Jonathan Hunter
2023-Nov-22 17:33 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:
> Are you sure that the ACLs on all the items in the chain should allow reading?

It's an excellent question, thank you - I'd like to just say "Yes" but I will certainly check, as it's of course possible that my domain was misconfigured previously, and the change has in fact introduced correct behaviour.

Am I right in thinking that the objects I need to look at are
- the group itself
- all (some?) members of the group
- any others?

Are permissions checked in a hierarchical fashion, i.e. if OU=myou does not allow a particular user to read it, then would CN=somegroup,OU=myou still be denied regardless of the explicit permissions on the CN=somegroup,OU=myou object? And I believe I'm correct in thinking that a user can be a member of a group, even though that user might not have permission to read the group themselves...?

Is there a programmatical way of viewing permissions on all these objects, or am I best manually going through with the 'ldifde' Windows tool (which I think is what I originally used to set the permissions in the first place)?

Many thanks

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
Rowland Penny
2023-Nov-22 17:49 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 22 Nov 2023 17:33:37 +0000 Jonathan Hunter via samba <samba at lists.samba.org> wrote:
> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:
> > Are you sure that the ACLs on all the items in the chain should allow reading?
>
> It's an excellent question, thank you - I'd like to just say "Yes" but I will certainly check, as it's of course possible that my domain was misconfigured previously, and the change has in fact introduced correct behaviour.
>
> Am I right in thinking that the objects I need to look at are
> - the group itself
> - all (some?) members of the group
> - any others?
>
> Are permissions checked in a hierarchical fashion, i.e. if OU=myou does not allow a particular user to read it, then would CN=somegroup,OU=myou still be denied regardless of the explicit permissions on the CN=somegroup,OU=myou object? And I believe I'm correct in thinking that a user can be a member of a group, even though that user might not have permission to read the group themselves...?
>
> Is there a programmatical way of viewing permissions on all these objects, or am I best manually going through with the 'ldifde' Windows tool (which I think is what I originally used to set the permissions in the first place)?
>
> Many thanks
>
> Jonathan

samba-tool dsacl get --help

Rowland
Andrew Bartlett
2023-Nov-22 20:22 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
On Wed, 2023-11-22 at 17:33 +0000, Jonathan Hunter wrote:
> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:
> > Are you sure that the ACLs on all the items in the chain should allow reading?
>
> It's an excellent question, thank you - I'd like to just say "Yes" but I will certainly check, as it's of course possible that my domain was misconfigured previously, and the change has in fact introduced correct behaviour.
>
> Am I right in thinking that the objects I need to look at are
> - the group itself
> - all (some?) members of the group
> - any others?

The full chain.

> Are permissions checked in a hierarchical fashion, i.e. if OU=myou does not allow a particular user to read it, then would CN=somegroup,OU=myou still be denied regardless of the explicit permissions on the CN=somegroup,OU=myou object?

That is what I am getting at. The full chain must be checked.

> And I believe I'm correct in thinking that a user can be a member of a group, even though that user might not have permission to read the group themselves...?

They can be members; when Samba assigns group memberships it does so as 'system' via other code, but reading them via this mechanism for an unprivileged user won't work.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
Jonathan Hunter
2023-Nov-22 23:36 UTC
[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?
(I meant 'ldp', of course, which is the graphical tool I used for exploring and setting permissions - rather than 'ldifde').

I'm just wondering if there is a command-line way to view permissions on objects in the tree, ideally from samba / Linux but perhaps from Windows.

On Wed, 22 Nov 2023 at 17:33, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> On Wed, 22 Nov 2023 at 01:03, Andrew Bartlett <abartlet at samba.org> wrote:
> > Are you sure that the ACLs on all the items in the chain should allow reading?
>
> It's an excellent question, thank you - I'd like to just say "Yes" but I will certainly check, as it's of course possible that my domain was misconfigured previously, and the change has in fact introduced correct behaviour.
>
> Am I right in thinking that the objects I need to look at are
> - the group itself
> - all (some?) members of the group
> - any others?
>
> Are permissions checked in a hierarchical fashion, i.e. if OU=myou does not allow a particular user to read it, then would CN=somegroup,OU=myou still be denied regardless of the explicit permissions on the CN=somegroup,OU=myou object? And I believe I'm correct in thinking that a user can be a member of a group, even though that user might not have permission to read the group themselves...?
>
> Is there a programmatical way of viewing permissions on all these objects, or am I best manually going through with the 'ldifde' Windows tool (which I think is what I originally used to set the permissions in the first place)?
>
> Many thanks
>
> Jonathan
>
> --
> "If we knew what it was we were doing, it would not be called research, would it?"
> - Albert Einstein

-- 
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
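Rowland's pointer to samba-tool dsacl get and Andrew's point that every object in the chain must be readable can be combined into one command-line check, which is what the last message asks for. This is an added example, not code from the thread or from Samba itself; it assumes samba-tool is on PATH with a working connection to the DC, that RDN values contain no escaped commas, and that samba-tool group listmembers accepts --full-dn to return member DNs (treat that flag as an assumption and check --help on your version).

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Walks the objects an
# LDAP_MATCHING_RULE_IN_CHAIN lookup depends on (the group, each container
# above it, and its members) and prints each one's security descriptor so a
# read right missing for the querying user can be spotted per object.
# Assumptions: samba-tool on PATH with a working DC connection; RDN values
# contain no escaped commas; 'listmembers --full-dn' yields member DNs.

# Print a DN followed by each parent container up to the naming context
# (the first RDN starting with DC=). Pure string handling, testable offline.
dn_ancestors() {
    dn="$1"
    while [ -n "$dn" ]; do
        printf '%s\n' "$dn"
        case "$dn" in
            DC=*|dc=*) break ;;          # reached the naming context root
            *,*) dn="${dn#*,}" ;;        # drop the leftmost RDN
            *) break ;;                  # single RDN, nothing above it
        esac
    done
}

# All DNs whose ACL must allow the querying user to read: the group and its
# containers (dn_ancestors), then every direct member (assumed flag).
chain_objects() {
    group_dn="$1"; group_name="$2"
    dn_ancestors "$group_dn"
    samba-tool group listmembers "$group_name" --full-dn
}

# Dump the SDDL of every object in the chain. Look for a missing generic or
# property read right, or an explicit deny, for the account running the query.
dump_acls() {
    chain_objects "$1" "$2" | while read -r obj; do
        printf '\n== %s ==\n' "$obj"
        samba-tool dsacl get --objectdn="$obj"
    done
}

# Example invocation with placeholder names (domain part is constructed):
# dump_acls 'CN=somegroup,OU=myou,DC=example,DC=com' somegroup
```

Nested groups in the chain need the same treatment: run dump_acls once per group the user is transitively a member of.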