[Samba] Winbind local idmap/cache database security concerns

Andrew Bartlett abartlet at samba.org
Wed Jan 21 02:51:06 GMT 2004

On Wed, 2004-01-21 at 02:24, Shawn Iverson wrote:
> I am currently working on implementing unified logons between linux and win
> computers on an NT4 domain.  I have a samba test server with winbind working
> properly.  All is going well, except that I am concerned about the winbind
> idmap database stored on the local linux workstations.  My current
> understanding of winbind is that it must be on every machine, unless a
> winbind samba ldap backend/pam_smb combination is used.

You should never use pam_smb.  You should always use pam_winbind,
particularly as you are already using winbindd :-)

The idmap ldap backend is about ensuring a consistent UID mapping on
each machine, so things like NFS do not break.

> However, with the
> latter, all the features that winbind supports are lost since winbind is not
> running on the local machine (such as changing one's password) so I currently
> see no other way of implementing winbind.

Why are you not running winbind on each machine?  I'm a bit confused -
the idea is that you run winbindd on each client, so that they can
participate in the domain.

> What will keep a user from reading /var/cache/samba/winbind_cache.tdb and
> winbind_idmap.tdb?  I know that the owner is root and that the each has the
> permissions 0600 (idmap had 0644, but I changed it to 0600).  Despite that,
> isn't it easy enough for a user to crack the filesystem and gain access to
> these databases if so he/she wished?   

Indeed - but they could also run 'getent group' and 'getent passwd' -
it's much faster ;-).  This information is available to any user who is
in the domain.

> I am especially concerned about this
> because the cache and idmap contain information on what users and groups
> exist on the network and who belongs to what group.  Is this not a potential
> security concern?  For example, if a user gained access to these databases,
> they could identify all domain administrator accounts, correct?
> Perhaps there is a way to implement winbind so as to not have the cache and
> idmaps stored locally and still retain winbind's functionality.  If anyone
> knows how I would be very interested.

I think you are looking for problems that don't exist.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
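Added example (not from either poster, and not Samba code): a small shell script that puts the two points above side by side. audit_tdb_perms flags any winbind tdb file whose group/other permission bits are set, which is the 0644 -> 0600 change Shawn made by hand; group_members pulls the member list out of getent group output, the route Andrew points at, which needs no access to the tdb files at all. The function names, the /var/cache/samba default taken from the post and the SAMPLE_GETENT line are assumptions; the sample is a constructed line, not output from any real system.

```shell
#!/bin/sh
# Added example, not part of the original thread. Two offline-runnable checks
# for the concern raised above: (1) audit the winbind tdb files for group/other
# permission bits, the 0644 -> 0600 fix made by hand in the post; (2) pull group
# members out of getent-group-style lines, which is the same membership data
# the cache holds and is available to any domain user without touching a file.
# Function names, the sample line and the directory default are assumptions.

# Octal mode of a file; GNU/busybox stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# For every *.tdb in a directory print "<path> <mode> INSECURE|ok".
# Returns 1 if any file has group or other bits set (or could not be read), else 0.
audit_tdb_perms() {
    dir="${1:-/var/cache/samba}"   # default taken from the paths in the post
    rc=0
    for f in "$dir"/*.tdb; do
        [ -e "$f" ] || continue
        mode=$(file_mode "$f")
        mode=${mode#0}             # drop a leading zero so arithmetic stays decimal
        if [ -z "$mode" ]; then
            echo "$f ? unknown"
            rc=1
            continue
        fi
        # The low two octal digits are group and other; any non-zero bit
        # means someone other than the owner can read or write the database.
        if [ "$((mode % 100))" -ne 0 ]; then
            echo "$f $mode INSECURE"
            rc=1
        else
            echo "$f $mode ok"
        fi
    done
    return "$rc"
}

# Print one member per line from getent-group-style input on stdin
# ("name:passwd:gid:member1,member2"). Real use on a winbind host:
#   getent group 'DOMAIN\Domain Admins' | group_members
group_members() {
    awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Constructed sample of what getent group prints for a winbind group
# (default "\" separator); not real output from any system.
SAMPLE_GETENT='DOMAIN\Domain Admins:x:10001:DOMAIN\administrator,DOMAIN\shawn'

# Stand-alone demonstration (harmless if /var/cache/samba does not exist).
audit_tdb_perms /var/cache/samba || echo "fix: chmod 600 the flagged files"
printf '%s\n' "$SAMPLE_GETENT" | group_members
```

On a real winbind host, `getent group 'DOMAIN\Domain Admins' | group_members` (with your own domain and group names) returns the same list a user could dig out of winbind_cache.tdb, provided winbind is configured to report domain group members through NSS; that equivalence is the point Andrew makes above, and the audit only confirms that the on-disk copy is no easier to reach than the NSS one.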