[Samba] Possible Security Hole (Bug?)

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 17 02:01:55 MDT 2015

On 16/04/15 19:26, David Willis wrote:
> Thank you for the reply.
> Forgive me if I am not understanding correctly, but...
> I have heard conflicting reports about whether or not to assign UID to DOM\administrator, even from threads read on these lists :)
> However, are DOM\administrator and local "root" not two separate accounts...? One domain admin, one "local" root/admin. So why then would winbind/samba see them as the "same" account...
> Especially because even if UID is not assigned to DOM\administrator, it will still be assigned an arbitrary UID from the 3000000-4000000 range via idmap.ldb, no? So either way it's going to have a UID assigned... But through idmap.ldb this may not be consistent between samba DCs as per the Samba wiki... Which brings me back to why I assigned a UID via RFC2307 :)
> But I digress... I still don't see
> A. Why samba/winbind would see DOM\administrator and local "root" as the same account, and
> B. How DOM\administrator having a UID assigned via RFC2307 makes any difference, as it will have SOME UID assigned anyway (by idmap.ldb if not by me), and in either case it will not be 0
> Last note... This was with a CONSOLE login that I was able to gain root access... NOT via ssh... So I don't think sshd_config should play a role either here.
> Regards,
> David

Hi, there are two separate points of view here: map 'Administrator' to 
the 'root' user, or give 'Administrator' a uidNumber. If you do the 
first then 'Administrator' can change directory settings on a Unix 
machine from Windows (profiles dir, file share dirs etc) without any 
problem. If you give 'Administrator' a uidNumber, then (s)he becomes 
just another Unix user and will need to be given the rights to change 
ownership and mode of directories.

Oh, and in answer to 'B', if you don't do anything, 'Administrator' is 
automatically mapped to root on a Samba4 AD DC.


