[Samba] admin users security implications

David Disseldorp ddiss at sgi.com
Tue Aug 28 01:34:59 GMT 2007


Hi,

MMC shares permission configuration is required by an AD administrator.

I would like to add the admin users parameter to the Samba 3.0.24 server
to provide this functionality, however I have some security concerns:

Would it be possible for a connected user to fake the SID of an Administrator,
and hence gain root access to the share?

Does adding the admin users entry in the [global] section differ in any way
from manually adding it under each share?

Cheers, Dave

[global]
        workgroup = ADDOMAIN
        printcap name = /dev/null
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = true
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        use sendfile = true
        max xmit = 65535
        strict locking = false
        strict sync = true
        add user script = /usr/sbin/useradd -s /bin/false %u
        delete user script = /usr/sbin/userdel %u
        server string =
        realm = ADDOMAIN.HERE.COM
        security = ADS
        winbind separator = +
        winbind enum groups = true
        winbind enum users = true
        wins server = 192.168.4.77
        client schannel = no
        admin users = ADDOMAIN+administrator
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = false
        read only = false
        inherit acls = true
[scratch]
        path = /mnt/scratch
        comment = scratch
        writeable = true
        guest ok = true
        sync always = false
        follow symlinks = true
        wide links = true
...
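
On the [global] versus per-share question above: smb.conf treats a share-level parameter set in [global] as the default for every share that does not set it itself. The script below is an added example, not part of the original post or of Samba. It resolves the effective `admin users` list for each share over a constructed sample; `parse_smb_conf`, `effective_admin_users` and the `[locked]` share are hypothetical names.

```python
import re

# Constructed sample, trimmed from the configuration in the post; the
# [locked] share is hypothetical and added to show a per-share override.
SAMPLE_CONF = """\
[global]
        workgroup = ADDOMAIN
        winbind separator = +
        admin users = ADDOMAIN+administrator
[homes]
        read only = false
[scratch]
        path = /mnt/scratch
        guest ok = true
[locked]
        path = /mnt/locked
        admin users =
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Lowercase the name and collapse runs of whitespace inside it.
            current[" ".join(name.lower().split())] = value.strip()
    return sections

def effective_admin_users(sections, param="admin users"):
    """Map each share to (user list, where the value came from)."""
    default = sections.get("global", {}).get(param, "")
    result = {}
    for share, params in sections.items():
        if share == "global":
            continue
        source = "share" if param in params else "global"
        value = params.get(param, default)
        # Simplification: split on commas and whitespace, no quoting support.
        result[share] = ([u for u in re.split(r"[,\s]+", value) if u], source)
    return result

if __name__ == "__main__":
    for share, (users, source) in effective_admin_users(parse_smb_conf(SAMPLE_CONF)).items():
        print(f"[{share}] admin users = {users or 'none'} (from {source})")
```

The parser does not follow `include` lines or backslash continuations, so a file such as /etc/samba/dhcp.conf has to be checked separately.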

