[Samba] Samba 4 security

steve steve at steve-ss.com
Fri Dec 2 04:31:05 MST 2011


On 02/12/11 12:08, Matthieu Patou wrote:
> On 01/12/2011 12:35, steve wrote:
>> On 01/12/11 00:37, Matthieu Patou wrote:
>>> Hello Steve,
>>> On 30/11/2011 19:52, steve wrote:
>>>> On 30/11/11 19:20, Matthieu Patou wrote:
>>>>> Hello,
>>>>>
>>>>>
>>>>>> Each subfolder of /home is username:users. A file which is 0755
>>>>>> steve:users can be deleted by anyone. Samba 4 does not prompt for a
>>>>>> username and password when entering any share. This is just a plain
>>>>>> install of:
>>>>> Where is the /home ? on the Samba 4 AD server ? mounted on the
>>>>> client ?
>>>>>
>>>>> How did you create the subfolders?
>>>>>
>>>>>
>>>>> Can you give a detailed list of actions to reproduce your problem?
>>>>>
>>>>>
>>>>> Matthieu.
>>>>>
>>>>
>>>> I've tried both. In this example hh3 is the Samba server 192.168.1.3
>>>>
>>>> smb.conf has:
>>>>
>>>> [home]
>>>> path = /home
>>>> read only = no
>>>>
>>>> /home has 2 users' home folders, /home/steve and /home/lynn, owned
>>>> by their respective steve:users and lynn:users. Both users were
>>>> created before Samba 4 was installed. Linux does not allow file
>>>> creation or deletion between the 2 folders.
>>>>
>>> Well, this already points me to something wrong in what you have done.
>>>
>>> Just because you have users steve and lynn on the Linux/Unix side does
>>> not mean your users created in the Active Directory will be the same
>>> at all.
>>>
>>> Then I suspect konq implicitly uses your Linux user as the default smb
>>> user, and if the password matches then you won't be prompted for a
>>> password.
>>>
>>> In order to be sure you'd better do the test with smbclient.
>>>
>>> For me smbclient didn't give me access if I didn't put a password:
>>>
>>>
>>> smbclient -L //zeus
>>> Enter mat's password:
>>> Anonymous login successful
>>> Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]
>>>
>>>         Sharename       Type      Comment
>>>         ---------       ----      -------
>>>         home            Disk
>>>         netlogon        Disk
>>>         sysvol          Disk
>>>         IPC$            IPC       IPC Service
>>> zeus is an IPv6 address -- no workgroup available
>>>
>>> smbclient //zeus/home
>>> Enter mat's password:
>>>
>>>
>>>> so, on hh3:
>>>> login as steve
>>>>
>>>> on konq do
>>>>
>>>> smb://hh3
>>>>
>>>> click on the home folder
>>>>
>>>> enter the lynn folder
>>>>
>>>> create a file (it shouldn't allow you)
>>>> delete a different file (it shouldn't allow you)
>>>>
>>>> Now go over to another client, 192.168.1.4
>>>> Log in as someone different but not root.
>>>>
>>>> repeat above.
>>>>
>>>> The user on another physical box can also delete and create files in
>>>> either the lynn or steve home folders.
>>>>
>>> I suggest making a trace with tcpdump in order to know which user konq
>>> is using to authenticate you against the Samba 4 server.
>>>
>>> Apart from this, you have to know that the current file server for the
>>> Samba AD (called samba4 so far) uses full NT ACLs, which are usually
>>> stored in security.NTACL in the extended attributes; when this
>>> information is not present it uses the POSIX ACLs and POSIX rights and
>>> tries to translate them to their NT ACL equivalent.
>>>
>>> It seems that here you have found a bug in the way the translation is
>>> done.
>>>
>>>
>>> Matthieu.
>>>
>> Hi
>>
>> Using my setup:
>>
>> smbclient -L //hh3 does not work. It sits there forever. Server:
>> hh3.site, domain HH1. Linux users lynn and steve, who are also Samba 4
>> users. The Linux /home folders are /home/lynn and /home/steve.
>>
>> This does:
>> steve at hh3:~> smbclient -L hh3
>> Password for [HH1\steve]:
>>
>>         Sharename       Type      Comment
>>         ---------       ----      -------
>>         netlogon        Disk
>>         sysvol          Disk
>>         test            Disk
>>         homes           Disk
>>         IPC$            IPC       IPC Service
>> REWRITE: list servers not implemented
>>
>> then, confirming what happens in a GUI:
>>
> So you are prompted for a password, right?
>
>> steve at hh3:~> smbclient //hh3/homes
>> Password for [HH1\steve]:
>> smb: \> ls
>>   .                                   D        0  Wed Nov 30 20:37:48 2011
>>   ..                                  D        0  Thu Dec  1 12:03:46 2011
>>   lynn                                D        0  Wed Nov 30 20:50:53 2011
>>   steve                               D        0  Thu Dec  1 12:17:20 2011
>>
>>                 29284192 blocks of size 512. 9509912 blocks available
>> smb: \> cd lynn
>> smb: \lynn\> ls
>>   .                                   D        0  Wed Nov 30 20:50:53 2011
>>   ..                                  D        0  Wed Nov 30 20:37:48 2011
>>   d                                   D        0  Wed Nov 30 20:50:53 2011
>>
>>                 29284192 blocks of size 512. 9509912 blocks available
>> smb: \lynn\> rmdir d
>> smb: \lynn\> ls
>>   .                                   D        0  Thu Dec  1 12:21:17 2011
>>   ..                                  D        0  Wed Nov 30 20:37:48 2011
>>
>>                 29284192 blocks of size 512. 9509920 blocks available
>>
>> smb: \lynn\> mkdir hello
>> smb: \lynn\> ls
>>   .                                   D        0  Thu Dec  1 12:25:22 2011
>>   ..                                  D        0  Wed Nov 30 20:37:48 2011
>>   hello                               D        0  Thu Dec  1 12:25:22 2011
>>
>>                 29284192 blocks of size 512. 9509888 blocks available
>>
>> It's the same using smbclient or konq.
> Can you refresh? A change has been made to correct a bug.
>
> Beware that on the machine where the Samba 4 DC is running, files and
> folders need to have the gid/uid of your AD users, not your Linux users.
>
> Matthieu.
>

Did a git pull, ./configure.developer, make and make install about an hour 
ago.
And, well, something has changed. Now neither user can create or delete 
files!

smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
   .                                   D        0  Wed Nov 30 20:37:48 2011
   ..                                  D        0  Fri Dec  2 07:15:17 2011
   lynn                                D        0  Thu Dec  1 13:25:45 2011
   steve                               D        0  Fri Dec  2 11:50:09 2011

                 29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
smb: \lynn\> cd ../steve
smb: \steve\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \steve\h
smb: \steve\>

This has something to do with uid/gid, no? But wait, both steve and lynn 
_are_ AD users who just happen to have Linux accounts.

How do I change the gid/uid of my Linux users to the gid/uid of the AD users? Is 
there a script? But that shouldn't matter, no?

Thinking you may want more info I'll leave it as it is for now. The 
users are the same as they were before the new build. I did not delete 
and recreate them.

Cheers and thanks for your patience.
Steve.
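As an added check (example code written for this thread, not Samba's own tooling and not from either poster), the script below walks a /home-style tree and reports, for every entry, whether a security.NTACL extended attribute is stored, whether its owner uid differs from the owner of the /home/<user> directory it lives in, and whether the POSIX mode alone would let other users create or delete entries. It assumes the mechanism Matthieu describes above (NT ACL read from security.NTACL, otherwise synthesised from POSIX mode and ownership) and is Linux-only because it uses os.listxattr. The function names (classify_entry, ntacl_present, audit_home, make_demo_tree) and the demo tree are constructed for this example. On the setup in the thread it tells you whether the Linux side alone would permit what smbclient was allowed to do; if it would not, the behaviour comes from Samba's synthesised ACL and the uid mapping between Linux and AD users rather than from the POSIX permissions.

```python
"""Audit a Samba-served home tree for entries whose access rights come from
POSIX ownership and mode rather than from a stored NT ACL.

Added example, not code from the Samba project or from the thread. Assumes:
the Samba 4 AD file server reads the NT security descriptor from the
security.NTACL xattr and synthesises one from the POSIX mode when absent.
Linux-only (os.listxattr)."""
import os
import stat
import tempfile

NTACL_XATTR = "security.NTACL"  # xattr name quoted in Matthieu's mail


def classify_entry(mode, owner_uid, home_uid, ntacl_present):
    """Return the findings for one entry below /home/<user>.

    mode          -- st_mode from os.lstat
    owner_uid     -- st_uid of the entry
    home_uid      -- st_uid of the /home/<user> directory it lives in
    ntacl_present -- whether security.NTACL is stored on the entry
    """
    findings = []
    if not ntacl_present:
        findings.append("no security.NTACL: access synthesised from POSIX mode")
    if owner_uid != home_uid:
        findings.append("owner uid %d differs from home directory owner %d"
                        % (owner_uid, home_uid))
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    # Deletion is governed by the containing directory: a group-writable
    # directory without the sticky bit lets any group member remove entries.
    if stat.S_ISDIR(mode) and mode & stat.S_IWGRP and not mode & stat.S_ISVTX:
        findings.append("group-writable directory without sticky bit: "
                        "group members can remove each other's entries")
    return findings


def ntacl_present(path):
    """True if the entry carries a security.NTACL xattr (Linux only)."""
    try:
        return NTACL_XATTR in os.listxattr(path, follow_symlinks=False)
    except (OSError, AttributeError):  # no xattr support or non-Linux
        return False


def audit_home(root):
    """Walk root (e.g. /home); return {relative path: findings}.

    Each top-level subdirectory is treated as one user's home; its owner is
    the expected owner of everything below it. Only entries with findings
    are reported. Keys use '/' as separator."""
    report = {}
    for home in sorted(os.listdir(root)):
        home_path = os.path.join(root, home)
        if not os.path.isdir(home_path):
            continue
        home_uid = os.lstat(home_path).st_uid
        entries = [home_path]
        for dirpath, dirnames, filenames in os.walk(home_path):
            entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
        for path in entries:
            st = os.lstat(path)
            findings = classify_entry(st.st_mode, st.st_uid, home_uid,
                                      ntacl_present(path))
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = findings
    return report


def make_demo_tree():
    """Constructed /home-like tree in a temp dir mirroring the thread's
    layout (lynn/ and steve/, each 0755 with a 0755 subdirectory 'd'),
    plus a deliberately world-writable directory so the audit flags it."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    for user in ("lynn", "steve"):
        d = os.path.join(root, user)
        os.mkdir(d)
        os.chmod(d, 0o755)
        sub = os.path.join(d, "d")
        os.mkdir(sub)
        os.chmod(sub, 0o755)
    shared = os.path.join(root, "lynn", "dropbox")
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for rel, findings in sorted(audit_home(target).items()):
        print(rel, "->", "; ".join(findings))
```

Run it as `python3 audit_home.py /home` on the server (as root, so every entry is readable). With no argument it audits the constructed demo tree instead. An entry with only the "no security.NTACL" finding is not a fault by itself: it simply means Samba is deriving the share-side ACL from what Linux reports, so the owner uid and mode are what determine access over SMB.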

