[Samba] BDC returning wrong Domain Group membership ?

Peter Rindfuss rindfuss at wzb.eu
Tue Aug 12 16:18:53 GMT 2008

Hi all,

I have just noticed the following situation:

Our NT4-style domain users are often (not always) seen by Windows XP as 
members of

Domain Users and
Domain Guests and
Domain Admins and
Domain Computers

although they are definitely only members of "Domain Users". This gives 
us a security problem as "Domain Admins" become local Administrators. 
They are not real "Domain Admins", i.e. there is no problem for the 
domain functions.

Our environment is:
Samba 3.0.24 PDC (Suse Linux 10.0) [cannot upgrade at the moment]
Samba 3.2.1  BDC (Suse Linux 10.3)
Win XP Pro SP3 clients
Database on PDC and BDC is OpenLDAP (replication on BDC).

I could track this down to the following: If I turn off Samba on the 
BDC, everything (after logoff/logon) is ok.  Analyses with "Wireshark" 
and "Process Monitor" show that only if a client retrieves information 
from the BDC, things go wrong.

N.B. The same problem existed when the BDC was at Samba 3.026a.

Thanks in advance for ideas and help
Peter Rindfuss
