[Samba] Possible Security Hole (Bug?)

L.P.H. van Belle belle at bazuin.nl
Fri Apr 17 02:34:07 MDT 2015


In case of "B"  
Do we know all folders which needs to be changed with rights? 
Or is this only for all shares and folder/file rights. 

Just asking so i can add it to my script. 
And to take in mind, in both cases, i already added 
the group "Domain Admins" to all privileges.



>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: vrijdag 17 april 2015 10:02
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] Possible Security Hole (Bug?)
>On 16/04/15 19:26, David Willis wrote:
>> Thank you for the reply.
>> Forgive me if I am not understanding correctly, but..
>> I have heard conflicting reports about whether or not to 
>assign UID to DOM\administrator, even from threads read on 
>these lists :)
>> However, are DOM\administrator and local "root" not two 
>separate accounts...? One domain admin, one "local" 
>root/admin. So why then would winbind/samba see them as the 
>"same" account...
>> Especially  because even if UID is not assigned to 
>DOM\administrator, it will still be assigned an arbitrary UID 
>from the 3000000-4000000 range via idmap.ldb, no? So either 
>way it's going to have a UID assigned... But thru idmap.ldb 
>this may not be consistent between samba DCs as per the Samba 
>wiki... Which brings me back to why I assigned a UID via RFC2307 :)
>> But I digress... I still don't see
>> A. Why samba/winbind would see DOM\administrator and local 
>"root" as the same account, and
>> B. How DOM\administrator having a UID assigned via RFC2307 
>makes any difference, as it will have SOME UID assigned anyway 
>(by idmap.ldb if not by me), and in either case it will not be 0
>> Last note... This was with a CONSOLE login that I was able 
>to gain root access... NOT via ssh... So I don't think 
>sshd_config should play a role either here.
>> Regards,
>> David
>Hi, there are two separate points of view here, map 'Administrator' to 
>the 'root' user, or give 'Administrator' a uidNumber. If you do the 
>first then 'Administrator' can change directory settings on a Unix 
>machine from windows (profiles dir, file share dirs etc) without any 
>problem. If you give 'Administrator' a uidNumber, then (s)he becomes 
>just another Unix user and will need to be given the rights to change 
>ownership and mode of directories.
>Oh, and in answer to 'B', if you don't do anything, 'Administrator' is 
>automatically mapped to root on a Samba4 AD DC.
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list