[Samba] Possible Security Hole (Bug?)

L.P.H. van Belle belle at bazuin.nl
Thu Apr 16 02:42:25 MDT 2015


because of this : 
Correct UID for DOM\Administrator: 10000

Your adminstrator can login.. 
sshd_config does the following if root is disabled.. ( or no passwd for root..) 

1) no root login when root has no password.
2) no root login with uid 0
3) all other.. you can login. 

In these cases.. create an extra security group in ssh,
and add the users in it who are allowed to login. 

and for samba ( winbind ) Administrator = root. 
and for correct working, its really adviced to NOT give Administrator any UID.

and you did... ... 
and why not.. see your own question.  ;-) 

the best explanation i can give .. 

Greetz, 

Louis
 

>-----Oorspronkelijk bericht-----
>Van: david_willis at comcast.net 
>[mailto:samba-bounces at lists.samba.org] Namens David Willis
>Verzonden: donderdag 16 april 2015 9:33
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Possible Security Hole (Bug?)
>
>Hello,
>
> 
>
>I noticed something that may or may not be a bug in Samba4 on 
>an AD DC - I
>may be completely missing something and if that's the case 
>please feel free
>to let me know - but.
>
> 
>
>If for some reason the Samba4 DC thinks that the UID for an 
>account (for
>example, DOM\Administrator) is 0, and you log into that 
>account, it logs you
>into the local root account (even if it is disabled, as it is 
>by default in
>Ubuntu).
>
> 
>
>The case in which I noticed this was when the NIC was temporarily
>disconnected, then reconnected, then the samba service restarted. When
>attempting to login to the domain admin account after this sequence of
>events, it asks for password, then grants access to the local 
>root account.
>When doing a "id administrator" it would show uid=0, although 
>the groups
>were correct (as were the GIDs).
>
> 
>
>I was not able to reproduce this when I repeated the same sequence of
>events, so I am not quite sure what the situation is here or 
>why it suddenly
>saw administrator's UID to be 0. Doing a "net cache flush", 
>then restarting
>BIND9 and Samba again resolved the issue (UIDs were correct 
>and able to log
>into the domain admin account as expected). As I am unsure 
>whether or not
>this is a bug, I wanted to send a message here first rather 
>than to the bug
>report to see if I could get some more information. However it 
>does seem
>like a possible security hole (I wasn't able to reproduce 
>this, but if this
>same scenario happened with a non-domain-admin account, it 
>would essentially
>allow a non-privileged domain user to gain root access on the 
>Samba4 AD DC).
>
> 
>
>I should note that in this case, the "administrator" account had no
>additional privileges on the Samba4 DC - that is, it had not 
>been added to
>the local "sudo" group (or any other local groups, for that 
>matter). I will
>also note that I seem to recall a similar event happening back 
>when I first
>configured the DC on an older version of Samba4 (possibly 
>before the correct
>configuration was achieved, which may be why the UID was 
>inaccurately seen
>as "0" back at that time).
>
> 
>
>Some basic environment info:
>
> 
>
>Current Samba4 version - 4.2.0, compiled from source (tarball 
>downloaded via
>download.samba.org) w/ gcc compiler (v4.6.3) - using 
>new/updated "winbindd"
>functionality as instructed in v4.2.0 release notes
>
>Configured as an AD DC in a domain w/ 2 other DCs, both of the 
>other DCs
>running Windows Server 2008R2
>
>OS: Ubuntu Server 12.04.5 LTS
>
>RFC2307 attributes enabled and in use
>
>Correct UID for DOM\Administrator: 10000 (assigned via RFC2307 attrs)
>
>Local root account disabled
>
>No "username mapping" is in use
>
> 
>
>Normally, everything is working as expected. This was just one 
>situation
>that I came across by accident after disconnecting and 
>reconnecting the NIC.
>I will also note that I did attempt a login to the 
>DOM\Administrator account
>on the Samba4 DC while the NIC was disconnected (and as 
>expected, received a
>"no logon servers" message). Not sure if that is important or not.
>
> 
>
>If there is any more information needed please let me know. I 
>often read the
>Samba message boards (along with many others, and much 
>googling) when I run
>into an issue to find a resolution, but in this case I thought I should
>bring it to someone's attention as it seems that this (could) be a
>significant security issue. If I am missing something here and 
>this is not
>the issue that it seems to be then please feel free to let me know.
>
> 
>
>Thank you for your time, and for all the work that everyone on 
>the team has
>put into this great project over the years!!!
>
> 
>
>Regards,
>
> 
>
>David
>
> 
>
>E-Mail: david_willis at comcast.net
>
> 
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>



More information about the samba mailing list