[Samba] Samba and winbind with LDAP IDMAP backend - user connects with Domain Admin permissions

Stang, Sharol sls at hsa.co.merced.ca.us
Fri Aug 10 16:40:46 GMT 2007


Hi,

Please Help! My normal users are able to gain access to all home
directories even though the group owner is Domain Admins. I have set the
permissions to 770 while testing and the group to Domain Admin on all
directories.

I have a Server2003 AD Domain with a clustered RHEL5 samba server for
the home directory. I am using samba 3.0.23 with Winbind and LDAP idmap
backend. This server is still in testing to replace a RH9 samba server.

Below I have listed the ID of three users. One is a Domain Admin, the
others are normal users. The logs show the users initially logging in
with Domain Admins rights! (GID 5004) I tried creating another group
called DADMIN and changing the ownership to that and had the same
result! The user would connect initially as group DADMIN.

id w11350

uid=5213(w11350) gid=5004(Domain Admins) groups=5004(Domain Admins),5000(Domain Users),5117(BUILTIN\administrators),5118(BUILTIN\users)

ls -l |grep w11350

drwxrwx---  14 w11350     Domain Admins  4096 Aug  9 12:52 w11350

id w11664

uid=5598(w11664) gid=5000(Domain Users) groups=5000(Domain Users,5118(BUILTIN\users)

ls -l |grep w11664

drwxrwx---   3 w11664     Domain Admins  4096 Aug  8 15:31 w11664

/var/log/samba/24001wk001.log

24001wk001 (x.151.18.23) signed connect to service users initially as user w11664 (uid=5598, gid=5004) (pid 5802)

id w10828

uid=6007(w10828) gid=5000(Domain Users) groups=5000(Domain Users),5118(BUILTIN\users)

ls -l |grep w10828

drwxrwx---  18 w10828     Domain Admins  4096 Jun 13 08:06 w10828

/var/log/samba/24001wk226.log

24001wk226 (x.151.19.7) signed connect to service users initially as user w10828 (uid=6007, gid=5004) (pid 23707)

I edited out the company names, but here is the smb.conf

[global]
        workgroup = DOMAIN
        realm = COMPANY.COM
        netbios name = HSA-SMB
        server string = HSA-SMB
        interfaces = x.151.1.200
        bind interfaces only = Yes
        security = ADS
        client schannel = No
        password server = x.151.1.25 x.151.1.21
        username map = /etc/samba/smbusers
        log file = /var/log/samba/%m.log
        smb ports = 445
        name resolve order = host wins bcast
        server signing = auto
        client use spnego = Yes
        preferred master = No
        local master = No
        domain master = No
        ldap admin dn = CN=Manager,DC=company,DC=com
        ldap idmap suffix = ou=Idmap
        ldap suffix = DC=company,DC=com
        ldap ssl = no
        lock directory = /var/cache/samba/HSA-SMB
        pid directory = /var/run/samba/HSA-SMB
        idmap backend = ldap:ldap://x.151.1.102
        idmap uid = 5000-10000
        idmap gid = 5000-10000
        winbind cache time = 5
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind enum users = Yes
        winbind enum groups = Yes

[users]
        comment = user's home directory
        path = /mnt/cluster/home/users
        force group = "Domain Admins"
        create mask = 0770
        directory mask = 0770
        browseable = No
        read only = No

Thank you so much for your help!

-sharol
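An added check, not part of Sharol's post: in Samba, `force group` makes the named group the primary group of every session on that share, which is what the `gid=5004` in the connect log lines records, so a 0770 directory owned by that group is open to anyone who can connect. The script below scans an smb.conf for share-level identity overrides (`force user`, `force group`, `admin users`); the config text is a constructed sample modelled on the one above.

```shell
#!/bin/sh
# Added example: report smb.conf shares that override the connecting
# user's identity. Constructed sample config, shaped like the post's.
SAMPLE_CONF='[global]
        workgroup = DOMAIN
        security = ADS

 [users]
        comment = home directories
        path = /mnt/cluster/home/users
        force group = "Domain Admins"
        create mask = 0770

[public]
        path = /srv/public
        read only = No
'

# identity_overrides CONF_TEXT
# Prints "share<TAB>parameter<TAB>value" for every share that sets
# force user, force group or admin users. Section headers may carry
# leading whitespace (as [users] does above); # and ; lines are comments.
identity_overrides() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            share = s; next
        }
        /^[ \t]*[#;]/ { next }
        /=/ {
            # normalise the key: trim, lower-case, collapse inner spaces
            k = $0; sub(/=.*/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            k = tolower(k)
            if (k == "force user" || k == "force group" || k == "admin users") {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                printf "%s\t%s\t%s\n", share, k, v
            }
        }'
}

identity_overrides "$SAMPLE_CONF"
```

Run it against the real file with `identity_overrides "$(cat /etc/samba/smb.conf)"`; any share that lists a privileged group here hands that group's file access to every user allowed onto the share.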
