[Samba] Winbind local idmap/cache database security concerns
Shawn Iverson
shawn at nccsc.k12.in.us
Wed Jan 21 13:22:20 GMT 2004
(Apologies to the list for the double posting... I was having email issues
and wasn't sure that my emails were even leaving my domain.)
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, January 20, 2004 9:51 PM
> You should never use pam_smb. You should always use pam_winbind,
> particularly as you are already using winbindd :-)
Are there security problems with pam_smb? I know that its only apparent
function is to validate passwords on a Samba/NT server. It lacks much of
the functionality for which I am looking.
> The idmap ldap backend is about ensuring a consistent UID mapping on
> each machine, so things like NFS do not break.
>
> > However, with the latter, all the features that winbind supports are lost
> > since winbind is not running on the local machine (such as changing one's
> > password) so I currently see no other way of implementing winbind.
>
> Why are you not running winbind on each machine? I'm a bit confused -
> the idea is that you run winbindd on each client, so that they can
> participate in the domain.
Believe me, I have been quite confused myself! I was originally led to
believe that winbind belonged only on a server and that clients did not need
it at all, that somehow they accessed the server for winbind support. I
have learned since that this is definitely not the case.
> > What will keep a user from reading /var/cache/samba/winbind_cache.tdb and
> > winbind_idmap.tdb? I know that the owner is root and that each has the
> > permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that,
> > isn't it easy enough for a user to crack the filesystem and gain access to
> > these databases if so he/she wished?
>
> Indeed - but they could also run 'getent group' and 'getent passwd' -
> it's much faster ;-). This information is available to any user who is
> in the domain.
I found out that setting winbind enum users=no and winbind enum groups=no
prevents getent from displaying domain information. I am unsure of the
potential consequences of turning off enumeration, though.