[Samba] Winbind local idmap/cache database security concerns
Andrew Bartlett
abartlet at samba.org
Wed Jan 21 02:51:06 GMT 2004
On Wed, 2004-01-21 at 02:24, Shawn Iverson wrote:
> I am currently working on implementing unified logons between linux and win
> computers on an NT4 domain. I have a samba test server with winbind working
> properly. All is going well, except that I am concerned about the winbind
> idmap database stored on the local linux workstations. My current
> understanding of winbind is that it must be on every machine, unless a
> winbind samba ldap backend/pam_smb combination is used.
You should never use pam_smb. You should always use pam_winbind,
particularly as you are already using winbindd :-)
The idmap ldap backend is about ensuring a consistent UID mapping on
each machine, so things like NFS do not break.
> However, with the
> latter, all the features that winbind supports are lost since winbind is not
> running on the local machine (such as changing one's password) so I currently
> see no other way of implementing winbind.
Why are you not running winbind on each machine? I'm a bit confused -
the idea is that you run winbindd on each client, so that they can
participate in the domain.
> What will keep a user from reading /var/cache/samba/winbind_cache.tdb and
> winbind_idmap.tdb? I know that the owner is root and that each has the
> permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that,
> isn't it easy enough for a user to crack the filesystem and gain access to
> these databases if so he/she wished?
Indeed - but they could also run 'getent group' and 'getent passwd' -
it's much faster ;-). This information is available to any user who is
in the domain.
> I am especially concerned about this
> because the cache and idmap contain information on what users and groups
> exist on the network and who belongs to what group. Is this not a potential
> security concern? For example, if a user gained access to these databases,
> they could identify all domain administrator accounts, correct?
>
> Perhaps there is a way to implement winbind so as to not have the cache and
> idmaps stored locally and still retain winbind's functionality. If anyone
> knows how I would be very interested.
I think you are looking for problems that don't exist.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
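A small permissions audit for the two tdb files the thread names, added here as an example rather than anything from the list or from Samba itself. The paths are the ones in Shawn's message, the expected mode (root-owned 0600) is the one he set by hand, and the optional OWNER argument is an assumption added so the check can be tried on a test file you own.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): flag winbindd tdb files that are
# not root-owned mode 0600. Paths are the ones named in the thread; adjust them
# to your build's lock directory if they differ.
WINBIND_TDBS="/var/cache/samba/winbind_cache.tdb /var/cache/samba/winbind_idmap.tdb"

# audit_tdb FILE [OWNER]: prints OK/FIX/MISSING for FILE and returns 0 only when
# it exists, is owned by OWNER (default root) and has mode 0600.
audit_tdb() {
    f=$1
    want_owner=${2:-root}
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$mode" = "600" ] && [ "$owner" = "$want_owner" ]; then
        echo "OK      $f ($owner $mode)"
        return 0
    fi
    echo "FIX     $f ($owner $mode) -> chown $want_owner; chmod 0600"
    return 1
}

# audit_all: check every file in WINBIND_TDBS; the return value is the number
# of files that need attention (0 means all are as expected).
audit_all() {
    bad=0
    for f in $WINBIND_TDBS; do
        audit_tdb "$f" || bad=$((bad + 1))
    done
    return $bad
}
```

Run `audit_all` as root on a domain member to list any tdb that has drifted back to 0644.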