[Samba] Possible Security Hole (Bug?)

Davor Vusir davortvusir at gmail.com
Sat Apr 18 23:53:34 MDT 2015


Hi Andrey,

2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
> Greetings, Davor Vusir!
>
>>> Hi, there are two separate points of view here, map 'Administrator' to the
>>> 'root' user, or give 'Administrator' a uidNumber. If you do the first then
>>> 'Administrator' can change directory settings on a Unix machine from windows
>>> (profiles dir, file share dirs etc) without any problem. If you give
>>> 'Administrator' a uidNumber, then (s)he becomes just another Unix user and
>>> will need to be given the rights to change ownership and mode of
>>> directories.
>>>
>
>> A design choice of Microsofts is to make the AD-group 'DOMAIN\Domain
>> Admins' member of the servers Administrators group during domain join.
>> If you, as a member of 'SERVER\Administrators' choose to remove the
>> Domain Admins is, of course, perfectly valid. As is making a domain
>> user account member of the servers administrators group. Or removing
>> from selected group. So in a sense one could say that
>> 'DOMAIN\Administrator' is just another Windows/Unix user.
>
>> When Samba is set up as a file and/or printserver, you have to make
>> Unix aware of which domain user account/group that will have got
>> extraordinary rights. As you write.
>
>> Maybe one should change views and look at the Unix/Samba complex as a
>> virtual host where one of its guests is a file server that owns its
>> playground, the file system it shares. The guest, Samba, utilizes Unix
>> for its purpose. In that case Samba is contained and
>> 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain
>> accounts and groups should have their uid-/gidNumber set.
>
> # visudo -f /etc/sudoers.d/domain
> # Members of the "domain admins" group may do about anything.
> # And rightfully so.
> %domain\x20admins ALL=(ALL:ALL) ALL
>
> Apply liberally, where it is warranted.
>

If there is a need to grant selected domain users elevated rights on
the Linux host. In this case root privilieges. This is one way of
doing it. Rowland mentioned another.

> But to the thoughts train, every user is just one user.
> Mapping user to other user is creating a mess you don't want to solve
> yourself.
>

Maybe so. I was merely trying to express a different view. Where Samba
is somewhat selfcontained and uses the Linuxhost as a vessel for its
purpose; file sharing for Windows. With that in mind, Rowland is right
when he sais that the domain adminstrator account becomes an ordinary
Unix user on the Linux host. For Samba its good enough.

Regards
Davor

>
> --
> With best regards,
> Andrey Repin
> Sunday, April 19, 2015 01:11:07
>
> Sorry for my terrible english...
>


More information about the samba mailing list