[Samba] admin users security implications
David Disseldorp
ddiss at sgi.com
Tue Aug 28 01:34:59 GMT 2007
Hi,

MMC shares permission configuration is required by an AD administrator.
I would like to add the admin users parameter to the Samba 3.0.24 server
to provide this functionality, however I have some security concerns:

Would it be possible for a connected user to fake the SID of an Administrator,
and hence gain root access to the share?

Does adding the admin users entry in the [globals] section differ in any way
from manually adding it under each share?

Cheers, Dave

[global]
workgroup = ADDOMAIN
printcap name = /dev/null
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = true
idmap uid = 10000-20000
idmap gid = 10000-20000
use sendfile = true
max xmit = 65535
strict locking = false
strict sync = true
add user script = /usr/sbin/useradd -s /bin/false %u
delete user script = /usr/sbin/userdel %u
server string =
realm = ADDOMAIN.HERE.COM
security = ADS
winbind separator = +
winbind enum groups = true
winbind enum users = true
wins server = 192.168.4.77
client schannel = no
admin users = ADDOMAIN+administrator
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = false
read only = false
inherit acls = true
[scratch]
path = /mnt/scratch
comment = scratch
writeable = true
guest ok = true
sync always = false
follow symlinks = true
wide links = true
...
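
Added example, not part of the original post or of Samba: a small audit script that resolves the effective admin users value for each share in an smb.conf. It relies on the documented smb.conf behaviour that a share-level parameter set in [global] becomes the default for every share unless the share overrides it. The function names and the abbreviated sample configuration are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the smb.conf in the post above.
SAMPLE = """\
[global]
security = ADS
admin users = ADDOMAIN+administrator
[homes]
valid users = %S, %D%w%S
read only = false
[scratch]
path = /mnt/scratch
guest ok = true
wide links = true
"""

def parse(text):
    """Return {section: {param: value}}; 'include' lines are not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def effective_admin_users(text):
    """Map each share to (admin users value, origin, co-set options to review)."""
    sections = parse(text)
    glob = sections.get("global", {})
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        merged = {**glob, **params}  # a share's own setting overrides [global]
        value = merged.get("adminusers", "")
        origin = ("share" if "adminusers" in params
                  else "global" if value else "unset")
        # Only explicitly set options are checked; built-in defaults are not modelled.
        review = [k for k in ("guestok", "widelinks")
                  if value and merged.get(k, "").lower() in ("yes", "true", "1")]
        report[name] = (value, origin, review)
    return report

if __name__ == "__main__":
    for share, row in effective_admin_users(SAMPLE).items():
        print(share, row)
```

On the sample, both [homes] and [scratch] inherit the admin user from [global], and [scratch] is listed for review because it also sets guest ok and wide links.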