[Samba] Winbind local idmap/cache database security concerns

Andrew Bartlett abartlet at samba.org
Wed Jan 21 21:32:20 GMT 2004


On Thu, 2004-01-22 at 00:22, Shawn Iverson wrote:
> (Apologies to the list for the double posting...I was having email issues
> and wasn't sure that my emails were even leaving my domain.)
> 
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: Tuesday, January 20, 2004 9:51 PM
> 
> > You should never use pam_smb.  You should always use pam_winbind,
> > particularly as you are already using winbindd :-)
> 
> Are there security problems with pam_smb?  

It never does the slightest thing to validate that it is talking to the
real domain controller.  Particularly if you set 'client schannel = yes'
in your smb.conf, you can be assured that you are talking to a real DC.

> I know that its only apparent
> function is to validate passwords on a Samba/NT server.  It lacks much of
> the functionality for which I am looking.
>  
> > The idmap ldap backend is about ensuring a consistent UID mapping on
> > each machine, so things like NFS do not break.
> > 
> > > However, with the latter, all the features that winbind supports are
> > > lost since winbind is not running on the local machine (such as
> > > changing one's password) so I currently see no other way of
> > > implementing winbind.
> > 
> > Why are you not running winbind on each machine?  I'm a bit confused -
> > the idea is that you run winbindd on each client, so that they can
> > participate in the domain.
> 
> Believe me, I have been quite confused myself!  I was originally led to
> believe that winbind belonged only on a server and that clients did not need
> it at all, that somehow they accessed the server for winbind support.  I
> have learned since that this is definitely not the case.
>  
> > > What will keep a user from reading /var/cache/samba/winbind_cache.tdb
> > > and winbind_idmap.tdb?  I know that the owner is root and that each
> > > has the permissions 0600 (idmap had 0644, but I changed it to 0600).
> > > Despite that, isn't it easy enough for a user to crack the filesystem
> > > and gain access to these databases if so he/she wished?
> > 
> > Indeed - but they could also run 'getent group' and 'getent passwd' -
> > it's much faster ;-).  This information is available to any user who
> > is in the domain.
> 
> I found out that setting winbind enum users=no and winbind enum groups=no
> prevents getent from displaying domain information.  I am unsure of the
> potential consequences of turning off enumeration, though.

These are speed, not security hacks.  Winbindd will provide that
information anyway, and users can simply use other tools and their own
accounts to make the same queries.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
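The message above touches four settings a practitioner would check on a Samba 3 domain member: 'client schannel' (so a rogue DC cannot answer winbind), 'winbind enum users/groups' (a speed setting, not a security one), the idmap backend (per-host UIDs break NFS), and the mode and owner of the winbind tdb files. The script below is an added example written for this page, not Samba project code. It parses an smb.conf with Python's configparser and reports those points. The sample smb.conf is constructed; the defaults it assumes ('client schannel = auto', enumeration on) and the rule that Samba ignores case and whitespace in parameter names are assumptions, not something the thread states.

```python
"""Audit an smb.conf and winbind's tdb files for the points raised in the
thread.  Added example, not Samba project code; the sample smb.conf and the
parameter defaults below are assumptions."""
import configparser
import os
import stat
import tempfile

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def _normalize(name):
    # Assumed: Samba compares parameter names case-insensitively and ignores
    # whitespace, so "Client SChannel" and "clientschannel" are the same key.
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Parse smb.conf text; it is close enough to INI for configparser."""
    cp = configparser.ConfigParser(
        interpolation=None,            # smb.conf uses %U, %N, ... not INI interpolation
        delimiters=("=",),             # ':' occurs in values, e.g. ldap:ldap://host
        inline_comment_prefixes=None,  # keep ';' and '#' inside values
        strict=False,                  # tolerate a repeated parameter, as Samba does
    )
    cp.optionxform = _normalize
    cp.read_string(text)
    return cp


def audit_config(text):
    """Return (severity, parameter, message) triples for the [global] section."""
    cp = parse_smb_conf(text)
    if not cp.has_section("global"):
        return [("error", "global", "no [global] section found")]

    def get(name, default):
        return cp.get("global", name, fallback=default).strip().lower()

    findings = []
    # Bartlett's point: with 'client schannel = yes' winbind only accepts a DC
    # that can complete the netlogon secure channel.  Assumed default: auto.
    schannel = get("client schannel", "auto")
    if schannel in TRUE_WORDS:
        findings.append(("ok", "client schannel", "yes: DC must prove itself"))
    else:
        findings.append(("warn", "client schannel",
                         f"{schannel!r}: set 'yes' so a rogue DC cannot answer"))
    # Enumeration off is a speed setting; winbindd still answers per-user
    # lookups, so it hides nothing from a domain user.  Assumed default: yes.
    for p in ("winbind enum users", "winbind enum groups"):
        if get(p, "yes") in FALSE_WORDS:
            findings.append(("info", p, "no: saves time, not a security control"))
    # Without a shared idmap backend each host invents its own UID/GID map,
    # so file ownership on NFS exports disagrees between machines.
    backend = get("idmap backend", "")
    if backend:
        findings.append(("ok", "idmap backend", backend))
    else:
        findings.append(("info", "idmap backend",
                         "unset: per-host tdb map, UIDs differ across machines"))
    return findings


def tdb_mode_issue(mode, uid):
    """None when a winbind tdb has safe owner/permissions, else the problem."""
    if stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO):
        return "group/other can access it; expected 0600"
    if uid != 0:
        return "not owned by root"
    return None


def audit_tdb_files(paths):
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(("info", path, "not present"))
            continue
        issue = tdb_mode_issue(st.st_mode, st.st_uid)
        findings.append(("warn" if issue else "ok", path,
                         issue or f"mode {stat.S_IMODE(st.st_mode):04o}, root-owned"))
    return findings


# Constructed sample in the style of the 2004 setup discussed in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = domain
    ; no 'client schannel' line
    winbind enum users = no
    winbind enum groups = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    logon path = \\\\%N\\profiles\\%U

[homes]
    browseable = no
"""

if __name__ == "__main__":
    for sev, key, msg in audit_config(SAMPLE_SMB_CONF):
        print(f"[{sev}] {key}: {msg}")
    with tempfile.TemporaryDirectory() as d:  # stand-ins with the modes Iverson saw
        paths = []
        for name, mode in (("winbind_idmap.tdb", 0o644), ("winbind_cache.tdb", 0o600)):
            p = os.path.join(d, name)
            open(p, "wb").close()
            os.chmod(p, mode)
            paths.append(p)
        for sev, key, msg in audit_tdb_files(paths):
            print(f"[{sev}] {key}: {msg}")
```

Run against a real box with `audit_config(open("/etc/samba/smb.conf").read())` and `audit_tdb_files(["/var/cache/samba/winbind_cache.tdb", "/var/cache/samba/winbind_idmap.tdb"])`. The tdb check treats a root-owned 0600 file as fine; as the thread notes, that still only protects against local users who cannot read the file by other means, and the same data is available to any domain user through winbindd anyway.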