[Samba] Samba 4.1.6 huge security flaw

bogdan_bartos admin at blackpenguin.org
Mon Apr 14 16:01:43 MDT 2014


I can confirm that the bug is re-occurring after the Windows machine restart.
The bug might occur due to the setup I have, so please read what follows.

Let's call the user with issues user_issue. The same user_issue is a member of
2 different domain controllers and has the same password in 2 different
networks.
When "user_issue" logs onto domain A, it is on the LAN that is not connected
to the domain with issues (local LAN domain). Then I launch the VPN client
and access the shares on domain B (this is the domain with the issue) that, as I
mentioned, is a whole different domain controller that does not relate to A.
Only the username and the password are the same in both controllers.
Because of that, the shares on controller B never ask for the password, so
the user_issue is not authenticated as logged in under controller B, but
rather granted access based on the user/password combination.
I am not sure if this has any impact on the solution to the problem, but
this is the setup I have. I will try more testing and see, but for now this
is an issue that exists for sure.

The only change that I made to domain controller B is to run duplicity as
root, but this should not modify the folder access since it only reads the
structure, and again, this happens in the setup described above.



--
View this message in context: http://samba.2283325.n4.nabble.com/Samba-4-1-6-huge-security-flaw-tp4664312p4664314.html