smbd tries to read ~root/* files

Michael Tokarev mjt at
Thu Apr 13 19:56:18 UTC 2023

13.04.2023 22:37, Ralph Boehme via samba-technical wrote:
> On 4/13/23 20:56, Michael Tokarev via samba-technical wrote:
>> This might be, at the very least, quite unexpected, - once
>> there's something in root's configs, samba will do stuff not
>> configured in smb.conf?
> I start Samba, connect with smbclient, get the pid of the smbd session process with smbstatus and then run strace -v -p PID on that pid for a few 
> seconds.

I'm sorry for not providing the details initially.  I was busy
with another prob, all these observations (and many more) come
by the way there.

It is samba 4.17.7 (4.17.7-1~bpo11-1 debian package), configured
as a domain member (with the same version of samba acting as a
domain controller).  The client is a windows10 machine.  I don't
know if kerberos-related stuff is used without the domain part
(and this looks like kerberos stuff).

I can't say *when* exactly this file access happens, - since I
traced something else, and this was just background noise.  Here's
an example of the command received from the client:

recvmsg(33, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0\0\7*", iov_len=4}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4
recvmsg(33, {msg_name=NULL, msg_namelen=0, 
\0 \0\0\0\243\202\4\306a\202\4\3020\202\4\276\240\3\2\1\5\241\f\33\nTLS.MSK.RU\242\0270\25\240\3\2\1\2\241\0160\f\33\4"..., iov_len=1834}], 
msg_iovlen=1, msg_controllen=0, msg
_flags=0}, 0) = 1834

after which it becomes root and tries to open /root/.foo files.

There are other similar cases, always starting with similar
recvmsg.  I can provide more complete traces if needed.

> Please post your smb.conf and explain in a bit more detail how you're connecting and what your tracing.

Here's the smb.conf (as-is):

  server string = %h samba server %v
  netbios name = TSRV
  realm = TLS.MSK.RU
  workgroup = TLS
  server role = member server
  security = ADS

  idmap config TLS : backend = ad
  idmap config TLS : range = 1000-4999
  idmap config TLS : schema_mode = rfc2307
  idmap config TLS : unix_primary_group = yes
  template homedir = /home/%U
  template shell = /bin/bash
  idmap config * : backend = tdb
  idmap config * : range = 5000-5099
  winbind use default domain = yes

  kerberos method = secrets and keytab
  dedicated keytab file = /etc/krb5.keytab

  allow hosts =

  log file = /var/log/samba/log.%m
  max log size = 1000
  log level = 1
  logging = file

  # disable user shares (fix debian defaults idiocy)
  usershare max shares = 0

  load printers = no
  printing = bsd
  disable spoolss = yes

  map hidden = yes
  create mask = 0775
  directory mask = 0775
  acl allow execute always = true

  # unix ext and wide links are incompatible. we need wide links.
  unix extensions = no
  wide links = yes

  comment = Home Directories
  browseable = no
  writable = yes

  comment = TLS Workspace
  path = /ws/ws
  writable = yes

> Btw, there's also security at the next time you run into such a nice one... :)

I thought about using security@, but discarded this idea in this case,
it haven't looked like a security issue. But now after thinking a bit
more, it well might be, and needs at least some investigation.



More information about the samba-technical mailing list