[Samba] Samba 4 security

Matthieu Patou mat at samba.org
Wed Nov 30 16:37:36 MST 2011


Hello Steve,
On 30/11/2011 19:52, steve wrote:
> On 30/11/11 19:20, Matthieu Patou wrote:
>> Hello,
>>
>>
>>> Each subfolder of /home is username:users. A file which is 0755
>>> steve:users can be deleted by anyone. Samba 4 does not prompt for a
>>> username and password when entering any share. This is just a plain
>>> install of:
>> Where is the /home ? on the Samba 4 AD server ? mounted on the client ?
>>
>> How did you create the subfolders ?
>>
>>
>> Can you give a detailed list of actions to reproduce your problem ?
>>
>>
>> Matthieu.
>>
>
> I've tried both. In this example hh3 is the Samba server 192.168.1.3
>
> smb.conf has:
>
> [home]
> path = /home
> read only = no
>
> /home has 2 users /home folders. /home/steve and /home/lynn both owned 
> by their respective steve:users and lynn:users. Both users were 
> created before Samba 4 was installed. Linux does not allow file 
> creation nor deleting between the 2 folders.
>
Well, this already points me to something wrong in what you have done.

Even though you have users steve and lynn on the Linux/Unix side, your 
users created in the Active Directory will not be the same at all.

Then I suspect konq implicitly uses your Linux user as the default smb 
user, and if the password matches then you won't be prompted for a password.

In order to be sure you'd better do the test with smbclient.

For me smbclient didn't give me access if I don't put a password:


  smbclient -L //zeus
Enter mat's password:
Anonymous login successful
Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]

     Sharename       Type      Comment
     ---------       ----      -------
     home            Disk
     netlogon        Disk
     sysvol          Disk
     IPC$            IPC       IPC Service
zeus is an IPv6 address -- no workgroup available

smbclient  //zeus/home
Enter mat's password:


> so, on hh3:
> login as steve
>
> on konq do
>
> smb://hh3
>
> click on the home folder
>
> enter the lynn folder
>
> create a file (it shouldn't allow you)
> delete a different file (it shouldn't allow you)
>
> Now go over to another client, 192.168.1.4
> Login as someone different but not root.
>
> repeat above.
>
> The user on another physical box can also delete and create files in 
> either the lynn or steve home folders.
>
I suggest making a trace with tcpdump in order to know which user konq 
is using to authenticate you against the Samba 4 server.

Apart from this, you have to know that the current file server for the 
Samba AD (called samba4 so far) uses full NT ACLs that are usually stored 
in security.NTACL, in the extended attributes. When this information is 
not present, it uses the POSIX ACLs and POSIX rights and tries to 
translate them to their NT ACL equivalent.

It seems that here you have found a bug in the way the translation is done.


Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
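
Added example, not part of the original message or of Samba's code: a small audit that lists which entries under a share path carry no security.NTACL extended attribute, and so depend on the POSIX-to-NT translation described above. The function names `has_ntacl` and `audit_tree` are hypothetical, the script assumes Linux (`os.getxattr`), and it only tests for the attribute's presence without parsing it.

```python
import errno
import os
import stat
import sys

NTACL_XATTR = "security.NTACL"  # attribute name given in the message above


def has_ntacl(path, getxattr=None):
    """True if the xattr is present, False if absent, None if unreadable."""
    getxattr = getxattr or os.getxattr  # Linux-only call
    try:
        getxattr(path, NTACL_XATTR)
        return True
    except OSError as exc:
        # ENODATA: attribute not set; ENOTSUP: filesystem has no xattrs.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return False
        return None  # e.g. EACCES or ENOENT: cannot tell, do not guess


def audit_tree(root, getxattr=None):
    """Return (path, mode, uid, gid) for every entry without an NT ACL.

    These are the entries whose effective share permissions come from
    the POSIX mode bits and POSIX ACLs, so the mode is reported too.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if has_ntacl(path, getxattr) is False:
                st = os.lstat(path)
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((path, mode, st.st_uid, st.st_gid))
    return findings


if __name__ == "__main__":
    # Usage: python3 ntacl_audit.py /home   (path exported by the share)
    for path, mode, uid, gid in audit_tree(sys.argv[1]):
        print(f"{mode} {uid}:{gid} {path}  (no {NTACL_XATTR})")
```

Run it on the server against the exported path; entries it reports are the ones to compare against what a client is actually allowed to do.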


