[Samba] Possible Security Hole (Bug?)

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 19 01:46:21 MDT 2015


On 19/04/15 06:53, Davor Vusir wrote:
> Hi Andrey,
>
> 2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
>> Greetings, Davor Vusir!
>>
>>>> Hi, there are two separate points of view here, map 'Administrator' to the
>>>> 'root' user, or give 'Administrator' a uidNumber. If you do the first then
>>>> 'Administrator' can change directory settings on a Unix machine from windows
>>>> (profiles dir, file share dirs etc) without any problem. If you give
>>>> 'Administrator' a uidNumber, then (s)he becomes just another Unix user and
>>>> will need to be given the rights to change ownership and mode of
>>>> directories.
>>>>
>>> A design choice of Microsoft's is to make the AD-group 'DOMAIN\Domain
>>> Admins' member of the server's Administrators group during domain join.
>>> If you, as a member of 'SERVER\Administrators' choose to remove the
>>> Domain Admins is, of course, perfectly valid. As is making a domain
>>> user account member of the server's administrators group. Or removing
>>> from selected group. So in a sense one could say that
>>> 'DOMAIN\Administrator' is just another Windows/Unix user.
>>> When Samba is set up as a file and/or printserver, you have to make
>>> Unix aware of which domain user account/group that will have got
>>> extraordinary rights. As you write.
>>> Maybe one should change views and look at the Unix/Samba complex as a
>>> virtual host where one of its guests is a file server that owns its
>>> playground, the file system it shares. The guest, Samba, utilizes Unix
>>> for its purpose. In that case Samba is contained and
>>> 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain
>>> accounts and groups should have their uid-/gidNumber set.
>> # visudo -f /etc/sudoers.d/domain
>> # Members of the "domain admins" group may do about anything.
>> # And rightfully so.
>> %domain\x20admins ALL=(ALL:ALL) ALL
>>
>> Apply liberally, where it is warranted.
>>
> If there is a need to grant selected domain users elevated rights on
> the Linux host. In this case root privileges. This is one way of
> doing it. Rowland mentioned another.
>
>> But to the thoughts train, every user is just one user.
>> Mapping user to other user is creating a mess you don't want to solve
>> yourself.
>>
> Maybe so. I was merely trying to express a different view. Where Samba
> is somewhat self-contained and uses the Linux host as a vessel for its
> purpose; file sharing for Windows. With that in mind, Rowland is right
> when he says that the domain administrator account becomes an ordinary
> Unix user on the Linux host. For Samba it's good enough.
>
> Regards
> Davor
>

I was just pointing out that there are two ways of going about this, I
did not give any preference for either. I can see good points in both
ways, there are also bad points in both, so at the moment I am pretty
much sitting on the fence.

The sysadmin must make a choice, but whichever is chosen, must be used
alone, you shouldn't mix them.

Rowland
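
The point that the two approaches should not be mixed can be checked mechanically. The following is an added example, not part of the original thread: it parses a file in the format of Samba's `username map` option and flags accounts that are both mapped to a Unix user and assigned a uidNumber. The domain name SAMDOM, the map contents and the uidNumber values are constructed for illustration.

```python
import re

# Constructed sample of a Samba "username map" file (assumed, not from the thread).
SAMPLE_USER_MAP = """\
# Approach 1: map the domain administrator to root
!root = SAMDOM\\Administrator "SAMDOM\\Domain Operator"
"""

# Constructed sample: AD accounts that also carry a uidNumber (approach 2).
SAMPLE_UIDNUMBERS = {"SAMDOM\\administrator": 10500, "SAMDOM\\alice": 10001}


def parse_username_map(text):
    """Return {client name (lower-cased): unix name}.

    Simplified: keeps the first mapping seen for each client name and does
    not expand wildcards or @group entries.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        # A leading '!' means "stop at this line on a match"; irrelevant here.
        line = line.lstrip("!").strip()
        unix_name, sep, clients = line.partition("=")
        if not sep:
            continue
        # Client names may be double-quoted when they contain spaces.
        for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', clients):
            mapping.setdefault((quoted or bare).lower(), unix_name.strip())
    return mapping


def find_mixed(mapping, uidnumbers):
    """Accounts that are both mapped to a Unix user and given a uidNumber."""
    return sorted(
        (account, mapping[account.lower()], uid)
        for account, uid in uidnumbers.items()
        if account.lower() in mapping      # Windows names compare case-insensitively
    )


if __name__ == "__main__":
    for account, unix_name, uid in find_mixed(
        parse_username_map(SAMPLE_USER_MAP), SAMPLE_UIDNUMBERS
    ):
        print(f"{account}: mapped to {unix_name} AND has uidNumber {uid}")
```
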



