[Samba] Possible Security Hole (Bug?)
anrdaemon at yandex.ru
Sat Apr 18 16:12:56 MDT 2015
Greetings, Davor Vusir!
>> Hi, there are two separate points of view here, map 'Administrator' to the
>> 'root' user, or give 'Administrator' a uidNumber. If you do the first then
>> 'Administrator' can change directory settings on a Unix machine from windows
>> (profiles dir, file share dirs etc) without any problem. If you give
>> 'Administrator' a uidNumber, then (s)he becomes just another Unix user and
>> will need to be given the rights to change ownership and mode of
> A design choice of Microsofts is to make the AD-group 'DOMAIN\Domain
> Admins' member of the servers Administrators group during domain join.
> If you, as a member of 'SERVER\Administrators' choose to remove the
> Domain Admins is, of course, perfectly valid. As is making a domain
> user account member of the servers administrators group. Or removing
> from selected group. So in a sense one could say that
> 'DOMAIN\Administrator' is just another Windows/Unix user.
> When Samba is set up as a file and/or printserver, you have to make
> Unix aware of which domain user account/group that will have got
> extraordinary rights. As you write.
> Maybe one should change views and look at the Unix/Samba complex as a
> virtual host where one of its guests is a file server that owns its
> playground, the file system it shares. The guest, Samba, utilizes Unix
> for its purpose. In that case Samba is contained and
> 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain
> accounts and groups should have their uid-/gidNumber set.
# visudo -f /etc/sudoers.d/domain
# Members of the "domain admins" group may do about anything.
# And rightfully so.
%domain\x20admins ALL=(ALL:ALL) ALL
Apply liberally, where it is warranted.
But to the thoughts train, every user is just one user.
Mapping user to other user is creating a mess you don't want to solve
With best regards,
Sunday, April 19, 2015 01:11:07
Sorry for my terrible english...
More information about the samba