Security model in samba-2

Andrej Borsenkow borsenkow.msk at sni.de
Wed Sep 2 16:33:34 GMT 1998


I beg your pardon if this was already discussed, but I have not found anything in the list archive.

Now that SAMBA supports NT domains (verified :), some problems appear with user identification. This applies when SAMBA is in "domain" security.

Assume that SAMBA server S is a member of NT domain D1. Domain D1 has a trusted relationship with domain D2. User U\D1 (that is, user U on domain D1) attempts to access server S. Suppose that Unix user U exists.

As it now appears, SAMBA will (by default at least) map user U\D1 to user U on S. It may or may not be what is wanted, but it is acceptable in many cases. Both servers are in the same domain, and there is a good chance that both users are the same.

Now user U\D2 (that is, user U from domain D2) attempts to access SAMBA. SAMBA will forward the user's credentials to the domain controller of domain D1, which will *accept* them (trust between the two domains). It means that U\D2 will end up mapped to U on S, which is most probably totally wrong!!! It is a totally different user from a totally different domain.

Note that the NT model has distinct user spaces for the local NT system and for every NT domain (actually, the local system is treated as a separate domain). Local user 'bor' is totally different from domain user 'bor', which in turn has nothing to do with user 'bor' from any other domain (exactly the case we have here :))

The "correct" model as I see it is:

 - by default every Unix user is treated as local (in the above sense); no external user is mapped
   to a local user by default

 - there should be a configurable way to map an NT user to a local user based on User+Domain.
   A much better case is to use RIDs (is that correct?) to uniquely identify NT users. Probably some
   utility to "add trusted user"? Access to shares should use the same database (so that
   I could say that any domain, only some domain(s), only group(s) in my domain or only
   specific user(s) may access a share).

 - it would be very nice to have some way to do "reverse mapping". Assuming that user 'bor' is declared the same
   as DOMAIN\bor and tries to access a server in DOMAIN with e.g. smbclient, there is no
   need to provide a password (well, if we agree to trust Unix authorisation). Of course,
   we need some sort of database where this information is stored.

And by the way, every member of the group "Domain Admins" can administer any NT server in the domain. Does that apply to SAMBA as well?

Thank you for your time

/Andrej
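
Added example, not part of the original message and not Samba code: it contrasts the name-only mapping the message describes with a mapping keyed on domain plus user that denies by default, and applies the same idea to share access. The tables, `USER_MAP`, `SHARE_ACL` and all function names are hypothetical, and the account data is constructed.

```python
# Constructed scenario: server S is a member of D1; D1 trusts D2.
# Keys are case-folded because NT domain and account names are case-insensitive.
UNIX_BY_FOLDED = {"u": "U", "bor": "bor"}       # local Unix accounts on S
DC_ACCEPTS = {("d1", "u"), ("d2", "u"), ("d2", "bor")}  # D2 accepted via trust


def norm(domain, user):
    """Normalise an NT (domain, user) pair for table lookups."""
    return domain.casefold(), user.casefold()


def map_by_name_only(domain, user):
    """Mapping described in the message: the domain is dropped after the DC accepts."""
    d, u = norm(domain, user)
    return UNIX_BY_FOLDED.get(u) if (d, u) in DC_ACCEPTS else None


# Hypothetical "add trusted user" table: (domain, user) -> Unix account.
USER_MAP = {("d1", "u"): "U"}


def map_by_domain_and_user(domain, user, user_map=USER_MAP):
    """Proposed model: default deny; only listed (domain, user) pairs map."""
    key = norm(domain, user)
    if key not in DC_ACCEPTS:
        return None
    return user_map.get(key)


# Hypothetical share rules in the same database; "*" means any user of that domain.
SHARE_ACL = {"projects": {("d1", "*"), ("d2", "bor")}}


def may_access(share, domain, user, acl=SHARE_ACL):
    """Allow only authenticated users matched by an explicit share rule."""
    d, u = norm(domain, user)
    if (d, u) not in DC_ACCEPTS:
        return False
    rules = acl.get(share, set())
    return (d, u) in rules or (d, "*") in rules


if __name__ == "__main__":
    for dom in ("D1", "D2"):
        print(dom, "U ->", map_by_name_only(dom, "U"),
              "| keyed:", map_by_domain_and_user(dom, "U"))
```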


