[Samba] Security risk to adding users to "Domain Admin" group
Samba
Samba at rainbowschools.ca
Thu Dec 1 20:44:20 GMT 2005
Craig White <craigwhite at azapple.com> on Thursday, December 1, 2005 at 3:28 PM -0500 wrote:
>On Thu, 2005-12-01 at 15:10 -0500, Samba wrote:
>> Hi everyone.
>>
>> Could anyone tell me what the repercussions would be of adding all users to "Domain Admins" in a Samba environment?
>> The reason I am asking is because we are getting a picker object error when trying to add "Domain Users" to the Local
>> Administrators group. Domain Admins gets added OK during join.
>----
>file security at all levels (local files/server based files).
>device security at all levels (local/server).
>password security at local level
>
>Seems to me that you should fix whatever isn't properly configured to
>solve your problem instead.
>
>from command line on samba server, what do you get when you run...
>
>net groupmap list # ?
>testparm -s # any errors?
>pdbedit -Lv Administrator # ?
>
>Craig
Here's the output of those commands. Samba is currently running on Mac OS X (10.4.3), Samba version 3.0.10.
You will notice that "Domain Admins" and "Domain Users" are missing the space between the words. That is due to us getting a
picker error with the space on our test server, which was verified by Apple.
Thanks.
-- Dominique
--------
osx-webbwood:~ root# net groupmap list #
[2005/12/01 15:40:02, 0] /SourceCache/samba/samba-92.9/samba/source/param/loadparm.c:map_parameter(2465)
Unknown parameter encountered: "domain admins"
[2005/12/01 15:40:02, 0] /SourceCache/samba/samba-92.9/samba/source/param/loadparm.c:lp_do_parameter(3155)
Ignoring unknown parameter "domain admins"
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_setgrpwent(2734)
odssam_setgrpwent: update(0)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754)
odssam_getgrpwent: entriesAvailable(0) contextData(0x0)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2766)
odssam_getgrpwent: entriesAvailable Take 2(33) contextData(0x321f50)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754)
odssam_getgrpwent: entriesAvailable(33) contextData(0x321f50)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2766)
odssam_getgrpwent: entriesAvailable Take 2(15) contextData(0x312e30)
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_getgrpwent(2754)
odssam_getgrpwent: entriesAvailable(15) contextData(0x312e30)
[2005/12/01 15:40:03, 0] pdb_ods.c:odssam_getgrpwent(2766)
odssam_getgrpwent: entriesAvailable Take 2(8) contextData(0x0)
[2005/12/01 15:40:03, 0] pdb_ods.c:odssam_getgrpwent(2754)
odssam_getgrpwent: entriesAvailable(8) contextData(0x0)
Nobody (S-1-0-0) -> nobody
Domain Guests (S-1-5-21-871659489-3572045746-3147238601-514) -> nogroup
System Group (S-1-5-21-100) -> wheel
Local System (S-1-5-18) -> daemon
Kernel Memory (S-1-5-21-102) -> kmem
System (S-1-5-21-103) -> sys
Terminal (S-1-5-21-104) -> tty
System Operators (S-1-5-21-105) -> operator
SMTP Mail (S-1-5-21-106) -> mail
Binary (S-1-5-21-107) -> bin
domainadmins (S-1-5-21-871659489-3572045746-3147238601-512) -> staff
smmsp (S-1-5-21-125) -> smmsp
Print Operators (S-1-5-32-550) -> lp
SMTP Mail Access (S-1-5-21-127) -> postfix
SMTP Mail Posting (S-1-5-21-128) -> postdrop
guest (S-1-5-21-871659489-3572045746-3147238601-1063) -> guest
utmp (S-1-5-21-145) -> utmp
uucp (S-1-5-21-166) -> uucp
Dialup (S-1-5-1) -> dialer
Network Config Users (S-1-5-21-169) -> network
HTTP Users (S-1-5-21-170) -> www
MySQL Users (S-1-5-21-174) -> mysql
SSH Users (S-1-5-21-175) -> sshd
QuickTime Streaming (S-1-5-21-176) -> qtss
Mailing List (S-1-5-21-178) -> mailman
Application Server (S-1-5-21-179) -> appserverusr
Administrators (S-1-5-32-544) -> admin
App Server Admins (S-1-5-21-181) -> appserveradm
Guests (S-1-5-32-546) -> unknown
SPAM Assassin Group 2 (S-1-5-21-183) -> amavisd
appowner (S-1-5-21-871659489-3572045746-3147238601-1175) -> appowner
SPAM Assassin Group 1 (S-1-5-21-183) -> clamav
Chat Server Group (S-1-5-21-184) -> jabber
securityagent (S-1-5-21-871659489-3572045746-3147238601-1185) -> securityagent
tokend (S-1-5-21-871659489-3572045746-3147238601-1183) -> tokend
windowserver (S-1-5-21-871659489-3572045746-3147238601-1177) -> windowserver
xgridagent (S-1-5-21-871659489-3572045746-3147238601-1173) -> xgridagent
xgridcontroller (S-1-5-21-871659489-3572045746-3147238601-1171) -> xgridcontroller
Everyone (S-1-1-0) -> everyone
Authenticated Users (S-1-5-11) -> authedusers
Interactive (S-1-5-4) -> interactusers
Network (S-1-5-2) -> netusers
Terminal Server User (S-1-5-13) -> consoleusers
Creator Owner (S-1-3-0) -> owner
Creator Group (S-1-3-1) -> group
Accessibility Group (S-1-5-21-190) -> accessibility
administrator (S-1-5-21-871659489-3572045746-3147238601-2003) -> administrator
certusers (S-1-5-21-871659489-3572045746-3147238601-1059) -> certusers
admin (S-1-5-21-871659489-3572045746-3147238601-1161) -> admin
staff (S-1-5-21-871659489-3572045746-3147238601-1041) -> staff
Teachers (S-1-5-21-871659489-3572045746-3147238601-3061) -> teachers
Teacher Administrators (S-1-5-21-871659489-3572045746-3147238601-3063) -> teacheradministrators
Students (S-1-5-21-871659489-3572045746-3147238601-3065) -> students
School Administrators (S-1-5-21-871659489-3572045746-3147238601-3067) -> schooladministrators
DomainUsers (S-1-5-21-871659489-3572045746-3147238601-513) -> domainusers
DomainAdmins (S-1-5-21-871659489-3572045746-3147238601-512) -> domainadmins
osx-webbwood:~ root#
----------------
osx-webbwood:~ root# testparm -s #
Load smb config files from /private/etc/smb.conf
Unknown parameter encountered: "domain admins"
Ignoring unknown parameter "domain admins"
Processing section "[Hand_In]"
Processing section "[Hand_Out]"
Processing section "[Teacher-Homes]"
Processing section "[Work_Folder]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[Student_Files]"
Processing section "[Student-Homes]"
Processing section "[netlogon]"
Processing section "[Users]"
Processing section "[Programs]"
Processing section "[Teacher_Files]"
Processing section "[Utility]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Invalid combination of parameters for service Hand_In. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Hand_Out. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Teacher-Homes. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Work_Folder. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service homes. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service printers. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Student_Files. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Student-Homes. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Users. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Programs. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Teacher_Files. Level II oplocks can only be set if
oplocks are also set.
Invalid combination of parameters for service Utility. Level II oplocks can only be set if
oplocks are also set.
# Global parameters
[global]
dos charset = CP437
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
workgroup = WEBBWOOD
netbios name = WEBBWOODOSX
server string = osx.webbwood
auth methods = guest, opendirectory
allow trusted domains = No
map to guest = Bad User
passdb backend = opendirectorysam, guest
guest account = unknown
log level = 2
defer sharing violations = No
deadtime = 5
add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n "/LDAPv3/127.0.0.1"
add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u -n "/LDAPv3/127.0.0.1"
logon path = \\%N\profiles\%u
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
lock directory = /var/db/samba
brlm = Yes
printer admin = @admin, @staff
vfs objects = darwin_acls
[Hand_In]
comment = macosx
path = /Shared Items/Hand_In
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Hand_Out]
comment = macosx
path = /Shared Items/Hand_Out
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Teacher-Homes]
comment = macosx
path = /Volumes/Homes/Teacher-Homes
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Work_Folder]
comment = macosx
path = /Shared Items/Work_Folder
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[homes]
comment = User Home Directories
read only = No
create mask = 0750
browseable = No
root preexec = /usr/sbin/inituser %U
[profiles]
path = /Users/Profiles
read only = No
browseable = No
oplocks = Yes
strict locking = No
[printers]
path = /tmp
printable = Yes
browseable = No
[Student_Files]
comment = macosx
path = /Shared Items/Student_Files
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Student-Homes]
comment = macosx
path = /Volumes/Homes/Student-Homes
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[netlogon]
path = /etc/netlogon
write list = @admin
browseable = No
oplocks = Yes
strict locking = No
[Users]
comment = macosx
path = /Users
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Programs]
comment = macosx
path = /Shared Items/Programs
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Teacher_Files]
comment = macosx
path = /Shared Items/Teacher_Files
read only = No
create mask = 0644
guest ok = Yes
map archive = No
[Utility]
comment = macosx
path = /Shared Items/Utility
read only = No
create mask = 0644
guest ok = Yes
map archive = No
osx-webbwood:~ root#
-------------------
osx-webbwood:~ root# pdbedit -Lv Administrator #
Unknown parameter encountered: "domain admins"
Ignoring unknown parameter "domain admins"
No builtin backend found, trying to load plugin
Module '/usr/lib/samba/pdb/opendirectorysam.so' loaded
Unix username: administrator
NT username: Administrator
Account Flags: [U ]
User SID: S-1-5-21-871659489-3572045746-3147238601-2002
Primary Group SID: S-1-5-21-871659489-3572045746-3147238601-513
Full Name: Administrator
Home Directory: \\webbwoodosx\administrator
HomeDir Drive: H:
Logon Script:
Profile Path: \\webbwoodosx\profiles\administrator
Domain: WEBBWOOD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 UTC
Kickoff time: Mon, 18 Jan 2038 22:14:07 UTC
Password last set: 0
Password can change: 0
Password must change: Mon, 18 Jan 2038 22:14:07 UTC
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
osx-webbwood:~ root#
--------
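An added check over this kind of output (example code, not part of the thread and not a Samba tool): it parses `net groupmap list` and `testparm -s` text, reports SIDs that are mapped more than once, shows which unix groups the domain's well-known RIDs 512/513/514 resolve to, and lists shares that are both `guest ok = Yes` and writable. The sample strings are a subset of the lines posted in the message; the function names, the regular expression and the RID table are this example's own.

```python
"""Added example: sanity checks over `net groupmap list` / `testparm -s` output."""
import re
from collections import defaultdict

# Domain-relative RIDs with a fixed meaning (standard Windows/Samba values).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Mapping lines look like:  NT name (SID) -> unixgroup
GROUPMAP_LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group), ...]; Samba log lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], m["unix"]))
    return rows


def duplicate_sids(rows):
    """SIDs listed more than once.  One SID resolving to two different unix
    groups means an access check depends on which entry Samba picks."""
    by_sid = defaultdict(list)
    for name, sid, unix in rows:
        by_sid[sid].append((name, unix))
    return {sid: v for sid, v in by_sid.items() if len(v) > 1}


def well_known_rid_mappings(rows, domain_sid):
    """unix groups that this domain's RIDs 512/513/514 resolve to."""
    out = defaultdict(list)
    for _name, sid, unix in rows:
        prefix, _, rid = sid.rpartition("-")
        if prefix == domain_sid and rid.isdigit() and int(rid) in WELL_KNOWN_RIDS:
            out[int(rid)].append(unix)
    return dict(out)


def parse_smbconf(text):
    """Parse `testparm -s` style output into {section: {param: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key.lower()] = value
    return conf


def guest_writable_shares(conf):
    """Shares with `guest ok = Yes` that are not read only.  Combined with
    `map to guest = Bad User`, any unknown username can write there."""
    hits = []
    for share, params in conf.items():
        if share == "global":
            continue
        guest = params.get("guest ok", "No").lower() == "yes"
        read_only = params.get("read only", "Yes").lower() == "yes"
        if guest and not read_only:
            hits.append(share)
    return hits


# Sample input: lines copied from the output posted above (subset only).
DOMAIN_SID = "S-1-5-21-871659489-3572045746-3147238601"
GROUPMAP_SAMPLE = """\
Unknown parameter encountered: "domain admins"
[2005/12/01 15:40:02, 0] pdb_ods.c:odssam_setgrpwent(2734)
Domain Guests (S-1-5-21-871659489-3572045746-3147238601-514) -> nogroup
domainadmins (S-1-5-21-871659489-3572045746-3147238601-512) -> staff
Administrators (S-1-5-32-544) -> admin
SPAM Assassin Group 2 (S-1-5-21-183) -> amavisd
SPAM Assassin Group 1 (S-1-5-21-183) -> clamav
DomainUsers (S-1-5-21-871659489-3572045746-3147238601-513) -> domainusers
DomainAdmins (S-1-5-21-871659489-3572045746-3147238601-512) -> domainadmins
"""
SMBCONF_SAMPLE = """\
# Global parameters
[global]
    map to guest = Bad User
    guest account = unknown
[Users]
    path = /Users
    read only = No
    guest ok = Yes
[netlogon]
    path = /etc/netlogon
    write list = @admin
[homes]
    read only = No
    create mask = 0750
"""

if __name__ == "__main__":
    rows = parse_groupmap(GROUPMAP_SAMPLE)
    for sid, entries in duplicate_sids(rows).items():
        print("duplicate SID", sid, entries)
    print("well-known RIDs:", well_known_rid_mappings(rows, DOMAIN_SID))
    print("guest-writable shares:", guest_writable_shares(parse_smbconf(SMBCONF_SAMPLE)))
```

Run over the full output posted above, the first check reports the domain's RID 512 twice (once as `domainadmins -> staff`, once as `DomainAdmins -> domainadmins`) and `S-1-5-21-183` twice, and the last check lists every `comment = macosx` share plus `[Users]`, since each of them combines `guest ok = Yes` with `read only = No`.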