[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain
simo
idra at samba.org
Mon May 18 20:20:28 GMT 2009
On Mon, 2009-05-18 at 15:12 -0500, William Marshall wrote:
> I don't want to call this a security problem, since it isn't a code
> exploit, but many people might have this problem.
>
> The other day a user was removed from our SLES samba-3.0.28-0.6 domain
> due to inactivity, but he still needed his account, so I recreated it. I
> didn't try to restore the LDAP data, so he got a new SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain Admins,
> and then have someone else request that userid days or weeks later. That
> userid would probably be a member of the Domain Admins upon creation.
There is a good reason many security guides recommend never to reuse
userids or user/group uids :-)
> After digging into what happened, as a Linux admin, this makes sense to
> me, but as a Windows admin, this "blows me away". I had assumed that SIDs
> were used in most places, but with a LDAP backend, group membership is
> stored by name, not by SID.
Unfortunately that's what rfc2307 provides, and even using rfc2307bis
wouldn't help as with the same userID you would come up with the same
DN.
> In the smb.conf we are not using the smbldap-tools tools anymore and we
> have set:
> ldapsam:editposix = yes
> passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from all
> the groups before the account is deleted. (I will probably code this into
> our account cleanup scripts)
See below.
> This also means renaming an ID would be more involved than I (given a
> windows background) had assumed. We don't do it, but I had assumed that an
> account rename from usermanager would work.
Yes, true, see: #6353 which is related, we need to enhance editposix to
handle group removals.
I will take this bug next w/e if nobody steps up before.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
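As an added illustration of the point made in this thread (this is example code, not Samba code and not the poster's cleanup script): rfc2307 posixGroup entries record members by login name in memberUid, and an rfc2307bis-style group records them by a DN that is itself built from the uid, so a re-created account with the same name satisfies the stale references either way. The script below parses a constructed LDIF dump of groups (base DN, group names, the "jdoe" account and its DN under ou=People are all assumptions) and emits the ldapmodify records that strip the user from every group, the step a cleanup script should run before the posixAccount/sambaSamAccount entry is deleted.

```python
"""Added example, not code from the Samba project or from the original post.

Builds LDIF 'changetype: modify' records removing a login name from every
group that still references it, covering both the rfc2307 memberUid form
and the rfc2307bis member-DN form.  All directory data below is constructed
sample data.
"""

# Constructed sample: what `ldapsearch -LLL -b ou=Groups,dc=example,dc=com`
# might return.  Note that the groups carry a SID, but the membership
# attributes reference the user by name or by a name-derived DN.
SAMPLE_GROUPS_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
memberUid: alice
memberUid: jdoe

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
memberUid: alice
memberUid: bob
memberUid: jdoe

dn: cn=ftpusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ftpusers
gidNumber: 1005
memberUid: bob

dn: cn=backup-operators,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: backup-operators
member: uid=jdoe,ou=People,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader returning a list of (dn, {attr: [values]}).

    Handles only the plain 'attr: value' lines of an ldapsearch -LLL dump;
    base64 ('attr:: ...') values and folded continuation lines are not
    supported, which is enough for the sample data used here.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries


def groups_containing(entries, username, user_dn):
    """DNs of every group still referencing the user, by memberUid (rfc2307)
    or by member DN (rfc2307bis).  Both keys are derived from the login
    name, which is why a recreated account inherits the memberships."""
    return [dn for dn, attrs in entries
            if username in attrs.get("memberUid", [])
            or user_dn in attrs.get("member", [])]


def removal_ldif(entries, username, user_dn):
    """LDIF modify records that delete the user's membership values.

    Feed the output to `ldapmodify` (and check its exit status) before the
    account entry itself is deleted, so the name cannot carry Domain Admins
    or any other group over to whoever gets it next.
    """
    records = []
    for dn, attrs in entries:
        mods = []
        if username in attrs.get("memberUid", []):
            mods.append(f"delete: memberUid\nmemberUid: {username}\n-")
        if user_dn in attrs.get("member", []):
            mods.append(f"delete: member\nmember: {user_dn}\n-")
        if mods:
            records.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(mods) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    # Assumed DN layout for the user being removed.
    user_dn = "uid=jdoe,ou=People,dc=example,dc=com"
    entries = parse_ldif(SAMPLE_GROUPS_LDIF)
    print(removal_ldif(entries, "jdoe", user_dn))
```

Run it and pipe the output into `ldapmodify -x -D <admin DN> -W` against the real directory, then delete the account entry only if ldapmodify succeeded; doing it in the other order leaves exactly the window described in the thread. The same check (`groups_containing` returning a non-empty list) is also a cheap audit to run before handing a previously used name to a new person.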