[Samba] allow trusted domains
Victor Sudakov
vas at mpeks.tomsk.su
Mon Feb 27 00:07:46 MST 2012
As written in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html:
"Where winbindd is not used Samba (smbd) uses the underlying
UNIX/Linux mechanisms to resolve the identity of incoming network
traffic. This is done using the LoginID (account name) in the session
setup request and passing it to the getpwnam() system function call.
This call is implemented using the name service switch (NSS) mechanism
on modern UNIX/Linux systems. By saying "users and groups are local,"
we are implying that they are stored only on the local system, in the
/etc/passwd and /etc/group respectively.
For example, when the user BERYLIUM\WambatW tries to open a connection
to a Samba server the incoming SessionSetupAndX request will make a
system call to look up the user WambatW in the /etc/passwd file."
My question: if BERYLIUM trusts ANOTHERDOMAIN, and
ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
what user will be looked up in /etc/passwd?
Victor Sudakov wrote:
> There is a samba compiled without winbind support, with the following
> options configured:
>
> workgroup = MYDOMAIN
> security = domain
> allow trusted domains = yes
> add user script = /usr/sbin/pw useradd %u -m -Y -M 755
>
> When a Windows user MYDOMAIN\john connects to the samba server, he is
> mapped to the Unix user john. If there is no Unix user "john", it is
> created by the add user script.
>
> How will the users OTHERDOMAIN\otheruser and especially
> OTHERDOMAIN\join be mapped/created?
>
> If OTHERDOMAIN\join is mapped to the same Unix user as MYDOMAIN\join,
> it's a big security hole.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
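As an added example (not from the post or from Samba itself), a small Python audit that models the name-only getpwnam() lookup the quoted HOWTO describes and flags principals from different domains that would land on the same Unix account. The smb.conf text is constructed from the options quoted above; whether a winbind-less build really resolves trusted-domain users by bare account name is the open question here, so the output is a what-if under that model.

```python
"""Audit an smb.conf fragment for cross-domain Unix account collisions (added example)."""

# Constructed from the options quoted in the post; not a real server's config.
SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = domain
   allow trusted domains = yes
   add user script = /usr/sbin/pw useradd %u -m -Y -M 755
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased, '#'/';' comment lines skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def unix_account_for(principal):
    """Name-only resolution as the quoted HOWTO describes: the account name after
    DOMAIN\\ is what gets handed to getpwnam(); the domain is not part of the key (model assumption)."""
    return principal.rsplit("\\", 1)[-1].lower()

def collisions(principals):
    """Map each Unix account to the set of domains that can reach it; keep only
    accounts reachable from more than one domain (the hole the poster asks about)."""
    reach = {}
    for p in principals:
        domain = p.split("\\", 1)[0].upper() if "\\" in p else "<LOCAL>"
        reach.setdefault(unix_account_for(p), set()).add(domain)
    return {acct: doms for acct, doms in reach.items() if len(doms) > 1}

def audit(conf_text, principals):
    """Return findings for the given config and the principals expected to connect."""
    g = parse_smb_conf(conf_text).get("global", {})
    findings = []
    if g.get("security", "").lower() == "domain" and g.get("allow trusted domains", "yes").lower() == "yes":
        findings.append("allow trusted domains = yes with name-only resolution: "
                        "trusted-domain users are looked up by bare account name")
    if "%u" in g.get("add user script", ""):
        findings.append("add user script creates the bare %u account, which under name-only "
                        "resolution is shared by every domain that has that account name")
    for acct, doms in sorted(collisions(principals).items()):
        findings.append(f"Unix account '{acct}' reachable from domains {sorted(doms)}")
    return findings

if __name__ == "__main__":
    for f in audit(SMB_CONF, ["MYDOMAIN\\john", "OTHERDOMAIN\\john", "OTHERDOMAIN\\otheruser"]):
        print("FINDING:", f)
```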