[Samba] Possible Security Hole (Bug?)

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 17 03:12:13 MDT 2015

On 17/04/15 09:34, L.P.H. van Belle wrote:
> Rowland,
> In case of "B"
> Do we know all folders which needs to be changed with rights?
> Or is this only for all shares and folder/file rights.
> Just asking so i can add it to my script.
> And to take in mind, in both cases, i already added
> the group "Domain Admins" to all privileges.
> Greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>> Verzonden: vrijdag 17 april 2015 10:02
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Possible Security Hole (Bug?)
>> On 16/04/15 19:26, David Willis wrote:
>>> Thank you for the reply.
>>> Forgive me if I am not understanding correctly, but..
>>> I have heard conflicting reports about whether or not to
>> assign UID to DOM\administrator, even from threads read on
>> these lists :)
>>> However, are DOM\administrator and local "root" not two
>> separate accounts...? One domain admin, one "local"
>> root/admin. So why then would winbind/samba see them as the
>> "same" account...
>>> Especially  because even if UID is not assigned to
>> DOM\administrator, it will still be assigned an arbitrary UID
> >from the 3000000-4000000 range via idmap.ldb, no? So either
>> way it's going to have a UID assigned... But thru idmap.ldb
>> this may not be consistent between samba DCs as per the Samba
>> wiki... Which brings me back to why I assigned a UID via RFC2307 :)
>>> But I digress... I still don't see
>>> A. Why samba/winbind would see DOM\administrator and local
>> "root" as the same account, and
>>> B. How DOM\administrator having a UID assigned via RFC2307
>> makes any difference, as it will have SOME UID assigned anyway
>> (by idmap.ldb if not by me), and in either case it will not be 0
>>> Last note... This was with a CONSOLE login that I was able
>> to gain root access... NOT via ssh... So I don't think
>> sshd_config should play a role either here.
>>> Regards,
>>> David
>> Hi, there are two separate points of view here, map 'Administrator' to
>> the 'root' user, or give 'Administrator' a uidNumber. If you do the
>> first then 'Administrator' can change directory settings on a Unix
>> machine from windows (profiles dir, file share dirs etc) without any
>> problem. If you give 'Administrator' a uidNumber, then (s)he becomes
>> just another Unix user and will need to be given the rights to change
>> ownership and mode of directories.
>> Oh, and in answer to 'B', if you don't do anything, 'Administrator' is
>> automatically mapped to root on a Samba4 AD DC.
>> Rowland
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

Hi Louis, as far as I understand it, Administrator can only change 
directories that (s)he can see from windows, unless 'Administrator' 
actually logs into a DC. So, as far as your script is concerned, I don't 
think any changes are required, unless you can think of a way of 
stopping the Administrator logging into the DC.


More information about the samba mailing list