need to re-evaluate enumerating users

Gerald (Jerry) Carter jerry at samba.org
Thu Nov 10 15:56:08 GMT 2005

Jeremy & Volker,

Yeah. So Volker's right.  There is really no way to enumerate
users in a trusted AD domain without kerberos.

This is an example of a child domain enumerating users just
like the NT4 BDC in the mixed mode domain does.

Here spud.ad.plainjoe.org is the trusted parent domain
and FRUIT\Administrator is from the mixed mode child domain.
I get the same results from the object picker on the
NT4 BDC.

$ bin/rpcclient spud.ad.plainjoe.org -U'FRUIT\Administrator' \
  -c 'querydispinfo' -s /dev/null | wc -l
8

Just does not work.  There are a lot more accounts enumerated
when I connect as the domain admin.

$ bin/rpcclient spud.ad.plainjoe.org -U'AD\Administrator' \
  -c 'querydispinfo' -s /dev/null | wc -l
201

So here's what we can do.

* use the "right" methods when talking to our own domain.
* use the "right" methods when talking to a DC running
  AD (due to the tighter coupling between the winbindd_domain
  structure and the actual cli_state connection).
* Use the ADS methods when talking to a trusted AD domain
  on a Samba DC (by generating a kerberos ticket).

What we cannot do:

* Fix enumerating users and groups when we have to fall back
  to RPC

Solution proposal:

* Reinstate the netsamlogon cache with the following changes
  (a) cache the PAC info as well as NTLM net_user_info_3
  (b) expire the cache when the SMB session goes away

This will solve the problem of users being able to connect
to the Samba box.  This will not solve the 'chown <domain user>
file' problem.

Another possibility is to store a --set-auth-user on a per
trusted domain basis.

So the problem really boils down to a Samba machine in
'security = domain' and talking to a trusted AD domain.
Everything else we can work with I think.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."               --anonymous
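A small model of the session-scoped netsamlogon cache proposed above, added here as an illustration and not Samba code: the cache only knows the SIDs a logged-on user brought with them (from net_user_info_3 or the PAC), answers lookups for those while the SMB session lives, and still cannot resolve a user who never logged on, which is the 'chown <domain user> file' case the post mentions. The class, method names and SID values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class LogonInfo:
    """The parts of net_user_info_3 / the PAC that the cache keeps (constructed)."""
    user_sid: str
    user_name: str
    group_sids: List[str]

class NetSamLogonCache:
    """SIDs learned at logon, kept only while an SMB session that supplied them lives."""
    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[Optional[str], str]] = {}  # sid -> (name, kind)
        self._refs: Dict[str, int] = {}                            # sid -> live sessions
        self._sessions: Dict[str, Set[str]] = {}                   # session -> sids

    def logon(self, session_id: str, info: LogonInfo) -> None:
        """Record what a successful logon told us; nothing else is learned."""
        self.session_end(session_id)  # a re-logon on the same session replaces its entries
        learned = {info.user_sid: (info.user_name, "user")}
        for gsid in info.group_sids:
            learned.setdefault(gsid, (None, "group"))  # PAC/info3 carry group SIDs, not names
        for sid, entry in learned.items():
            self._entries.setdefault(sid, entry)
            self._refs[sid] = self._refs.get(sid, 0) + 1
        self._sessions[session_id] = set(learned)

    def lookup_sid(self, sid: str) -> Optional[Tuple[Optional[str], str]]:
        """SID -> (name, kind); None when no live session has logged on with that SID."""
        return self._entries.get(sid)

    def session_end(self, session_id: str) -> None:
        """Expire the session's contribution once no other live session references it."""
        for sid in self._sessions.pop(session_id, set()):
            self._refs[sid] -= 1
            if self._refs[sid] == 0:
                del self._refs[sid]
                del self._entries[sid]

def demo() -> Tuple[bool, bool, bool]:
    """Constructed SIDs: a user from the child domain logs on, then disconnects."""
    cache = NetSamLogonCache()
    admin = LogonInfo("S-1-5-21-100-200-300-500", "FRUIT\\Administrator",
                      ["S-1-5-21-100-200-300-512", "S-1-5-21-100-200-300-513"])
    cache.logon("smb-session-1", admin)
    resolvable_while_connected = cache.lookup_sid(admin.user_sid) == ("FRUIT\\Administrator", "user")
    never_logged_on_unresolvable = cache.lookup_sid("S-1-5-21-100-200-300-1105") is None  # the chown case
    cache.session_end("smb-session-1")
    gone_after_session = cache.lookup_sid(admin.user_sid) is None
    return resolvable_while_connected, never_logged_on_unresolvable, gone_after_session
```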