[Samba] Samba 4 security

Matthieu Patou mat at samba.org
Fri Dec 2 04:08:51 MST 2011


On 01/12/2011 12:35, steve wrote:
> On 01/12/11 00:37, Matthieu Patou wrote:
>> Hello Steve,
>> On 30/11/2011 19:52, steve wrote:
>>> On 30/11/11 19:20, Matthieu Patou wrote:
>>>> Hello,
>>>>
>>>>
>>>>> Each subfolder of /home is username:users. A file which is 0755
>>>>> steve:users can be deleted by anyone. Samba 4 does not prompt for a
>>>>> username and password when entering any share. This is just a plain
>>>>> install of:
>>>> Where is the /home? On the Samba 4 AD server? Mounted on the
>>>> client?
>>>>
>>>> How did you create the subfolders?
>>>>
>>>>
>>>> Can you give a detailed list of actions to reproduce your problem?
>>>>
>>>>
>>>> Matthieu.
>>>>
>>>
>>> I've tried both. In this example hh3 is the Samba server 192.168.1.3
>>>
>>> smb.conf has:
>>>
>>> [home]
>>> path = /home
>>> read only = no
>>>
>>> /home has 2 users' home folders, /home/steve and /home/lynn, both owned
>>> by their respective steve:users and lynn:users. Both users were
>>> created before Samba 4 was installed. Linux does not allow file
>>> creation nor deletion between the 2 folders.
>>>
>> Well, this already points me to something wrong in what you have done.
>>
>> Just because you have users steve and lynn on the Linux/Unix side, your
>> users created in the Active Directory will not be the same at all.
>>
>> Then I suspect konq implicitly uses your linux user as the default smb
>> user, and if the password matches then you won't be prompted for a
>> password.
>>
>> In order to be sure you'd better do the test with smbclient.
>>
>> For me smbclient didn't give me access when I didn't put a password:
>>
>>
>> smbclient -L //zeus
>> Enter mat's password:
>> Anonymous login successful
>> Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]
>>
>>         Sharename       Type       Comment
>>         ---------       ----       -------
>>         home            Disk
>>         netlogon        Disk
>>         sysvol          Disk
>>         IPC$            IPC        IPC Service
>> zeus is an IPv6 address -- no workgroup available
>>
>> smbclient //zeus/home
>> Enter mat's password:
>>
>>
>>> so, on hh3:
>>> login as steve
>>>
>>> on konq do
>>>
>>> smb://hh3
>>>
>>> click on the home folder
>>>
>>> enter the lynn folder
>>>
>>> create a file (it shouldn't allow you)
>>> delete a different file (it shouldn't allow you)
>>>
>>> Now go over to another client, 192.168.1.4
>>> Log in as someone different but not root.
>>>
>>> repeat above.
>>>
>>> The user on another physical box can also delete and create files in
>>> either the lynn or steve home folders.
>>>
>> I suggest making a trace with tcpdump in order to know which user konq
>> is using to authenticate you against the Samba 4 server.
>>
>> Apart from this, you have to know that the current file server for the
>> Samba AD (called samba4 so far) uses full NT ACLs that are usually stored
>> in security.NTACL, in the extended attributes; when this information is
>> not present it uses the posix ACLs and posix rights and tries to
>> translate them to their NT ACL equivalent.
>>
>> It seems that here you have found a bug in the way the translation is 
>> done.
>>
>>
>> Matthieu.
>>
> Hi
>
> Using my setup:
>
> smbclient -L //hh3 does not work. It sits there forever. Server:
> hh3.site, domain HH1. Linux users lynn and steve who are also Samba 4
> users. The Linux /home folders are /home/lynn and /home/steve
>
> This does:
> steve at hh3:~> smbclient -L hh3
> Password for [HH1\steve]:
>
>         Sharename       Type       Comment
>         ---------       ----       -------
>         netlogon        Disk
>         sysvol          Disk
>         test            Disk
>         homes           Disk
>         IPC$            IPC        IPC Service
> REWRITE: list servers not implemented
>
> then, confirming what happens in a GUI:
>
So you are prompted for a password, right?

> steve at hh3:~> smbclient //hh3/homes
> Password for [HH1\steve]:
> smb: \> ls
>   .                                   D        0  Wed Nov 30 20:37:48 2011
>   ..                                  D        0  Thu Dec  1 12:03:46 2011
>   lynn                                D        0  Wed Nov 30 20:50:53 2011
>   steve                               D        0  Thu Dec  1 12:17:20 2011
>
>                 29284192 blocks of size 512. 9509912 blocks available
> smb: \> cd lynn
> smb: \lynn\> ls
>   .                                   D        0  Wed Nov 30 20:50:53 2011
>   ..                                  D        0  Wed Nov 30 20:37:48 2011
>   d                                   D        0  Wed Nov 30 20:50:53 2011
>
>                 29284192 blocks of size 512. 9509912 blocks available
> smb: \lynn\> rmdir d
> smb: \lynn\> ls
>   .                                   D        0  Thu Dec  1 12:21:17 2011
>   ..                                  D        0  Wed Nov 30 20:37:48 2011
>
>                 29284192 blocks of size 512. 9509920 blocks available
>
> smb: \lynn\> mkdir hello
> smb: \lynn\> ls
>   .                                   D        0  Thu Dec  1 12:25:22 2011
>   ..                                  D        0  Wed Nov 30 20:37:48 2011
>   hello                               D        0  Thu Dec  1 12:25:22 2011
>
>                 29284192 blocks of size 512. 9509888 blocks available
>
> It's the same using smbclient or konq.
Can you refresh? A change has been made to correct a bug.

Beware that on the machine where your Samba 4 DC is running, files/folders
need to have the gid/uid of your AD users, not your linux users.

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
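As an added example, not from this thread or from Samba itself, the following Python script audits an exported directory tree for the two conditions Matthieu points to: entries whose uid/gid are not AD-allocated ids, and entries with no security.NTACL xattr, for which Samba falls back to translating POSIX permissions. The AD id range, the sample tree and the stand-in getxattr are constructed assumptions for running it offline; on a real DC, call audit_tree() on the share path with the default getxattr.

```python
"""Audit a Samba-exported tree: who owns each entry and does it carry an
NT ACL in the security.NTACL extended attribute?"""
import errno
import os
import stat
import tempfile

# Assumption: the Samba 4 AD DC allocates xidNumbers for AD users from
# idmap.ldb in this range; adjust to your own idmap configuration.
AD_ID_RANGE = (3000000, 4000000)


def has_ntacl(path, getxattr=None):
    """True if path carries security.NTACL, False if the xattr is absent.
    Any other error (e.g. EPERM when not root) is re-raised, not hidden."""
    getxattr = getxattr or os.getxattr          # os.getxattr is Linux-only
    try:
        getxattr(path, "security.NTACL", follow_symlinks=False)
        return True
    except OSError as e:
        if e.errno in (errno.ENODATA, getattr(errno, "ENOATTR", errno.ENODATA)):
            return False
        raise


def audit_tree(root, id_range=AD_ID_RANGE, getxattr=None):
    """Return [(relative_path, [problem, ...])] for every directory or file
    owned outside the AD id range or lacking a stored NT ACL."""
    lo, hi = id_range
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            problems = []
            if not lo <= st.st_uid < hi:
                problems.append("uid %d is not an AD-allocated id" % st.st_uid)
            if not lo <= st.st_gid < hi:
                problems.append("gid %d is not an AD-allocated id" % st.st_gid)
            if not has_ntacl(p, getxattr):
                problems.append("no security.NTACL; POSIX mode %o is translated"
                                % stat.S_IMODE(st.st_mode))
            if problems:
                findings.append((os.path.relpath(p, root), problems))
    return findings


def make_sample_tree():
    """Constructed sample: a /home-like tree owned by the local (non-AD)
    user, i.e. the situation described in the thread."""
    root = tempfile.mkdtemp(prefix="smbaudit-")
    for user in ("steve", "lynn"):
        os.mkdir(os.path.join(root, user), 0o755)
    open(os.path.join(root, "lynn", "d"), "w").close()
    return root


def fake_getxattr(path, name, follow_symlinks=False):
    """Constructed stand-in for os.getxattr: only lynn/d 'has' an NT ACL."""
    if path.endswith(os.path.join("lynn", "d")):
        return b"PLACEHOLDER-NTACL-BLOB"      # not a real NDR-encoded ACL
    raise OSError(errno.ENODATA, "No data available")


if __name__ == "__main__":
    for rel, problems in audit_tree(make_sample_tree(), getxattr=fake_getxattr):
        print(rel, "->", "; ".join(problems))
```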


