[Samba] Samba 4 security

steve steve at steve-ss.com
Thu Dec 1 04:35:28 MST 2011


On 01/12/11 00:37, Matthieu Patou wrote:
> Hello Steve,
> On 30/11/2011 19:52, steve wrote:
>> On 30/11/11 19:20, Matthieu Patou wrote:
>>> Hello,
>>>
>>>
>>>> Each subfolder of /home is username:users. A file which is 0755
>>>> steve:users can be deleted by anyone. Samba 4 does not prompt for a
>>>> username and password when entering any share. This is just a plain
>>>> install of:
>>> Where is the /home ? on the Samba 4 AD server ? mounted on the client ?
>>>
>>> How did you created the subfolders ?
>>>
>>>
>>> Can you give a detailed list of action to reproduce your problem ?
>>>
>>>
>>> Matthieu.
>>>
>>
>> I've tried both. In this example hh3 is the Samba server 192.168.1.3
>>
>> smb.conf has:
>>
>> [home]
>> path = /home
>> read only = no
>>
>> /home has 2 users /home folders. /home/steve and /home/lynn both owned
>> by their respective steve:users and lynn:users. Both users were
>> created before Samba 4 was installed. Linux does not allow file
>> creation nor deleting between the 2 folders.
>>
> Well this points me already something wrong in what you have done.
>
> Because it's not because you have users steve and lynn on the
> Linux/Unix side, your users created in the active directory will not be
> the same at all.
>
> Then I suspect konq to implicitly use your linux user as the default smb
> user and if the password match then you won't be prompted for a password.
>
> In order to be sure you'd better do the test with smbclient.
>
> For me smbclient didn't give me access if I don't put a password:
>
>
> smbclient -L //zeus
> Enter mat's password:
> Anonymous login successful
> Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]
>
> Sharename Type Comment
> --------- ---- -------
> home Disk
> netlogon Disk
> sysvol Disk
> IPC$ IPC IPC Service
> zeus is an IPv6 address -- no workgroup available
>
> smbclient //zeus/home
> Enter mat's password:
>
>
>> so, on hh3:
>> login as steve
>>
>> on konq do
>>
>> smb://hh3
>>
>> click on the home folder
>>
>> enter the lynn folder
>>
>> create a file (it shouldn't allow you)
>> delete a different file (it shouldn't allow you)
>>
>> Now go over to anothersion client, 192.168.1.4
>> Login as someone different but not root.
>>
>> repeat above.
>>
>> The user on another physical box can also delete and create files in
>> either the lynn or steve home folders.
>>
> I suggest making a trace with tcpdump in order to know which user konq
> is using to authenticate you against the samba 4 server.
>
> Apart from this you have to know the current file server for the Samba
> AD (called samba4 so far) uses full NT acls that are usually stored in
> security.NTACL,
> in the extended attributes, when this information is not present it uses
> the posix acls and posix rights and tries to translate them to their
> NT acls equivalent.
>
> It seems that here you have found a bug in the way the translation is done.
>
>
> Matthieu.
>
Hi

Using my setup:

smbclient -L //hh3 does not work. It sits there forever. Server: 
hh3.site, domain HH1. Linux users lynn and steve who are also Samba 4 
users. The Linux /home folders are /home/lynn and /home/steve

This does:
steve@hh3:~> smbclient -L hh3
Password for [HH1\steve]:

         Sharename       Type       Comment
         ---------       ----       -------
         netlogon        Disk
         sysvol          Disk
         test            Disk
         homes           Disk
         IPC$            IPC        IPC Service
REWRITE: list servers not implemented

then, confirming what happens in a GUI:

steve@hh3:~> smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
   .                                   D        0  Wed Nov 30 20:37:48 2011
   ..                                  D        0  Thu Dec  1 12:03:46 2011
   lynn                                D        0  Wed Nov 30 20:50:53 2011
   steve                               D        0  Thu Dec  1 12:17:20 2011

                 29284192 blocks of size 512. 9509912 blocks available
smb: \> cd lynn
smb: \lynn\> ls
   .                                   D        0  Wed Nov 30 20:50:53 2011
   ..                                  D        0  Wed Nov 30 20:37:48 2011
   d                                   D        0  Wed Nov 30 20:50:53 2011

                 29284192 blocks of size 512. 9509912 blocks available
smb: \lynn\> rmdir d
smb: \lynn\> ls
   .                                   D        0  Thu Dec  1 12:21:17 2011
   ..                                  D        0  Wed Nov 30 20:37:48 2011

                 29284192 blocks of size 512. 9509920 blocks available

smb: \lynn\> mkdir hello
smb: \lynn\> ls
   .                                   D        0  Thu Dec  1 12:25:22 2011
   ..                                  D        0  Wed Nov 30 20:37:48 2011
   hello                               D        0  Thu Dec  1 12:25:22 2011

                 29284192 blocks of size 512. 9509888 blocks available

It's the same using smbclient or konq.
Thanks.

Steve
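An added audit script, not from this thread and not Samba's own tooling, that checks what Matthieu describes: for each directory under a home share it reports the POSIX owner and mode and whether an explicit security.NTACL extended attribute is present, so an admin can see which homes Samba 4 will serve from a stored NT ACL and which it will serve by translating POSIX bits. It assumes Linux with xattr support and uses a constructed temporary layout (steve and lynn at 0755, plus a 0777 "shared" directory) instead of a real /home.

```python
import errno
import os
import stat
import tempfile

# Samba 4 keeps the full NT ACL in this xattr; without it, POSIX bits are translated.
NTACL_XATTR = "security.NTACL"


def has_ntacl(path):
    """True if an explicit NT ACL is stored on path, False if Samba would fall back
    to translating the POSIX owner/mode (or the platform has no xattr support)."""
    getx = getattr(os, "getxattr", None)  # Linux only
    if getx is None:
        return False
    try:
        getx(path, NTACL_XATTR)
        return True
    except OSError as exc:  # ENODATA: attr absent; ENOTSUP: fs without xattrs
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return False
        raise


def audit_home(root):
    """Return (path, uid, mode, ntacl_present) for each directory directly under root."""
    rows = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)
        if stat.S_ISDIR(st.st_mode):
            rows.append((path, st.st_uid, stat.S_IMODE(st.st_mode), has_ntacl(path)))
    return rows


def findings(rows):
    """Flag homes writable beyond their owner, and homes that rely on POSIX translation."""
    out = []
    for path, _uid, mode, ntacl in rows:
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            out.append("%s: mode %04o writable by group/others" % (path, mode))
        if not ntacl:
            out.append("%s: no %s, Samba will translate mode %04o" % (path, NTACL_XATTR, mode))
    return out


def build_sample_home():
    """Constructed layout mirroring the thread: steve and lynn at 0755, plus a 0777 'shared'."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    for name, mode in (("steve", 0o755), ("lynn", 0o755), ("shared", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # chmod bypasses the umask
    return root
```

Run `findings(audit_home("/home"))` on the server to get the same report for the real share path; a 0755 home that is still writable through Samba, as in this thread, will show up as "no security.NTACL", pointing at the POSIX-to-NT translation rather than at the POSIX bits themselves.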
