[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain

simo idra at samba.org
Mon May 18 20:20:28 GMT 2009


On Mon, 2009-05-18 at 15:12 -0500, William Marshall wrote:
> I don't want to call this a security problem. Since it isn't a code 
> exploit, but, many people might have this problem.
> 
> The other day a user was removed from our SLES  samba-3.0.28-0.6 domain 
> due to inactivity, but he still needed his account, so I recreated it. I 
> didn't try to restore the LDAP data, so he got a new SID, etc. 
> 
> I was amazed to find that once his userid was created, he was already 
> (still) in the groups that he had been in before.
> 
> It would be possible for you to delete a userid who is in Domain Admins, 
> and then have someone else request that userid days or weeks later. That 
> userid would probably be a member of the Domain Admins upon creation.

There is a good reason many security guides recommend never to reuse
userids or user/group uids :-)

> After digging into what happened, as a Linux admin, this makes sense to 
> me, but as a Windows admin, this "blows me away". I had assumed that SIDs 
> were used in most places, but with a LDAP backend, group membership is 
> stored by name, not by SID.

Unfortunately that's what rfc2307 provides, and even using rfc2307bis
wouldn't help as with the same userID you would come up with the same
DN.

> In the smb.conf we are not using the smbldap-tools tools anymore and we 
> have set:
>  ldapsam:editposix = yes
>  passdb backend = ldapsam:"ldap://127.0.0.1"
> 
> A solution to this problem might be for Samba to remove a user from all 
> the groups before the account it deleted. (I will probably code this into 
> our account cleanup scripts)

See below.

> This also means renaming an ID would be more involved than I (given a 
> windows background) had assumed. We don't do it, but I had assumed that an 
> account  rename from usermanager would work.

Yes, true, see: #6353 which is related, we need to enhance editposix to
handle group removals.

I will take this bug next w/e if nobody steps up before.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>



More information about the samba mailing list