[Samba] BDC returning wrong Domain Group membership ?
Peter Rindfuss
rindfuss at wzb.eu
Tue Aug 12 16:18:53 GMT 2008
Hi all,
I have just noticed the following situation:
Our NT4-style domain users are often (not always) seen by Windows XP as
members of
Domain Users and
Domain Guests and
Domain Admins and
Domain Computers
although they are definitely only members of "Domain Users". This gives
us a security problem as "Domain Admins" become local Administrators.
They are not real "Domain Admins", i.e. there is no problem for the
domain functions.
Our environment is:
Samba 3.0.24 PDC (Suse Linux 10.0) [cannot upgrade at the moment]
Samba 3.2.1 BDC (Suse Linux 10.3)
Win XP Pro SP3 clients
Database on PDC and BDC is OpenLDAP (replication on BDC).
I could track this down to the following: If I turn off Samba on the
BDC, everything (after logoff/logon) is ok. Analyses with "Wireshark"
and "Process Monitor" show that only if a client retrieves information
from the BDC, things go wrong.
N.B. The same problem existed when the BDC was at Samba 3.026a.
Thanks in advance for ideas and help
Peter Rindfuss