[Samba] Samba 4 security
mat at samba.org
Wed Nov 30 16:37:36 MST 2011
On 30/11/2011 19:52, steve wrote:
> On 30/11/11 19:20, Matthieu Patou wrote:
>>> Each subfolder of /home is username:users. A file which is 0755
>>> steve:users can be deleted by anyone. Samba 4 does not prompt for a
>>> username and password when entering any share. This is just a plain
>>> install of:
>> Where is the /home ? on the Samba 4 AD server ? mounted on the client ?
>> How did you created the subfolders ?
>> Can you give a detailed list of action to reproduce your problem ?
> I've tried both. In this example hh3 is the Samba server 192.168.1.3
> smb.conf has:
> path = /home
> read only = no
> /home has 2 users /home folders. /home/steve and /home/lynn both owned
> by their respective steve:users and lynn:users. Both users were
> created before Samba 4 was installed. Linux does not allow file
> creation nor deleting between the 2 folders.
Well this points me already something wrong in what you have done.
Because its not because you have user steve and lynn in on the
Linux/Unix side, your users created in the active directory will not be
the same at all.
Then I suspect konq to implicitly use your linux user as the default smb
user and if the password match then you won't be prompted for a password.
In order to be sure you'd better do the test with smbclient.
For me smbclient didn't give me access if I don't put a password:
smbclient -L //zeus
Enter mat's password:
Anonymous login successful
Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service
zeus is an IPv6 address -- no workgroup available
Enter mat's password:
> so, on hh3:
> login as steve
> on konq do
> click on the home folder
> enter the lynn folder
> create a file (it shouldn't allow you)
> delete a different file (it shouldn't allow you)
> Now go over to another client, 192.168.1.4
> Login as someone different but not root.
> repeat above.
> The user on another physical box can also delete and create files in
> either the lynn or steve home folders.
I suggest to make a trace with tcpdump in order to know which user konq
is using to authenticate you against the samba 4 server.
Apart from this you have to know the current file server for the Samba
AD (called samba4 so far) use full NT acls that are usually stored in
in the extended attributes, when this information is not present it uses
the the posix acls and posix rights and tries to translate them to their
NT acls equivalent.
It seems that here you have found a bug in the way the translation is done.
More information about the samba