[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain
bmarsh at us.ibm.com
Mon May 18 20:12:47 GMT 2009
I don't want to call this a security problem, since it isn't a code
exploit, but many people might have this problem.
The other day a user was removed from our SLES samba-3.0.28-0.6 domain
due to inactivity, but he still needed his account, so I recreated it. I
didn't try to restore the LDAP data, so he got a new SID, etc.
I was amazed to find that once his userid was created, he was already
(still) in the groups that he had been in before.
It would be possible for you to delete a userid who is in Domain Admins,
and then have someone else request that userid days or weeks later. That
userid would probably be a member of the Domain Admins upon creation.
After digging into what happened, as a Linux admin, this makes sense to
me, but as a Windows admin, this "blows me away". I had assumed that SIDs
were used in most places, but with an LDAP backend, group membership is
stored by name, not by SID.
In the smb.conf we are not using the smbldap-tools tools anymore and we
ldapsam:editposix = yes
passdb backend = ldapsam:"ldap://127.0.0.1"
A solution to this problem might be for Samba to remove a user from all
the groups before the account is deleted. (I will probably code this into
our account cleanup scripts.)
This also means renaming an ID would be more involved than I (given a
Windows background) had assumed. We don't do it, but I had assumed that an
account rename from User Manager would work.
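The cleanup step the post suggests, as an added example that is not part of the original message or of Samba: it parses ldapsam-style posixGroup entries, emits the LDIF modify records that strip a user from every group before the account is deleted, and flags memberUid values that no longer resolve to any posixAccount (the leftovers that let a recreated user inherit old memberships). The directory contents are constructed sample data, and the DNs and attribute layout are assumptions.

```python
"""Added example (not from the post): LDIF changes that strip a user from every posixGroup
before deletion, plus a check for stale memberUid values. Sample data is constructed."""
import re

SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: alice
memberUid: bob

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: bob
memberUid: carol

dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: alice
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for each entry in a simple LDIF string."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def groups_for_user(entries, username):
    """DNs of every posixGroup listing username in memberUid (matched by name, not SID)."""
    return [dn for dn, a in entries
            if "posixGroup" in a.get("objectClass", []) and username in a.get("memberUid", [])]

def removal_ldif(entries, username):
    """LDIF modify records that drop username from each group; apply before deleting the account."""
    records = []
    for dn in groups_for_user(entries, username):
        records.append(f"dn: {dn}\nchangetype: modify\ndelete: memberUid\nmemberUid: {username}\n-\n")
    return "\n".join(records)

def stale_members(entries):
    """memberUid values with no matching posixAccount uid: leftovers of already-deleted users."""
    known = {u for _, a in entries
             if "posixAccount" in a.get("objectClass", []) for u in a.get("uid", [])}
    listed = {m for _, a in entries
              if "posixGroup" in a.get("objectClass", []) for m in a.get("memberUid", [])}
    return sorted(listed - known)
```

In the sample, "bob" has no posixAccount but is still listed in Domain Admins, which is exactly the state the post describes; a periodic run of stale_members() catches it before the name is reused.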