[Samba] Possible Security Hole (Bug?)
rowlandpenny at googlemail.com
Fri Apr 17 02:01:55 MDT 2015
On 16/04/15 19:26, David Willis wrote:
> Thank you for the reply.
> Forgive me if I am not understanding correctly, but..
> I have heard conflicting reports about whether or not to assign UID to DOM\administrator, even from threads read on these lists :)
> However, are DOM\administrator and local "root" not two separate accounts...? One domain admin, one "local" root/admin. So why then would winbind/samba see them as the "same" account...
> Especially because even if UID is not assigned to DOM\administrator, it will still be assigned an arbitrary UID from the 3000000-4000000 range via idmap.ldb, no? So either way it's going to have a UID assigned... But thru idmap.ldb this may not be consistent between samba DCs as per the Samba wiki... Which brings me back to why I assigned a UID via RFC2307 :)
> But I digress... I still don't see
> A. Why samba/winbind would see DOM\administrator and local "root" as the same account, and
> B. How DOM\administrator having a UID assigned via RFC2307 makes any difference, as it will have SOME UID assigned anyway (by idmap.ldb if not by me), and in either case it will not be 0
> Last note... This was with a CONSOLE login that I was able to gain root access... NOT via ssh... So I don't think sshd_config should play a role either here.
Hi, there are two separate points of view here, map 'Administrator' to
the 'root' user, or give 'Administrator' a uidNumber. If you do the
first then 'Administrator' can change directory settings on a Unix
machine from windows (profiles dir, file share dirs etc) without any
problem. If you give 'Administrator' a uidNumber, then (s)he becomes
just another Unix user and will need to be given the rights to change
ownership and mode of directories.
Oh, and in answer to 'B', if you don't do anything, 'Administrator' is
automatically mapped to root on a Samba4 AD DC.
More information about the samba