[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain

William Marshall bmarsh at us.ibm.com
Mon May 18 20:12:47 GMT 2009

I don't want to call this a security problem, since it isn't a code 
exploit, but many people might have this problem.

The other day a user was removed from our SLES samba-3.0.28-0.6 domain 
due to inactivity, but he still needed his account, so I recreated it. I 
didn't try to restore the LDAP data, so he got a new SID, etc.

I was amazed to find that once his userid was created, he was already 
(still) in the groups that he had been in before.

It would be possible for you to delete a userid who is in Domain Admins, 
and then have someone else request that userid days or weeks later. That 
userid would probably be a member of the Domain Admins upon creation.

After digging into what happened, as a Linux admin, this makes sense to 
me, but as a Windows admin, this "blows me away". I had assumed that SIDs 
were used in most places, but with a LDAP backend, group membership is 
stored by name, not by SID.

In the smb.conf we are not using the smbldap-tools tools anymore and we 
have set:
 ldapsam:editposix = yes
 passdb backend = ldapsam:"ldap://"

A solution to this problem might be for Samba to remove a user from all 
the groups before the account is deleted. (I will probably code this into 
our account cleanup scripts.)
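The membership-by-name behaviour described above, and the cleanup the post proposes, can both be shown against a posixGroup/posixAccount directory dump. The following is an added example and not code from the post or from Samba or smbldap-tools: it works on an LDIF text export instead of a live directory, and the DNs, uids and group names are constructed. `stale_memberships` reports memberUid values that no longer resolve to a posixAccount (exactly the names a recreated account would silently inherit), and `removal_ldif` emits the `ldapmodify` changes that strip a uid from every group before the account entry is removed.

```python
"""
Stale-membership audit and pre-delete cleanup for an ldapsam-style directory.

Added example (not from the original post). Operates on LDIF text rather
than a live LDAP server; all entries below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample LDIF: two posixGroup entries and two posixAccount entries.
# "olduser" has no account entry any more, so the groups still naming it are
# stale references that a re-created "olduser" would pick up on creation.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: bmarsh
memberUid: olduser

dn: cn=users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 513
memberUid: bmarsh
memberUid: olduser
memberUid: alice

dn: uid=bmarsh,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bmarsh
uidNumber: 1001

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1002
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of (dn, {attr: [values]}) tuples.
    Handles only the plain 'attr: value' form (no base64 '::', no folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def groups_referencing(entries, uid):
    """DNs of posixGroup entries whose memberUid list contains uid (matched by name,
    which is why a new SID for the same name changes nothing here)."""
    return [dn for dn, a in entries
            if "posixGroup" in a.get("objectClass", [])
            and uid in a.get("memberUid", [])]


def stale_memberships(entries):
    """Map each memberUid with no matching posixAccount to the groups still naming it."""
    accounts = {a["uid"][0] for _, a in entries
                if "posixAccount" in a.get("objectClass", []) and a.get("uid")}
    stale = defaultdict(list)
    for dn, a in entries:
        if "posixGroup" not in a.get("objectClass", []):
            continue
        for member in a.get("memberUid", []):
            if member not in accounts:
                stale[member].append(dn)
    return dict(stale)


def removal_ldif(entries, uid):
    """LDIF change records that remove uid from every group it is named in.
    Apply with ldapmodify before deleting the account entry itself."""
    chunks = [f"dn: {dn}\nchangetype: modify\ndelete: memberUid\nmemberUid: {uid}\n"
              for dn in groups_referencing(entries, uid)]
    return "\n".join(chunks)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("stale memberUid references:", stale_memberships(ents))
    print(removal_ldif(ents, "bmarsh"))
```

In a real cleanup script the LDIF would come from `ldapsearch -LLL` over the groups container and the generated change records would be piped into `ldapmodify`; running the stale-membership audit periodically also catches deletions that bypassed the script.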

This also means renaming an ID would be more involved than I (given a 
Windows background) had assumed. We don't do it, but I had assumed that an 
account rename from usermanager would work.

Bill Marshall
