[Samba] Possible Security Hole (Bug?)
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 17 02:34:07 MDT 2015
Rowland,
In case of "B"
Do we know all the folders which need to be changed with rights?
Or is this only for all shares and folder/file rights?
Just asking so I can add it to my script.
And to keep in mind, in both cases, I already added
the group "Domain Admins" to all privileges.
Greetz,
Louis
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Friday 17 April 2015 10:02
>To: samba at lists.samba.org
>Subject: Re: [Samba] Possible Security Hole (Bug?)
>
>On 16/04/15 19:26, David Willis wrote:
>> Thank you for the reply.
>>
>> Forgive me if I am not understanding correctly, but..
>>
>> I have heard conflicting reports about whether or not to
>> assign UID to DOM\administrator, even from threads read on
>> these lists :)
>>
>> However, are DOM\administrator and local "root" not two
>> separate accounts...? One domain admin, one "local"
>> root/admin. So why then would winbind/samba see them as the
>> "same" account...
>>
>> Especially because even if UID is not assigned to
>> DOM\administrator, it will still be assigned an arbitrary UID
>> from the 3000000-4000000 range via idmap.ldb, no? So either
>> way it's going to have a UID assigned... But through idmap.ldb
>> this may not be consistent between samba DCs as per the Samba
>> wiki... Which brings me back to why I assigned a UID via RFC2307 :)
>>
>> But I digress... I still don't see
>> A. Why samba/winbind would see DOM\administrator and local
>> "root" as the same account, and
>> B. How DOM\administrator having a UID assigned via RFC2307
>> makes any difference, as it will have SOME UID assigned anyway
>> (by idmap.ldb if not by me), and in either case it will not be 0
>>
>> Last note... This was with a CONSOLE login that I was able
>> to gain root access... NOT via ssh... So I don't think
>> sshd_config should play a role either here.
>>
>> Regards,
>>
>> David
>
>Hi, there are two separate points of view here, map 'Administrator' to
>the 'root' user, or give 'Administrator' a uidNumber. If you do the
>first then 'Administrator' can change directory settings on a Unix
>machine from windows (profiles dir, file share dirs etc) without any
>problem. If you give 'Administrator' a uidNumber, then (s)he becomes
>just another Unix user and will need to be given the rights to change
>ownership and mode of directories.
>
>Oh, and in answer to 'B', if you don't do anything, 'Administrator' is
>automatically mapped to root on a Samba4 AD DC.
>
>Rowland
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
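As an added example (not part of the thread, and not Samba project code): a small POSIX shell helper that tells you which of the two situations Rowland describes a DC is actually in, by classifying the uid that winbind reports for the Administrator account. The uid ranges are assumptions taken from the messages above: uid 0 means Administrator is mapped to root (the Samba AD DC default), a uid in the 3000000-4000000 range is an automatic allocation from idmap.ldb, and anything else is treated as an explicitly assigned RFC2307 uidNumber. The idmap.ldb path and the sample passwd lines are constructed for the example.

```shell
#!/bin/sh
# Added example: classify how DOM\Administrator is mapped on a Samba AD DC.
# Ranges are assumptions from the thread, not Samba-documented constants.

# classify_mapping PASSWD_LINE
#   Takes one passwd-format line as printed by "wbinfo -i" or "getent passwd"
#   (DOM\user:*:uid:gid:gecos:home:shell) and prints exactly one word:
#     root       - uid 0, Administrator is mapped onto the Unix root account
#     idmap_ldb  - uid in the 3000000-4000000 range that idmap.ldb hands out
#     rfc2307    - any other uid, i.e. one assigned explicitly (uidNumber)
#     unknown    - the line does not carry a numeric uid (returns 1)
classify_mapping() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$uid" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo root
    elif [ "$uid" -ge 3000000 ] && [ "$uid" -le 4000000 ]; then
        echo idmap_ldb
    else
        echo rfc2307
    fi
}

# check_live [ACCOUNT]
#   Runs the real lookup on a DC. Returns 2 when wbinfo is not installed,
#   so the function can be used on a machine without Samba.
check_live() {
    acct=${1:-Administrator}
    line=$(wbinfo -i "$acct" 2>/dev/null) || { echo "wbinfo unavailable"; return 2; }
    classify_mapping "$line"
}

# show_idmap_entry SID
#   Prints the idmap.ldb record for a SID (the domain Administrator is the
#   RID-500 SID). The path is the common Debian/Ubuntu default; adjust it
#   for your install. Only runs when ldbsearch is present.
show_idmap_entry() {
    db=${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}
    command -v ldbsearch >/dev/null 2>&1 || { echo "ldbsearch unavailable"; return 2; }
    ldbsearch -H "$db" "(objectSid=$1)" xidNumber type
}

# Constructed sample lines, in the format wbinfo -i prints.
SAMPLE_ROOT='SAMDOM\administrator:*:0:100::/home/SAMDOM/administrator:/bin/false'
SAMPLE_AUTO='SAMDOM\administrator:*:3000000:100::/home/SAMDOM/administrator:/bin/false'
SAMPLE_RFC='SAMDOM\administrator:*:10000:10000::/home/SAMDOM/administrator:/bin/bash'

if [ "${1:-}" = "demo" ]; then
    for l in "$SAMPLE_ROOT" "$SAMPLE_AUTO" "$SAMPLE_RFC"; do
        printf '%s -> %s\n' "$l" "$(classify_mapping "$l")"
    done
    check_live
fi
```

If `check_live` prints `rfc2307`, Administrator is "just another Unix user" in Rowland's terms, and the directories the DC and file servers write for it (sysvol, profiles, share roots) need ownership or ACLs that the account, or a group it is in, can actually change; if it prints `root`, no such grant is needed but the account has full local power on every box where that mapping applies.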