[Samba] Winbind local idmap/cache database security concerns

Shawn Iverson shawn at nccsc.k12.in.us
Wed Jan 21 13:22:20 GMT 2004

(Apologies to the list for the double posting...I was having email issues
and wasn't sure that my emails were even leaving my domain.)

> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, January 20, 2004 9:51 PM

> You should never use pam_smb.  You should always use pam_winbind,
> particularly as you are already using winbindd :-)

Are there security problems with pam_smb?  I know that its only apparent
function is to validate passwords on a Samba/NT server.  It lacks much of
the functionality for which I am looking.

> The idmap ldap backend is about ensuring a consistent UID mapping on
> each machine, so things like NFS do not break.
> > However, with the latter, all the features that winbind supports are
> > lost since winbind is not running on the local machine (such as
> > changing one's password) so I currently see no other way of
> > implementing winbind.
> Why are you not running winbind on each machine?  I'm a bit confused -
> the idea is that you run winbindd on each client, so that they can
> participate in the domain.

Believe me, I have been quite confused myself!  I was originally led to
believe that winbind belonged only on a server and that clients did not need
it at all, that somehow they accessed the server for winbind support.  I
have learned since that this is definitely not the case.

> > What will keep a user from reading /var/cache/samba/winbind_cache.tdb
> > and winbind_idmap.tdb?  I know that the owner is root and that each
> > has the permissions 0600 (idmap had 0644, but I changed it to 0600).
> > Despite that, isn't it easy enough for a user to crack the filesystem
> > and gain access to these databases if so he/she wished?
> Indeed - but they could also run 'getent group' and 'getent passwd' -
> it's much faster ;-).  This information is available to any user who is
> in the domain.

I found out that setting winbind enum users=no and winbind enum groups=no
prevents getent from displaying domain information.  I am unsure of the
potential consequences of turning off enumeration, though.
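A small audit script added here as an example (it is not from the thread or from Samba): it checks the two tdb files named above for the exposure discussed, i.e. that each is root-owned with no group/other permission bits, as the 0644 idmap file was not. The file list and the EXPECTED_OWNER variable are assumptions of this example.

```shell
#!/bin/sh
# Audit winbind's local tdb files for the exposure discussed above:
# each should be owned by root with no group/other permission bits (0600).
# The two paths are the ones named in the thread; EXPECTED_OWNER is an
# assumption added here so the check can be exercised as a non-root user.

WINBIND_TDBS="/var/cache/samba/winbind_cache.tdb /var/cache/samba/winbind_idmap.tdb"
EXPECTED_OWNER=${EXPECTED_OWNER:-root}

# check_tdb_perms FILE
#   prints one verdict line; returns 0 = OK, 1 = weak owner/permissions,
#   2 = file missing.
check_tdb_perms() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    # ls -ld gives e.g. "-rw-r--r-- 1 root root 8192 Jan 21  2004 file":
    # columns 5-10 of the mode string are the group and other bits.
    line=$(ls -ld "$f")
    owner=$(echo "$line" | awk '{print $3}')
    grp_other=$(echo "$line" | cut -c5-10)
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "WEAK    $f owned by $owner, expected $EXPECTED_OWNER"
        return 1
    fi
    if [ "$grp_other" != "------" ]; then
        echo "WEAK    $f has group/other bits '$grp_other', expected 0600"
        return 1
    fi
    echo "OK      $f"
    return 0
}

# audit_winbind_tdbs [FILE...]
#   checks every file given (default: WINBIND_TDBS); returns the number
#   of files that were not confirmed OK, so 0 means everything is locked down.
audit_winbind_tdbs() {
    [ $# -gt 0 ] || set -- $WINBIND_TDBS
    findings=0
    for f in "$@"; do
        check_tdb_perms "$f" || findings=$((findings + 1))
    done
    return $findings
}
```

Run `audit_winbind_tdbs` with no arguments on a host running winbindd to check the default paths, or pass other tdb paths explicitly.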
