[Samba] Possible Security Hole (Bug?)
david_willis at comcast.net
Thu Apr 16 01:32:44 MDT 2015
I noticed something that may or may not be a bug in Samba4 on an AD DC - I
may be completely missing something and if that's the case please feel free
to let me know - but.
If for some reason the Samba4 DC thinks that the UID for an account (for
example, DOM\Administrator) is 0, and you log into that account, it logs you
into the local root account (even if it is disabled, as it is by default in
The case in which I noticed this was when the NIC was temporarily
disconnected, then reconnected, then the samba service restarted. When
attempting to login to the domain admin account after this sequence of
events, it asks for password, then grants access to the local root account.
When doing a "id administrator" it would show uid=0, although the groups
were correct (as were the GIDs).
I was not able to reproduce this when I repeated the same sequence of
events, so I am not quite sure what the situation is here or why it suddenly
saw administrator's UID to be 0. Doing a "net cache flush", then restarting
BIND9 and Samba again resolved the issue (UIDs were correct and able to log
into the domain admin account as expected). As I am unsure whether or not
this is a bug, I wanted to send a message here first rather than to the bug
report to see if I could get some more information. However it does seem
like a possible security hole (I wasn't able to reproduce this, but if this
same scenario happened with a non-domain-admin account, it would essentially
allow a non-privileged domain user to gain root access on the Samba4 AD DC).
I should note that in this case, the "administrator" account had no
additional privileges on the Samba4 DC - that is, it had not been added to
the local "sudo" group (or any other local groups, for that matter). I will
also note that I seem to recall a similar event happening back when I first
configured the DC on an older version of Samba4 (possibly before the correct
configuration was achieved, which may be why the UID was inaccurately seen
as "0" back at that time).
Some basic environment info:
Current Samba4 version - 4.2.0, compiled from source (tarball downloaded via
download.samba.org) w/ gcc compiler (v4.6.3) - using new/updated "winbindd"
functionality as instructed in v4.2.0 release notes
Configured as an AD DC in a domain w/ 2 other DCs, both of the other DCs
running Windows Server 2008R2
OS: Ubuntu Server 12.04.5 LTS
RFC2307 attributes enabled and in use
Correct UID for DOM\Administrator: 10000 (assigned via RFC2307 attrs)
Local root account disabled
No "username mapping" is in use
Normally, everything is working as expected. This was just one situation
that I came across by accident after disconnecting and reconnecting the NIC.
I will also note that I did attempt a login to the DOM\Administrator account
on the Samba4 DC while the NIC was disconnected (and as expected, received a
"no logon servers" message). Not sure if that is important or not.
If there is any more information needed please let me know. I often read the
Samba message boards (along with many others, and much googling) when I run
into an issue to find a resolution, but in this case I thought I should
bring it to someone's attention as it seems that this (could) be a
significant security issue. If I am missing something here and this is not
the issue that it seems to be then please feel free to let me know.
Thank you for your time, and for all the work that everyone on the team has
put into this great project over the years!!!
E-Mail: david_willis at comcast.net
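One way to catch the state described in this post before anyone logs in: an audit that reads `getent passwd` output on the DC and flags any domain account whose resolved UID is 0 or below the RFC2307 range. This is an added example, not code from the post or from Samba; it assumes winbind's backslash separator for `DOM\user` names and takes 10000 (the post's Administrator uidNumber) as the lowest expected domain UID.

```python
#!/usr/bin/env python3
"""Audit how a Samba AD DC resolves domain accounts to local UIDs.

Added check (not from the original post): flags domain accounts whose
resolved UID is 0 (root) or below the lowest RFC2307-assigned uidNumber.
Input is passwd-format text such as the output of `getent passwd`.
"""

MIN_DOMAIN_UID = 10000  # assumption: lowest RFC2307 uidNumber (post: Administrator = 10000)

# Constructed sample of `getent passwd` output reproducing the reported state:
# Administrator mapped to uid 0, alice correct, bob below the expected range.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
DOM\\administrator:*:0:10000::/home/DOM/administrator:/bin/false
DOM\\alice:*:10001:10000::/home/DOM/alice:/bin/false
DOM\\bob:*:999:10000::/home/DOM/bob:/bin/false
"""


def parse_passwd(text):
    """Yield (name, uid, gid) from passwd-format lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        try:
            yield fields[0], int(fields[2]), int(fields[3])
        except ValueError:
            continue


def audit_passwd_entries(text, accounts, domain, min_uid=MIN_DOMAIN_UID):
    """Return (entry_name, uid, reason) for each listed domain account that
    resolves to root or to a UID below min_uid. Names match with or without
    the "DOMAIN\\" winbind prefix (assumed separator: backslash)."""
    wanted = {a.lower() for a in accounts}
    prefix = domain.lower() + "\\"
    findings = []
    for name, uid, _gid in parse_passwd(text):
        bare = name.lower()
        if bare.startswith(prefix):
            bare = bare[len(prefix):]
        if bare not in wanted:
            continue
        if uid == 0:
            findings.append((name, uid, "resolves to root (uid 0)"))
        elif uid < min_uid:
            findings.append((name, uid, "uid below RFC2307 range (min %d)" % min_uid))
    return findings
```

On a live DC, pass the text of `getent passwd` (for example via `subprocess.check_output(["getent", "passwd"], text=True)`) in place of SAMPLE; any non-empty result is worth a `net cache flush` and a look at the idmap state before allowing logins.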