[Samba] Possible Security Hole (Bug?)
Andrey Repin
anrdaemon at yandex.ru
Sat Apr 18 16:12:56 MDT 2015
Greetings, Davor Vusir!
>> Hi, there are two separate points of view here, map 'Administrator' to the
>> 'root' user, or give 'Administrator' a uidNumber. If you do the first then
>> 'Administrator' can change directory settings on a Unix machine from windows
>> (profiles dir, file share dirs etc) without any problem. If you give
>> 'Administrator' a uidNumber, then (s)he becomes just another Unix user and
>> will need to be given the rights to change ownership and mode of
>> directories.
>>
> A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain
> Admins' a member of the server's Administrators group during domain join.
> If you, as a member of 'SERVER\Administrators', choose to remove the
> Domain Admins, that is, of course, perfectly valid. As is making a domain
> user account a member of the server's Administrators group. Or removing
> it from a selected group. So in a sense one could say that
> 'DOMAIN\Administrator' is just another Windows/Unix user.
> When Samba is set up as a file and/or print server, you have to make
> Unix aware of which domain user account/group will have got
> extraordinary rights. As you write.
> Maybe one should change views and look at the Unix/Samba complex as a
> virtual host where one of its guests is a file server that owns its
> playground, the file system it shares. The guest, Samba, utilizes Unix
> for its purpose. In that case Samba is contained and
> 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain
> accounts and groups should have their uid-/gidNumber set.
# visudo -f /etc/sudoers.d/domain
# Members of the "domain admins" group may do about anything.
# And rightfully so.
%domain\x20admins ALL=(ALL:ALL) ALL
Apply liberally, where it is warranted.
But to the train of thought: every user is just one user.
Mapping one user to another user creates a mess you don't want to have to
solve yourself.
--
With best regards,
Andrey Repin
Sunday, April 19, 2015 01:11:07
Sorry for my terrible English...
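As an added example (not code from the post, and not part of Samba or sudo), here is a POSIX sh script that turns the sudoers drop-in above into a checked install step: it escapes the group name the way the post does (\x20 for the space), refuses drop-in file names that sudo silently ignores, warns if the group does not yet resolve through NSS, and keeps the file only if visudo accepts it. The drop-in path and the group name are illustrative; visudo and getent are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Installs a sudoers drop-in for an AD group with the checks an admin
# would want before it takes effect. Paths and names are assumptions.

# Print a sudoers line granting the group full sudo, with spaces written
# as \x20 (the escape used in the post's own entry).
sudoers_group_entry() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\x20/g')
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$escaped"
}

# sudoers skips files under /etc/sudoers.d whose name contains a '.' or
# ends in '~', so "domain.conf" would silently do nothing. 0 = usable name.
valid_dropin_name() {
    name=${1##*/}
    case $name in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Does NSS (winbind or sssd via nsswitch.conf) resolve the group right now?
# If not, the entry is harmless but useless until name resolution works.
check_group() {
    getent group "$1" >/dev/null 2>&1
}

# Write the drop-in, then validate it with visudo. A file that fails the
# syntax check is removed rather than left in place, because a parse error
# in an included file can stop sudo from working for everyone.
install_sudoers_dropin() {
    group=$1
    file=$2
    valid_dropin_name "$file" || { echo "sudo would ignore $file" >&2; return 1; }
    check_group "$group" || echo "warning: '$group' does not resolve via NSS yet" >&2
    umask 077
    sudoers_group_entry "$group" > "$file" || return 1
    if visudo -c -f "$file" >/dev/null 2>&1; then
        chmod 0440 "$file"
        return 0
    fi
    rm -f "$file"
    echo "visudo rejected $file; not installed" >&2
    return 1
}

# Usage (as root): install_sudoers_dropin 'domain admins' /etc/sudoers.d/domain
```

The check_group warning is deliberately non-fatal: on a freshly joined member server the group often resolves only once winbind or sssd is running, and the sudoers entry itself is fine either way. The visudo check is what matters; a typo in a drop-in is discovered at the next sudo invocation otherwise, which is the wrong time to find out.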