[Samba] Samba 4 security

Matthieu Patou mat at samba.org
Sat Dec 3 09:32:59 MST 2011

>> Beware that on your machine where the samba 4 DC is running, files/folders
>> need to have the gid/uid of your AD users, not your linux users.

Did you read this ^.
> Did a git pull ./configure.developer make and make install about an 
> hour ago.
> And, well, something has changed. Now neither user can create nor 
> delete files!
> smbclient //hh3/homes
> Password for [HH1\steve]:
> smb: \> ls
>   .                                   D        0  Wed Nov 30 20:37:48 
> 2011
>   ..                                  D        0  Fri Dec  2 07:15:17 
> 2011
>   lynn                                D        0  Thu Dec  1 13:25:45 
> 2011
>   steve                               D        0  Fri Dec  2 11:50:09 
> 2011
>                 29284192 blocks of size 512. 10550432 blocks available
> smb: \> cd lynn
> smb: \lynn\> mkdir h
> NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
> smb: \lynn\> cd ../steve
> smb: \steve\> mkdir h
> NT_STATUS_ACCESS_DENIED making remote directory \steve\h
> smb: \steve\>
> This has something to do with uid/gid no? But wait, both steve and 
> lynn _are_ AD users who just happen to have linux accounts.
No, there is something that you misunderstand: in order to do file 
access control, Samba needs to know on behalf of which uid/gid the 
accesses are done.
With the Samba 3.x series you have different ways of doing this mapping, or 
you can create unix users that have the same name as the user declared in 
Samba (either in the local SAM or in the NT domain SAM), but most of the 
time now it is winbind that is used. In Samba AD there is just the 
winbind solution, as the other solutions did not have a real interest in the 
context of an Active Directory domain.

So what does winbind do? It allocates a UID to users and a GID to groups; in a 
database it stores the association SID<->UID/GID, and the next time it is 
asked to translate the same SID to a UID/GID it will use the value in 
its database.

In your particular case, when you connect to the Samba AD with smbclient 
as AD user steve and try to create a dir, the server checks the 
security.NTACL extended attribute; as it does not exist, it knows that it 
will have to translate posix rights to NT ACLs. At this moment, in order 
to know whether you are the owner of the parent directory or in the group of 
the parent directory, it will ask its internal winbind to translate the user's 
SID and the SIDs of the user's groups to a UID and GIDs, and it will turn out 
that the UID of unix user steve is not at all the UID of AD user steve 
(which is in the 3000000+ range); as the other translated posix rights 
did not give any write right to the AD user, the directory was 
not created.

> How do I change the gid/uid of my linux users to gid/uid AD users? Is 
> there a script? But that shouldn't matter no?
> Thinking you may want more info I'll leave it as it is for now. The 
> users are the same as they were before the new build. I did not delete 
> and recreate them.
Sure, this is the expected behavior; before, there was a bug in the posix 
to NT ACLs translation that granted the write right even if you had just 
the read and execute rights. You can have the details by looking at this 
changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67

I don't really know your case, but I think it's not such a problem; at 
least so far nobody complained. On the DC you don't need to create unix 
accounts for the AD users. As you need to create a directory for each user, 
there are a couple of solutions:

1) change the rights on the directory that is shared as "home" so that 
the group has write right, then change the group to be users (that's 
because we map the domain users group to the users unix group)
2) for each user, connect using smbclient and create the directory of 
this user


For each user, use wbinfo -i <ad_user>, then create a folder for this 
user and use the uid obtained with wbinfo to set the owner of the directory.

For instance on my test server I have:

./bin/wbinfo -i steve

Note: first you have to do a ./bin/wbinfo -u, and beware, the first time 
it is _slow_.


Matthieu Patou
Samba Team
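The provisioning step described above (look the AD user up with wbinfo -i, create the home folder, give it the winbind-allocated uid/gid), written out as an added shell example. This is not code from the mail or from the Samba project. The wbinfo -i lines, the 3000021/3000022 uids, the gid 100 for the users group and the /srv/samba/homes base path are all constructed for the example; on a real DC the lookup_user body would simply call wbinfo -i "$1".

```shell
#!/bin/sh
# Added example, not from the original mail: provision per-user home
# directories on a Samba 4 DC, owned by the uid/gid that winbind allocated
# for the AD user (not the uid of a same-named /etc/passwd user).
#
# `wbinfo -i <user>` prints a passwd-style line:
#   DOMAIN\user:*:UID:GID:GECOS:HOMEDIR:SHELL

# Field extractors for one wbinfo -i line.
wbinfo_uid() { printf '%s\n' "$1" | cut -d: -f3; }
wbinfo_gid() { printf '%s\n' "$1" | cut -d: -f4; }

# Constructed stand-in for `wbinfo -i "$1"`: the ids and paths are made up
# for this example.  On a real DC replace the body with:  wbinfo -i "$1"
# (and run `wbinfo -u` once beforehand; the first enumeration is slow).
lookup_user() {
    case "$1" in
        steve) printf '%s\n' 'HH1\steve:*:3000021:100:steve:/home/HH1/steve:/bin/false' ;;
        lynn)  printf '%s\n' 'HH1\lynn:*:3000022:100:lynn:/home/HH1/lynn:/bin/false' ;;
        *)     return 1 ;;
    esac
}

is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Decide what to do for one user without touching the filesystem.
# Prints "<dir> <uid> <gid>"; fails if winbind has no (sane) mapping, so a
# missing mapping can never turn into a chown to an empty or bogus id.
plan_home() {
    base=$1; user=$2
    line=$(lookup_user "$user") || { echo "no winbind mapping for $user" >&2; return 1; }
    uid=$(wbinfo_uid "$line"); gid=$(wbinfo_gid "$line")
    is_number "$uid" && is_number "$gid" || { echo "bad ids for $user: $line" >&2; return 1; }
    printf '%s %s %s\n' "$base/$user" "$uid" "$gid"
}

# Apply a plan: create the directory and hand it to the AD uid/gid (root
# only).  0700 is a conservative choice; Samba adds its own NT ACL
# (the security.NTACL xattr) later when a client sets one.
apply_home() {
    plan=$(plan_home "$1" "$2") || return 1
    gid=${plan##* }; plan=${plan% *}
    uid=${plan##* }; dir=${plan% *}
    mkdir -p "$dir" && chown "$uid:$gid" "$dir" && chmod 0700 "$dir"
}

# Usage: sh mkhomes.sh --apply /srv/samba/homes steve lynn
# (without --apply nothing is created, so the file can be sourced/tested)
if [ "${1:-}" = "--apply" ]; then
    base=$2; shift 2
    for u in "$@"; do apply_home "$base" "$u"; done
fi
```

The split into plan_home and apply_home is deliberate: everything that reads winbind and validates the ids runs before mkdir/chown, so the script cannot half-provision a user whose SID has no mapping yet.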

