[Samba] allow trusted domains

Victor Sudakov vas at mpeks.tomsk.su
Mon Feb 27 00:07:46 MST 2012

As written in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

	"Where winbindd is not used Samba (smbd) uses the underlying
	UNIX/Linux mechanisms to resolve the identity of incoming network
	traffic. This is done using the LoginID (account name) in the session
	setup request and passing it to the getpwnam() system function call.
	This call is implemented using the name service switch (NSS) mechanism
	on modern UNIX/Linux systems. By saying "users and groups are local,"
	we are implying that they are stored only on the local system, in the
	/etc/passwd and /etc/group respectively.

	For example, when the user BERYLIUM\WambatW tries to open a connection
	to a Samba server the incoming SessionSetupAndX request will make a
	system call to look up the user WambatW in the /etc/passwd file. "

My question: if BERYLIUM trusts ANOTHERDOMAIN, and
ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
what user will be looked up in /etc/passwd?

Victor Sudakov wrote:
> There is a samba compiled without winbind support, with the following
> options configured:
> workgroup = MYDOMAIN
> security = domain
> allow trusted domains = yes
> add user script = /usr/sbin/pw useradd %u -m -Y -M 755
> When a Windows user MYDOMAIN\john connects to the samba server, he is
> mapped to the Unix user john. If there is no Unix user "john", it is
> created by the add user script.
> How will the users OTHERDOMAIN\otheruser and especially
> OTHERDOMAIN\join be mapped/created? 
> If OTHERDOMAIN\join is mapped to the same Unix user as MYDOMAIN\join,
> it's a big security hole.
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

More information about the samba mailing list