[Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account
Andrew Bartlett
abartlet at samba.org
Sun Dec 16 14:08:09 MST 2012
On Fri, 2012-12-14 at 18:03 +0000, Rob McCorkell wrote:
> In our current testing environment, we are using nslcd to get user and
> group information from the Samba4 LDAP server, using the last part of
> objectSid as uidNumber. The configuration is designed to pull down
> unixHomeDirectory and loginShell if they exist, but they default to
> standard values if they do not. nslcd on each machine binds to LDAP
> using a dedicated user account, nslcd-service, and the entire setup
> works pretty well.
>
> But now we have run into a problem - although both POSIX attributes
> exist on a particular user (ismith in this case) they cannot be read by
> the machine using nslcd-service to bind to the LDAP directory. After
> further testing, we found that binding as Administrator makes the
> attributes show up - in fact adding nslcd-service to 'Domain Admins'
> group also lets it see those attributes. Unfortunately both of these
> options are a huge security risk - any server that becomes compromised
> can effectively take control of the Samba4 domain and server, and in
> turn take out the rest of the network.
>
> It seems strange that all normal attributes are perfectly readable by
> any user, while the manually added POSIX attributes are not.
Indeed, it is very strange, but sadly we didn't notice this in the
testing prior to Samba 4.0. We recently (for the protection of users in
existing domains who may have restrictive READ ACLs set prior to
migration) enabled enforcement of ACLs for all operations, not just
writes.
To disable this, and go back to the ACL behaviour we had on rc5, set:
acl:read=false
in your smb.conf.
This will mean that all users can read all attributes, unless they are
passwords or marked confidential in the schema.
We are sorry for this regression, and hope to sort it out soon (but I
think soon means after Christmas at this point, as many of us are taking
a bit of time to recover after the massive effort to get 4.0 out the
door).
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
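As an added illustration of the setup discussed in this thread (not code from the thread or from Samba), the following decodes the binary objectSid, derives uidNumber from its RID the way the poster describes, applies default home/shell values when the POSIX attributes are missing, and compares what the same entry looks like when read as the service account versus as an administrator, so that an attribute hidden by a read ACL can be told apart from one that was never set. The entry dicts, the user name, the SID value and the default paths are all constructed for this example.

```python
import struct


def sid_from_binary(raw: bytes) -> str:
    """Decode the binary objectSid an AD/Samba LDAP server returns into S-1-5-21-... form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit big-endian identifier authority
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_from_sid(sid: str) -> int:
    """The last sub-authority (the RID) is what the poster maps onto uidNumber."""
    return int(sid.rsplit("-", 1)[1])


def posix_view(entry, default_home="/home/%s", default_shell="/bin/bash"):
    """Build the account the way nslcd would: RID as uidNumber, POSIX attributes with fallbacks.
    The default values are hypothetical; nslcd's real defaults come from nslcd.conf."""
    name = entry["sAMAccountName"]
    return {
        "name": name,
        "uidNumber": rid_from_sid(sid_from_binary(entry["objectSid"])),
        "homeDirectory": entry.get("unixHomeDirectory", default_home % name),
        "loginShell": entry.get("loginShell", default_shell),
    }


def hidden_by_acl(as_service, as_admin, attrs=("unixHomeDirectory", "loginShell")):
    """Attributes visible when bound as an administrator but absent when bound as the
    service account are hidden by a read ACL, not genuinely unset on the object."""
    return sorted(a for a in attrs if a in as_admin and a not in as_service)


# Constructed sample data for user 'ismith': SID S-1-5-21-1-2-3-1106 (RID 1106).
ISMITH_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1106)
ISMITH_AS_ADMIN = {"sAMAccountName": "ismith", "objectSid": ISMITH_SID,
                   "unixHomeDirectory": "/export/home/ismith", "loginShell": "/bin/zsh"}
# Same object read as nslcd-service: the POSIX attributes never arrive.
ISMITH_AS_SERVICE = {"sAMAccountName": "ismith", "objectSid": ISMITH_SID}

if __name__ == "__main__":
    print(posix_view(ISMITH_AS_ADMIN))
    print(posix_view(ISMITH_AS_SERVICE))
    print("hidden from nslcd-service:", hidden_by_acl(ISMITH_AS_SERVICE, ISMITH_AS_ADMIN))
```

Comparing the two binds against a real directory is a quick way to confirm whether the missing attributes are an ACL effect before changing acl:read in smb.conf.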