Hi Andrew:
Here is the logic for returning deleted and/or recycled state:

  1.  dirSyn per-object security mode
  2.  parent does not allow visibility
  3.  Object is deleted or recycled
  4.  Deleted or recycled attribute has changed since last sync

If LDAP_DIRSYNC_OBJECT_SECURITY is specified and all conditions above are true 
and caller has asked for deleted and/or recycled, just return the state of the 
object.

The wording in the MS-ADTS for LDAP_DIRSYNC_OBJECT_SECURITY can also be made 
clearer. I'll file a TDI to include above logic as well as clean up the 
existing wording. But before that, I want to know if the information above 
resolves your issue?


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

From: Andrew Bartlett <abart...@samba.org>
Sent: Sunday, October 29, 2023 1:29 PM
To: Obaid Farooqi <oba...@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft 
Support <supportm...@microsoft.com>
Subject: [EXTERNAL] Re: DirSync ACLs and Deleted Objects - 
TrackingID#2310230040015878


Do you mean "whether an object is returned or not"?

Yes.

To expand further: In DirSync as described the behaviour is that a deleted 
object only returns the GUID and deletion state.

What I mean by a filter attack is that because not all Deleted objects are 
returned, only those that match the filter, we can work out if the object 
matched the filter by noting if it was returned (just a GUID and deletion 
state), or not (no object returned).

What I'm getting at is that it appears that the object ACLs, including 
list-children ACLs, are applied for other objects - we don't have an 
information leak for 'live' objects.  But that isn't documented.

And there seems to be some special codepath (required to keep this protocol 
plausibly working) for Deleted objects, either for all deleted objects or a 
specific exemption for the CN=Deleted Objects SD.

Thanks so much for your assistance!

Andrew Bartlett

On Fri, 2023-10-27 at 19:29 +0000, Obaid Farooqi wrote:

Hi Andrew:

I'll help you with this issue.

I need a little clarification. I did not understand what you have in the 
following sentence between dashes:

"They are stripped of most information, but a filter attack (eg search for 
CN=a*) can be used to discover the values - an object is returned nor not - 
showing that the objects are readable in that context."

Do you mean "whether an object is returned or not"?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft


-----Original Message-----
From: Obaid Farooqi
Sent: Monday, October 23, 2023 5:18 PM
To: Andrew Bartlett <abart...@samba.org>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft 
Support <supportm...@microsoft.com>
Subject: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878


Hi Andrew:

Thanks for contacting Microsoft. I have created a case to track this issue. A 
member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft


-----Original Message-----
From: Andrew Bartlett <abart...@samba.org>
Sent: Monday, October 23, 2023 4:15 PM
To: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; 
Interoperability Documentation Help <doch...@microsoft.com>
Subject: [EXTERNAL] DirSync ACLs and Deleted Objects


Hi Dochelp,

MS-ADTS 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID describes 
LDAP_DIRSYNC_OBJECT_SECURITY as:

  Windows Server 2003 operating system and later: If this flag is present, 
  the client can only view objects and attributes that are otherwise 
  accessible to the client. If this flag is not present, the server checks 
  if the client has access rights to read the changes in the NC.

  Windows 2000 operating system: Not supported.

However, there is an exception.  Objects that are deleted are returned, despite 
the ACL on CN=Deleted objects.  They are stripped of most information, but a 
filter attack (eg search for CN=a*) can be used to discover the values - an 
object is returned nor not - showing that the objects are readable in that 
context.

MSRC has just closed my case (82978) as it was determined this issue doesn't 
cross any MSRC recognized security boundaries.

However, neither is this documented.  There is nothing in the above reference 
nor in MS-DRSR 5.115.3 ProcessDirSyncSearchRequest that explains how ACLs are 
applied to DirSync in the normal case, nor the apparent exception for 
CN=Deleted Objects.

The reason I say 'apparent exception' is that, if the ACL that blocks 'list 
children' on CN=Deleted Objects were honoured, then:


bin/ldbsearch -H ldap://192.168.122.230 -Uandrew%password ou=spy2\* --controls=dirsync:1:1:0

Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it

# record 1
dn:
objectGUID: 0ae90a39-9fbe-4a77-8651-abefa1f1eace
isDeleted: TRUE
isRecycled: TRUE

Should not be able to return anything, and shouldn't indicate that an object 
known previously as spy2 existed.


From testing, it appears that only this special DN is excluded - if we have an 
object that is hidden because the parent denies 'List Children', then these 
don't show up.  So, if we are going to get our DirSync behaviour more 
consistent, we would like to be sure of exactly what the rules are here.

Thanks,

Andrew Bartlett


--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions




--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
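The thread turns on one bit in the DirSync request control: flags=1 in Andrew's `--controls=dirsync:1:1:0` is LDAP_DIRSYNC_OBJECT_SECURITY, and the question is what the server does with it for objects under CN=Deleted Objects. The following is an added example, not code from Samba, ldb or Microsoft. It encodes and decodes the LDAP_SERVER_DIRSYNC_OID control value exactly as MS-ADTS 3.1.1.3.4.1.3 defines it (SEQUENCE { Flags INTEGER, MaxBytes INTEGER, Cookie OCTET STRING }) with a stdlib-only BER encoder, and maps the `dirsync:crit:flags:max[:base64cookie]` string that ldbsearch accepts onto those wire bytes, so you can see precisely what the command in the thread put on the wire. The flag constants are the values MS-ADTS lists; the `dirsync:` string layout is assumed to be the one ldb's control parser uses (ldb calls the third number max_attributes; it lands in the MaxBytes INTEGER). The example cannot show the server-side visibility decision, which is what the thread is asking Microsoft to document.

```python
"""
Added example (not Samba, ldb or Microsoft code): build and parse the
LDAP_SERVER_DIRSYNC_OID request control value from MS-ADTS 3.1.1.3.4.1.3,

    DirSyncRequestValue ::= SEQUENCE {
        Flags     INTEGER,
        MaxBytes  INTEGER,
        Cookie    OCTET STRING
    }

and map ldbsearch's "dirsync:crit:flags:max[:cookie]" control string onto it.
"""
import base64

LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"

# Flag values as listed in MS-ADTS 3.1.1.3.4.1.3.
DIRSYNC_FLAGS = {
    "LDAP_DIRSYNC_OBJECT_SECURITY":       0x00000001,
    "LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER": 0x00000800,
    "LDAP_DIRSYNC_PUBLIC_DATA_ONLY":      0x00002000,
    "LDAP_DIRSYNC_INCREMENTAL_VALUES":    0x80000000,
}


def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value: int) -> bytes:
    """ASN.1 INTEGER is two's complement: 0x80000000 needs a leading 0x00 byte."""
    size = 1
    while True:
        try:
            body = value.to_bytes(size, "big", signed=True)
            break
        except OverflowError:
            size += 1
    return b"\x02" + _ber_length(len(body)) + body


def encode_dirsync_value(flags: int, max_bytes: int, cookie: bytes = b"") -> bytes:
    """Encode DirSyncRequestValue. An empty cookie asks for a full sync."""
    inner = (_ber_integer(flags) + _ber_integer(max_bytes)
             + b"\x04" + _ber_length(len(cookie)) + cookie)
    return b"\x30" + _ber_length(len(inner)) + inner


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at data[pos]."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def decode_dirsync_value(data: bytes):
    """Parse DirSyncRequestValue into (flags, max_bytes, cookie)."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SEQUENCE")
    tag, raw_flags, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("Flags must be INTEGER")
    # Some encoders send 0x80000000 as a 4-byte negative INTEGER; masking to
    # 32 bits recovers the intended unsigned flag word either way.
    flags = int.from_bytes(raw_flags, "big", signed=True) & 0xFFFFFFFF
    tag, raw_max, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("MaxBytes must be INTEGER")
    max_bytes = int.from_bytes(raw_max, "big", signed=True)
    tag, cookie, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("Cookie must be the final OCTET STRING")
    return flags, max_bytes, cookie


def flag_names(flags: int) -> list:
    """Names of the MS-ADTS flags set in `flags`, lowest bit first."""
    ordered = sorted(DIRSYNC_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if flags & bit]


def parse_ldb_dirsync_control(spec: str) -> dict:
    """Parse the dirsync:crit:flags:max_attributes[:base64cookie] string that
    ldbsearch --controls= accepts (assumed layout), e.g. "dirsync:1:1:0"."""
    parts = spec.split(":")
    if parts[0] != "dirsync" or len(parts) not in (4, 5):
        raise ValueError("expected dirsync:crit:flags:max[:cookie]")
    crit, flags, max_attrs = (int(p) for p in parts[1:4])
    cookie = base64.b64decode(parts[4]) if len(parts) == 5 and parts[4] else b""
    return {"critical": bool(crit), "flags": flags,
            "max_attributes": max_attrs, "cookie": cookie}


def ldb_spec_to_control(spec: str):
    """(controlType, criticality, controlValue) for the SearchRequest controls."""
    c = parse_ldb_dirsync_control(spec)
    value = encode_dirsync_value(c["flags"], c["max_attributes"], c["cookie"])
    return LDAP_SERVER_DIRSYNC_OID, c["critical"], value


if __name__ == "__main__":
    oid, crit, value = ldb_spec_to_control("dirsync:1:1:0")  # the thread's control
    print(oid, crit, value.hex())
    print(flag_names(decode_dirsync_value(value)[0]))
```

Running the block prints the OID, criticality TRUE and the ten-byte value `30080201010201000400`, decoding back to just LDAP_DIRSYNC_OBJECT_SECURITY. That is the request for which the thread's server still returned the objectGUID, isDeleted and isRecycled of the hidden spy2 object, which is why the filter attack works: the presence or absence of that stripped record answers the `ou=spy2*` question regardless of the List Children deny on CN=Deleted Objects.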