need to re-evaluate enumerating users

Simo Sorce idra at samba.org
Thu Nov 10 17:00:06 GMT 2005


On Thu, 2005-11-10 at 09:56 -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jeremy & Volker,
> 
> Yeah. So Volker's right.  There is really no way to enumerate
> users in a trusted AD domain without kerberos.
> 
> This is an example of a child domain enumerating users just
> like the NT4 BDC in the mixed mode domain does.
> 
> Here spud.ad.plainjoe.org is the trusted parent domain
> and FRUIT\Administrator is from the mixed mode child domain.
> I get the same results from the object picker on the
> NT4 BDC.
> 
> $ bin/rpcclient spud.ad.plainjoe.org -U'FRUIT\Administrator' \
> -c 'querydispinfo' -s /dev/null | wc -l
> 8
> 
> Just does not work.  There are a lot more accounts enumerated
> when I connect as the domain admin.
> 
> $ bin/rpcclient spud.ad.plainjoe.org -U'AD\Administrator' \
> -c 'querydispinfo' -s /dev/null | wc -l
> 201
> 
> So here's what we can do.
> 
> * use the "right" methods when talking to our own domain.
> * use the "right" methods when talking to a DC running
>   AD (due to the tighter coupling between the winbindd_domain
>   structure and the actual cli_state connection).
> * Use the ADS methods when talking to a trusted AD domain
>   on a Samba DC (by generating a kerberos ticket).
> 
> What we cannot do:
> 
> * Fix enumerating users and groups when we have to fallback
>   to RPC
> 
> Solution proposal:
> 
> * Reinstate the netsamlogon cache with the following changes
>   (a) cache the PAC info as well as NTLM net_user_info_3
>   (b) expire the cache when the SMB session goes away
> 
> This will solve the problem of users being able to connect
> to the Samba box.  This will not solve the 'chown <domain user>
> file' problem.
> 
> Another possibility is to store a --set-auth-user on a per
> trusted domain basis.
> 
> So the problem really boils down to a Samba machine in
> 'security = domain' and talking to a trusted AD domain.
> Everything else we can work with I think.

Any chance there is a policy or registry hack to be set on the trusted
domain to allow samba to enumerate the users via RPC ?

Simo.

-- 
Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it
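The cache proposal quoted above (keep the logon data from the PAC or the NTLM net_user_info_3, drop it when the SMB session goes away) and its stated limit (it fixes connecting, not 'chown <domain user> file') can be modeled in a few lines. The following is an added illustration written for this page, not Samba's winbindd or netsamlogon cache code: the class and function names, the session ids and the account listing are constructed for the example, and the truncated RPC listing stands in for what the trusted domain returns to a cross-domain caller.

```python
# Added illustration of the logon cache proposed in the thread. Not Samba's
# netsamlogon cache or winbindd code: class names, field names and the
# account listing below are constructed for the example.
from dataclasses import dataclass


@dataclass
class LogonInfo:
    """What a DC returns at logon: the NTLM net_user_info_3 fields or the
    equivalent data pulled from a Kerberos PAC."""
    domain: str
    username: str
    user_rid: int
    group_rids: tuple
    source: str  # "info3" for NTLM logons, "pac" for Kerberos logons


class LogonCache:
    """Name -> LogonInfo map whose entries live only as long as an SMB
    session that produced them (point (b) of the proposal)."""

    def __init__(self):
        self._by_name = {}     # "DOMAIN\\user" -> LogonInfo
        self._by_session = {}  # smb session id -> set of cache keys

    @staticmethod
    def key(domain, user):
        return f"{domain.upper()}\\{user.lower()}"

    def record_logon(self, session_id, info):
        k = self.key(info.domain, info.username)
        self._by_name[k] = info
        self._by_session.setdefault(session_id, set()).add(k)

    def lookup(self, domain, user):
        return self._by_name.get(self.key(domain, user))

    def session_closed(self, session_id):
        # Expire entries of this session unless another live session
        # still references the same user.
        for k in self._by_session.pop(session_id, set()):
            still_used = any(k in keys for keys in self._by_session.values())
            if not still_used:
                self._by_name.pop(k, None)


# Constructed stand-in for the RPC (querydispinfo) listing a trusted AD
# domain returns to a caller from another domain: it is truncated, so
# bob and carol never show up even though they exist.
TRUNCATED_LISTING = {"alice": 1105}


def rpc_enumerate(domain, listing=TRUNCATED_LISTING):
    """Stand-in for the RPC fallback path; returns name -> rid."""
    return dict(listing)


def resolve_rid(cache, domain, user):
    """Lookup the way 'chown DOMAIN\\user file' needs it: cache first,
    then the (truncated) RPC enumeration of the trusted domain."""
    hit = cache.lookup(domain, user)
    if hit is not None:
        return hit.user_rid
    return rpc_enumerate(domain).get(user.lower())


def demo():
    cache = LogonCache()
    # carol connects over SMB; her PAC-derived info lands in the cache
    cache.record_logon(1, LogonInfo("AD", "carol", 1107, (513,), "pac"))
    while_connected = resolve_rid(cache, "AD", "carol")  # 1107, from cache
    via_rpc = resolve_rid(cache, "AD", "alice")          # 1105, RPC sees her
    never_seen = resolve_rid(cache, "AD", "bob")         # None: the chown case
    cache.session_closed(1)
    after_logoff = resolve_rid(cache, "AD", "carol")     # None again
    return while_connected, via_rpc, never_seen, after_logoff


if __name__ == "__main__":
    print(demo())
```

The run shows the thread's point directly: a user who has logged on resolves while the session lives, a user the truncated RPC listing happens to include resolves either way, and a user who has neither logged on nor appears in the listing cannot be resolved at all, which is exactly the chown case the proposal leaves open.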


