[Samba] Domain admin privileges: a strange bug in Samba?

Miguel Medalha miguelmedalha at sapo.pt
Tue Aug 24 04:35:19 MDT 2010


I was in the process of setting up a new Samba 3.5.4 PDC with LDAP 
backend, over CentOS 5.5, when I came across a very strange behavior.

After executing the smbldap-populate script, I was trying to grant the 
needed privileges to the group "Domain Admins" in order not to use "root" 
to manage the Windows domain. After successfully granting rights to the 
"Admin" user, there was no way to make this user benefit from them. Even 
the command "net rpc rights list", if executed by -U Admin, always 
failed with the following result:

net rpc rights list Admin -U Admin

Enter Admin's password:
(I enter "Admin's password here")
Receiving SMB: Server stopped responding
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_END_OF_FILE

This was followed by a smb core dump.

The log then presents the following:

[2010/08/24 11:27:00.143535,  0] lib/fault.c:46(fault_report)
   ===============================================================
[2010/08/24 11:27:00.143824,  0] lib/fault.c:47(fault_report)
   INTERNAL ERROR: Signal 11 in pid 19667 (3.5.4)
   Please read the Trouble-Shooting section of the Samba3-HOWTO
[2010/08/24 11:27:00.143927,  0] lib/fault.c:49(fault_report)

   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2010/08/24 11:27:00.144021,  0] lib/fault.c:50(fault_report)
   ===============================================================
[2010/08/24 11:27:00.144100,  0] lib/util.c:1465(smb_panic)
   PANIC (pid 19667): internal error
[2010/08/24 11:27:00.151658,  0] lib/util.c:1569(log_stack_trace)
   BACKTRACE: 26 stack frames:
    #0 smbd(log_stack_trace+0x1a) [0x2ae9fd7622c5]
    #1 smbd(smb_panic+0x55) [0x2ae9fd7623c9]
    #2 smbd [0x2ae9fd753101]
    #3 /lib64/libc.so.6 [0x2aea005cf2d0]
    #4 smbd(sid_compare+0x22) [0x2ae9fd75db54]
    #5 smbd(add_sid_to_array_unique+0x39) [0x2ae9fd75e189]
    #6 smbd(create_token_from_username+0xd37) [0x2ae9fd7b1eeb]
    #7 smbd(create_local_token+0x4e) [0x2ae9fd7b231e]
    #8 smbd [0x2ae9fd7b550d]
    #9 smbd [0x2ae9fd5b8097]
    #10 smbd(ntlmssp_update+0x270) [0x2ae9fd5b7c86]
    #11 smbd(auth_ntlmssp_update+0x17) [0x2ae9fd7b5215]
    #12 smbd [0x2ae9fd52be5e]
    #13 smbd(reply_sesssetup_and_X+0x191) [0x2ae9fd52c18f]
    #14 smbd [0x2ae9fd560eb1]
    #15 smbd [0x2ae9fd563b4e]
    #16 smbd [0x2ae9fd564341]
    #17 smbd(run_events+0x1d6) [0x2ae9fd7711f8]
    #18 smbd(smbd_process+0x97c) [0x2ae9fd56337d]
    #19 smbd [0x2ae9fda6f4ca]
    #20 smbd(run_events+0x1d6) [0x2ae9fd7711f8]
    #21 smbd [0x2ae9fd771467]
    #22 smbd(_tevent_loop_once+0x84) [0x2ae9fd7717e9]
    #23 smbd(main+0xf83) [0x2ae9fda6f1ff]
    #24 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2aea005bc994]
    #25 smbd [0x2ae9fd4ea5a9]
[2010/08/24 11:27:00.159996,  0] lib/fault.c:326(dump_core)
   dumping core in /var/log/samba/cores/smbd


Only "root" could obtain a successful answer, even if I gave "Admin" the 
same password that "root" has.

After many efforts I was stuck. I even downgraded to Samba 3.4.8 with 
the same result.

I then raised the log level to 2.

Suddenly, the results came:

SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

I consulted the Samba logs and noticed the following:

[2010/08/24 11:00:23.397276,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [Admin] -> [root] -> 
[root] succeeded
[2010/08/24 11:00:23.397973,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: root

So, user Admin was being mapped to root, and this only worked if Admin 
had the same password as "root", as expected.

Since "username map = /etc/samba/smbusers" is the Samba default, I 
commented all the lines in /etc/samba/smbusers.

Now, the correct behavior was restored.

What is most strange here is that *the success of the connection depends 
on the log level being 2 or higher*. Everything less causes the 
connection to fail with the result:

Receiving SMB: Server stopped responding
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_END_OF_FILE


With all the lines commented out in /etc/samba/smbusers, privileges work 
as expected.

Thank you.
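
An added example (not part of the original post, and not Samba code): a small Python audit of a username map file in the "unix_name = client names" format described in smb.conf(5), listing every client name that is mapped to root, the situation the log lines above show for Admin. The sample file contents, the PRIVILEGED set and the case-insensitive comparison are assumptions made for the illustration.

```python
import shlex

# Constructed sample in the smb.conf(5) "username map" format; not the poster's file.
SAMPLE_MAP = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
; disabled = example
!backup = "Backup Operator" @operators
"""

PRIVILEGED = {"root"}  # assumption: Unix accounts treated as privileged


def parse_username_map(text):
    """Yield (lineno, unix_name, client_names, stop_on_match) per mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' stops processing after a match
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, clients = line.partition("=")
        if not sep:
            continue                         # no '=': not a mapping line
        # shlex keeps double-quoted client names containing spaces together
        yield lineno, unix_name.strip(), shlex.split(clients), stop


def privileged_mappings(text, privileged=PRIVILEGED):
    """Return [(lineno, unix_name, client_name)] for names mapped to privileged accounts."""
    return [(n, unix, c)
            for n, unix, clients, _ in parse_username_map(text)
            if unix in privileged
            for c in clients]


def maps_to_privileged(text, client_name, privileged=PRIVILEGED):
    """True if client_name (compared case-insensitively, an assumption) or '*' maps to a privileged account."""
    wanted = client_name.lower()
    return any(c == "*" or c.lower() == wanted
               for _, _, c in privileged_mappings(text, privileged))


if __name__ == "__main__":
    for lineno, unix, client in privileged_mappings(SAMPLE_MAP):
        print(f"line {lineno}: client name {client!r} is mapped to {unix!r}")
```

Running it against the real map file (read with open(...).read()) before granting rights shows whether an administrative account name will be authenticated as root instead of as itself.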


