[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain

Harry Jede walk2sun at arcor.de
Mon May 18 21:28:48 GMT 2009


On Monday, 18 May 2009 22:12, William Marshall wrote:
> I don't want to call this a security problem, since it isn't a code
> exploit, but many people might have this problem.
>
> The other day a user was removed from our SLES samba-3.0.28-0.6
> domain due to inactivity, but he still needed his account, so I
> recreated it. I didn't try to restore the LDAP data, so he got a new
> SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain
> Admins, and then have someone else request that userid days or weeks
> later. That userid would probably be a member of the Domain Admins
> upon creation.
>
> After digging into what happened, as a Linux admin, this makes sense
> to me, but as a Windows admin, this "blows me away". I had assumed
> that SIDs were used in most places, but with a LDAP backend, group
> membership is stored by name, not by SID.
And in openldap there is another group model. If you use this, instead
of posix and sids, then there may be an (easy) solution.

- use DN based group entries
- use the nss_schema switch in libnss-ldap.conf
- use the refint overlay in slapd.conf, see "man slapo-refint"

If you now rename or delete an account, the account-DN is modified or 
deleted in all groups.


> In the smb.conf we are not using the smbldap-tools tools anymore and
> we have set:
>  ldapsam:editposix = yes
>  passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from
> all the groups before the account is deleted. (I will probably code
> this into our account cleanup scripts)
>
> This also means renaming an ID would be more involved than I (given a
> windows background) had assumed. We don't do it, but I had assumed
> that an account rename from usermanager would work.
>
> thanks,
> Bill Marshall

-- 

Regards
	Harry Jede
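As an added example (not code from either message in this thread, and not part of Samba or the smbldap-tools), the script below shows the two defensive checks the thread circles around for a name-based (RFC2307 posixGroup / memberUid) directory: auditing a slapcat-style LDIF dump for memberUid values that no longer match any posixAccount, which are exactly the stale memberships a recreated userid would silently inherit, and generating the ldapmodify input that strips a user from every group before the account itself is deleted. The LDIF sample, the example.com base DN and the group names are constructed for the example; the parser is deliberately minimal and does not handle base64 (`::`) values.

```python
"""Audit memberUid-based group membership for a deleted/recreated-user problem.

Added example, not from the mailing-list thread. Assumes the RFC2307
posixAccount/posixGroup schema (uid / memberUid) that ldapsam uses.
"""
from collections import defaultdict

# Constructed sample of what `slapcat` might emit: "carol" has been deleted
# from ou=People but her name still sits in two groups, Domain Admins included.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: alice
memberUid: carol

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
memberUid: alice
memberUid: bob
memberUid: carol
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr: [values]}).
    Unfolds continuation lines (leading space); ignores comments and
    does not decode base64 ('::') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, dn, attrs = [], None, None
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def stale_memberships(entries):
    """Return {group_dn: [uid, ...]} for memberUid values that name no
    existing posixAccount. These are the memberships a recreated account
    with the same name would inherit."""
    existing = set()
    for _, attrs in entries:
        if "posixAccount" in attrs.get("objectClass", []):
            existing.update(attrs.get("uid", []))
    stale = {}
    for dn, attrs in entries:
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        missing = [u for u in attrs.get("memberUid", []) if u not in existing]
        if missing:
            stale[dn] = missing
    return stale


def removal_ldif(to_remove):
    """Build 'changetype: modify' LDIF (ldapmodify input) deleting the given
    memberUid values from each group; empty string if nothing to do."""
    chunks = []
    for dn, uids in sorted(to_remove.items()):
        lines = [f"dn: {dn}", "changetype: modify"]
        for uid in uids:
            lines += ["delete: memberUid", f"memberUid: {uid}", "-"]
        chunks.append("\n".join(lines))
    return ("\n\n".join(chunks) + "\n") if chunks else ""


def pre_delete_ldif(entries, uid):
    """The cleanup step suggested in the thread: before deleting an account,
    remove its uid from every posixGroup that lists it."""
    groups = {dn: [uid] for dn, attrs in entries
              if "posixGroup" in attrs.get("objectClass", [])
              and uid in attrs.get("memberUid", [])}
    return removal_ldif(groups)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("# stale memberships to remove:")
    print(removal_ldif(stale_memberships(ents)))
    print("# run this before `ldapdelete uid=bob,...`:")
    print(pre_delete_ldif(ents, "bob"))
```

In practice the input would come from `slapcat` (or an `ldapsearch` over ou=People and ou=Groups) and the generated modifications would be fed to `ldapmodify`; running the audit on a schedule gives a detection for dangling name-based memberships even where the cleanup step is forgotten. The DN-based group model with the refint overlay that Harry describes removes the need for both, since the server itself drops the member DN when the account entry is deleted or renamed.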

