[Samba] Possible Security Hole (Bug?)

Davor Vusir davortvusir at gmail.com
Sat Apr 18 14:14:36 MDT 2015


2015-04-17 10:01 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 16/04/15 19:26, David Willis wrote:
>>
>> Thank you for the reply.
>>
>> Forgive me if I am not understanding correctly, but..
>>
>> I have heard conflicting reports about whether or not to assign UID to
>> DOM\administrator, even from threads read on these lists :)
>>
>> However, are DOM\administrator and local "root" not two separate
>> accounts...? One domain admin, one "local" root/admin. So why then would
>> winbind/samba see them as the "same" account...
>>
>> Especially because even if UID is not assigned to DOM\administrator, it
>> will still be assigned an arbitrary UID from the 3000000-4000000 range via
>> idmap.ldb, no? So either way it's going to have a UID assigned... But thru
>> idmap.ldb this may not be consistent between samba DCs as per the Samba
>> wiki... Which brings me back to why I assigned a UID via RFC2307 :)
>>
>> But I digress... I still don't see
>> A. Why samba/winbind would see DOM\administrator and local "root" as the
>> same account, and
>> B. How DOM\administrator having a UID assigned via RFC2307 makes any
>> difference, as it will have SOME UID assigned anyway (by idmap.ldb if not by
>> me), and in either case it will not be 0
>>
>> Last note... This was with a CONSOLE login that I was able to gain root
>> access... NOT via ssh... So I don't think sshd_config should play a role
>> either here.
>>
>> Regards,
>>
>> David
>
>
> Hi, there are two separate points of view here, map 'Administrator' to the
> 'root' user, or give 'Administrator' a uidNumber. If you do the first then
> 'Administrator' can change directory settings on a Unix machine from windows
> (profiles dir, file share dirs etc) without any problem. If you give
> 'Administrator' a uidNumber, then (s)he becomes just another Unix user and
> will need to be given the rights to change ownership and mode of
> directories.
>

A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain
Admins' a member of the server's Administrators group during domain join.
If you, as a member of 'SERVER\Administrators', choose to remove the
Domain Admins, that is, of course, perfectly valid. As is making a domain
user account a member of the server's Administrators group. Or removing
it from a selected group. So in a sense one could say that
'DOMAIN\Administrator' is just another Windows/Unix user.

When Samba is set up as a file and/or print server, you have to make
Unix aware of which domain user accounts/groups will have
extraordinary rights. As you write.

Maybe one should change views and look at the Unix/Samba complex as a
virtual host where one of its guests is a file server that owns its
playground, the file system it shares. The guest, Samba, utilizes Unix
for its purpose. In that case Samba is contained and
'DOMAIN\Administrator' should have a uid-/gidNumber. All domain
accounts and groups should have their uid-/gidNumber set.

Regards
Davor

> Oh, and in answer to 'B', if you don't do anything, 'Administrator' is
> automatically mapped to root on a Samba4 AD DC.
>
> Rowland
>
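The concern raised in this thread is a domain account that resolves to uid 0 on the Unix side (the default 'Administrator' to root mapping on a Samba4 AD DC) versus one that gets an arbitrary uid from the idmap.ldb 3000000-4000000 range instead of a deliberately assigned RFC2307 uidNumber. The following is an added audit helper, not code from the thread or from the Samba project: it parses passwd-format output as `getent passwd` would print it and flags both conditions. It assumes the default winbind separator `\` for domain accounts and the uid range named above; the sample input is constructed.

```python
"""Audit passwd entries on a Samba/winbind host for the two cases the thread discusses."""

# Constructed sample of `getent passwd` output (not captured from a real host).
# 'DOM\administrator' at uid 0 is what the default mapping to root looks like;
# 'DOM\svc-backup' got an auto-allocated uid from idmap.ldb instead of RFC2307.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
DOM\\administrator:*:0:0:Administrator:/home/DOM/administrator:/bin/false
DOM\\dwillis:*:10001:10000:David Willis:/home/DOM/dwillis:/bin/false
DOM\\svc-backup:*:3000021:3000020:Backup Svc:/home/DOM/svc-backup:/bin/false
"""

AUTO_IDMAP_RANGE = (3000000, 4000000)  # idmap.ldb auto-allocation range named in the thread
WINBIND_SEPARATOR = "\\"               # assumed default 'winbind separator'


def parse_passwd(text):
    """Parse passwd-format lines into dicts; skips blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid 7-field passwd record
        entries.append({"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3])})
    return entries


def is_domain_account(name, sep=WINBIND_SEPARATOR):
    """Domain accounts are shown as DOMAIN<sep>user by winbind."""
    return sep in name


def audit(entries, sep=WINBIND_SEPARATOR):
    """Return (finding, account) pairs: 'uid0' for any non-root account resolving to
    uid 0, 'auto-idmap' for domain accounts whose uid came from the idmap.ldb range
    rather than an administrator-assigned RFC2307 uidNumber."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("uid0", e["name"]))
        if is_domain_account(e["name"], sep) and AUTO_IDMAP_RANGE[0] <= e["uid"] <= AUTO_IDMAP_RANGE[1]:
            findings.append(("auto-idmap", e["name"]))
    return findings


if __name__ == "__main__":
    # In practice: pipe in `getent passwd` output instead of the constructed sample.
    for kind, account in audit(parse_passwd(SAMPLE_PASSWD)):
        print(f"{kind}: {account}")
```

A 'uid0' hit for a domain account is the console-root situation David describes; 'auto-idmap' hits are the accounts whose uid may differ between DCs, which is why the thread prefers explicit uidNumber values.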