Security model in samba-2

Marc Sherman marc at reston.ans.net
Thu Sep 3 13:08:57 GMT 1998


At 10:54 PM 9/3/98 +1000, you wrote:
>andrej,
>
>you have hit on exactly the right problem.  unless the unix system you are
>using supports the concept of "domains", namely that every process, file
>and other object has a "SID" attached to it (max 28 bytes or so)

Luke, not to quibble, but I calculate 40 bytes max for a "SID", does that
sound way off? Here's how I figure 40:

revision number = 1 byte
rid count = 1 byte
identifier authority = 6 bytes
8 max possible sub authorities = 32 bytes

..Marc

> instead
>of a 32 bit uid, then you cannot support multiple domains.
>
>in other words, you can't, unless you make the entire unix system running
>samba a "black box", and internally you treat the 32 bit uid as a vector
>table to look up a SID.
>
>jeremy knows what i'm talking about :-)
>
>On Thu, 3 Sep 1998, Andrej Borsenkow wrote:
>
>> I beg your pardon if it was already discussed, but I have not found anything in list archive.
>> 
>> Now, when SAMBA supports NT domain (verified :), there appear some problems with user's identification. It applies, when SAMBA is in "domain" security.
>> 
>> Assume, that samba server S is member of NT domain D1. Domain D1 has trusted relationship with domain D2. User U\D1 (that is, user U on domain D1) attempts to access server S. Suppose, that Unix user U exists.
>> 
>> As it now appears, SAMBA will (by default at least) map user U\D1 to user U on S. It may or may not be what is wanted, but it is acceptable in many cases. Both servers are in the same domain, and there are good chances, that both users are the same.
>> 
>> Now user U\D2 (that is, user U from domain D2) attempts to access SAMBA. SAMBA will forward user's credential to domain controller of domain D1 which will *accept* them (trust between two domains). It means, that U\D2 will end up mapped to U on S which is most probably totally wrong!!! It is totally different user from totally different domain.
>> 
>> Note, that NT model has distinct user spaces for local NT system and for every NT domain (actually, local system is treated as separate domain). Local user 'bor' is totally different from domain user 'bor' which in turn has nothing to do with user 'bor' from any other domain (exactly the case we have here :))
>> 
>> The "correct" model as I see it is:
>> 
>>  - by default every Unix user is treated as local (in above sense); no external user is mapped
>>    to local user by default
>> 
>>  - there should be configurable way to map NT user to local user based on User+Domain.
>>    Much better case is to use RID's (is it correct) to uniquely identify NT users. Probably, some
>>    utility to "add trusted user"? Access to shares should use the same database (so, that
>>    I could say, that any domain, only some domain(s), only group(s) in my domain or only
>>    specific user(s) may access share).
>> 
>>  - very nice is some way to do "reverse mapping". Assuming, that user 'bor' is declared the same
>>    as DOMAIN\bor, and tries to access server in DOMAIN with e.g. smbclient, there is no
>>    need to provide password (well, if we agree to trust Unix authorisation). Of course,
>>    we need some sort of database where this information is stored.
>> 
>> And by the way, every member of group "Domain Admins" can administer any NT server in domain. Does it apply to SAMBA as well?
>> 
>> thank you for your time
>> 
>> /Andrej
>> 
>> 
>
><a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton  </a>
><a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
><a href="http://www.samba.co.uk"       > Samba and Network Consultancy </a>
>
>
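
Added example, not part of the original message and not Samba's code: a bounds-checked parser for the binary SID layout counted in the reply above (revision, sub-authority count, 6-byte identifier authority, 32-bit sub-authorities). The function names and the sample SID are constructed for illustration, and the limit of 15 sub-authorities is the one in the Windows SID definition; with 5 and 8 sub-authorities the size comes out at the 28 and 40 bytes mentioned in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHS 15 /* SubAuthorityCount limit in the Windows SID definition */

/* Constructed sample: S-1-5-21-1-2-3-1000 (5 sub-authorities, little-endian). */
static const uint8_t SAMPLE_SID[] = {
    0x01, 0x05, 0, 0, 0, 0, 0, 0x05,
    21, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0,  0xe8, 0x03, 0, 0
};

/* revision (1) + count (1) + identifier authority (6) + 4 per sub-authority */
size_t sid_wire_size(unsigned count) { return 8 + 4 * (size_t)count; }

/* Render buf[0..len) as "S-rev-auth-sub..."; returns bytes consumed, 0 if malformed. */
size_t sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 8 || buf[0] != 1 || buf[1] > SID_MAX_SUB_AUTHS)
        return 0;                      /* reject before trusting the count byte */
    size_t need = sid_wire_size(buf[1]);
    if (len < need)
        return 0;                      /* count claims more data than was received */
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++)        /* identifier authority is big-endian */
        auth = (auth << 8) | buf[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0], (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen)
        return 0;                      /* output buffer too small */
    size_t used = (size_t)n;
    for (unsigned i = 0; i < buf[1]; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        uint32_t sub = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - used)
            return 0;                  /* output buffer too small */
        used += (size_t)n;
    }
    return need;
}

int main(void)
{
    char s[192];
    if (sid_to_string(SAMPLE_SID, sizeof SAMPLE_SID, s, sizeof s))
        printf("%s (%zu bytes; 8 sub-authorities would be %zu)\n", s, sizeof SAMPLE_SID, sid_wire_size(8));
    return 0;
}
```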


