[Samba] Possible Security Hole (Bug?)

Davor Vusir davortvusir at gmail.com
Sun Apr 19 04:39:40 MDT 2015

2015-04-19 9:46 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 19/04/15 06:53, Davor Vusir wrote:
>> Hi Andrey,
>> 2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
>>> Greetings, Davor Vusir!
>>>>> Hi, there are two separate points of view here, map 'Administrator' to
>>>>> the 'root' user, or give 'Administrator' a uidNumber. If you do the first
>>>>> then 'Administrator' can change directory settings on a Unix machine from
>>>>> windows (profiles dir, file share dirs etc) without any problem. If you give
>>>>> 'Administrator' a uidNumber, then (s)he becomes just another Unix user and
>>>>> will need to be given the rights to change ownership and mode of
>>>>> directories.
>>>> A design choice of Microsoft's is to make the AD-group 'DOMAIN\Domain
>>>> Admins' a member of the server's Administrators group during domain join.
>>>> If you, as a member of 'SERVER\Administrators', choose to remove the
>>>> Domain Admins, that is, of course, perfectly valid. As is making a domain
>>>> user account a member of the server's Administrators group. Or removing
>>>> it from a selected group. So in a sense one could say that
>>>> 'DOMAIN\Administrator' is just another Windows/Unix user.
>>>> When Samba is set up as a file and/or print server, you have to make
>>>> Unix aware of which domain user account/group will have
>>>> extraordinary rights. As you write.
>>>> Maybe one should change views and look at the Unix/Samba complex as a
>>>> virtual host where one of its guests is a file server that owns its
>>>> playground, the file system it shares. The guest, Samba, utilizes Unix
>>>> for its purpose. In that case Samba is contained and
>>>> 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain
>>>> accounts and groups should have their uid-/gidNumber set.
>>> # visudo -f /etc/sudoers.d/domain
>>> # Members of the "domain admins" group may do about anything.
>>> # And rightfully so.
>>> %domain\x20admins ALL=(ALL:ALL) ALL
>>> Apply liberally, where it is warranted.
>> If there is a need to grant selected domain users elevated rights on
>> the Linux host, in this case root privileges, this is one way of
>> doing it. Rowland mentioned another.
>>> But to the thoughts train, every user is just one user.
>>> Mapping user to other user is creating a mess you don't want to solve
>>> yourself.
>> Maybe so. I was merely trying to express a different view, where Samba
>> is somewhat self-contained and uses the Linux host as a vessel for its
>> purpose: file sharing for Windows. With that in mind, Rowland is right
>> when he says that the domain administrator account becomes an ordinary
>> Unix user on the Linux host. For Samba it's good enough.
>> Regards
>> Davor
> I was just pointing out that there are two ways of going about this, I did
> not give any preference for either. I can see good points in both ways,
> there are also bad points in both, so at the moment I am pretty much sitting
> on the fence.

Shortly after sending the mail I realized that I was speaking on your
behalf. That was not my intention. My apologies.


> The sysadmin must make a choice, but whichever is chosen, it must be used
> alone, you shouldn't mix them.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
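The two models discussed in this thread (mapping 'DOMAIN\Administrator' onto root via a 'username map', or giving the account an ordinary uidNumber) can be told apart from the host's configuration, and Rowland's "don't mix them" point can be turned into a check. The script below is an added example, not code from this thread or from the Samba project. It assumes the documented 'unixname = winname [winname ...]' layout of the username map file and a saved copy of `getent passwd` output; the function names, the 'DOMAIN' realm and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project).
# Reports which Administrator model a Samba member server is using:
#   root-map  : smb.conf 'username map' maps DOMAIN\Administrator onto root
#   uidnumber : Administrator resolves to an ordinary uid via idmap/winbind
#   mixed     : both at once, the state the thread says to avoid
#   none      : neither
# Assumptions: map file uses "unixname = winname [winname ...]"; $2 of
# admin_model is a file holding `getent passwd` output. Sample data below
# is constructed, not captured from a real server.

# Print the path given to 'username map' in an smb.conf, or nothing.
username_map_path() {
    sed -n 's/^[[:space:]]*username map[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Exit 0 if the map file has a "root = ... Administrator" line.
maps_admin_to_root() {
    grep -Eiq '^[[:space:]]*root[[:space:]]*=.*(^|[[:space:]]|\\)administrator([[:space:]]|$)' "$1"
}

# Exit 0 if the passwd listing has an Administrator entry with a numeric uid.
admin_has_uid() {
    grep -Eiq '^[^:]*administrator:[^:]*:[0-9]+:' "$1"
}

# Print the model in use. $1: smb.conf path, $2: saved `getent passwd` output.
admin_model() {
    mapf=$(username_map_path "$1")
    m=1; u=1
    [ -n "$mapf" ] && [ -r "$mapf" ] && maps_admin_to_root "$mapf" && m=0
    admin_has_uid "$2" && u=0
    if [ "$m" -eq 0 ] && [ "$u" -eq 0 ]; then echo mixed
    elif [ "$m" -eq 0 ]; then echo root-map
    elif [ "$u" -eq 0 ]; then echo uidnumber
    else echo none
    fi
}

# Constructed sample inputs written into directory $1:
# a username map sending Administrator to root AND an idmap-assigned uid,
# i.e. the mixed state.
write_samples() {
    printf '[global]\n   security = ads\n   username map = %s/user.map\n' "$1" > "$1/smb.conf"
    printf '# unix = windows\nroot = DOMAIN\\Administrator\n' > "$1/user.map"
    printf 'DOMAIN\\administrator:*:10000:10000::/home/DOMAIN/administrator:/bin/false\n' > "$1/getent.passwd"
}

# Stand-alone usage: build the samples and report the model.
d=$(mktemp -d)
write_samples "$d"
echo "constructed sample: $(admin_model "$d/smb.conf" "$d/getent.passwd")"
rm -rf "$d"
```

On a real member server the same functions would be pointed at /etc/samba/smb.conf and at the output of `getent passwd` (or `wbinfo -i` for one account); a result of "mixed" means both models are active and one of them should be removed.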
