when Samba assigns group memberships it does as 'system' via other code, but reading them via this mechanism for an unprivileged user won't work. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions
Jonathan Hunter
2023-Nov-22 23:36 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
(I meant 'ldp', of course, which is the graphical tool I used for exploring and setting permissions - rather than 'ldifde'). I'm just wondering if there is a commandline way to view permissions on objects in the tree, ideally from samba / Linux but perhaps from Windows. On Wed, 22 Nov 2023 at 17:33, Jonathan Hunter <jmhunter1 at gmail.com> wrote:> > On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote: > > Are you sure that the ACLs on all the items in the chain should allow reading? > > It's an excellent question, thank you - I'd like to just say "Yes" but > I will certainly check, as it's of course possible that my domain was > misconfigured previously, and the change has in fact introduced > correct behaviour.. > > Am I right in thinking that the objects I need to look at are > - the group itself > - all (some?) members of the group > - any others? > > Are permissions checked in a hiearchical fashion, i.e. if OU=myou does > not allow a particular user to read it, then would > CN=somegroup,OU=myou still be denied regardless of the explicit > permissions on the CN=somegroup,OU=myou object? And I believe I'm > correct in thinking that a user can be a member of a group, even > though that user might not have permission to read the group > themselves...? > > Is there a programmatical way of viewing permissions on all these > objects, or am I best manually going through with the 'ldifde' > Windows tool (which I think is what I originally used to set the > permissions in the first place)? > > Many thanks > > Jonathan > > -- > "If we knew what it was we were doing, it would not be called > research, would it?" > - Albert Einstein-- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Seemingly Similar Threads
- LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
- LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
- LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
- LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
- LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?