[Samba] Possible Security Hole (Bug?)
david_willis at comcast.net
Mon May 4 16:13:48 MDT 2015
Thank you Rowland and everyone else for your responses.
I now understand the two options here - it appears that I have been
implementing the first one since I had previously assigned UID to
DOM\administrator via RFC2307.
I have narrowed down the issue a little bit to exactly what it is that I
still do not understand.
Since I have assigned the UID to the domain admin account, this account is
seen as a normal account on a Linux box, until it is added to certain local
groups to grant it rights (i.e. "sudo" group). This is the method I have
been using and it has been working fine - wbinfo and id both output the
correct groups for the "administrator" account along with the correct
relevant UID and GIDs.
The problem appears to occur when I run a "robocopy" operation from one of
my Windows DCs (running Server 2008R2) to replicate the SYSVOL share to the
Linux DC. I wanted to set this up as a recurring batch job from the Windows
side so that the ACLs and ownership would be properly replicated along with
the SYSVOL contents. However, after running the robocopy operation (which
does correctly copy the SYSVOL contents along with ACLs and ownership), if I
go back to the Linux box and run an "id administrator", I get this for
uid=0(root) gid=10000(domain users)
lpadmin),116(sambashare),1100(pwrusr),10000(domain users),10005(group policy
creator owners),10003(enterprise admins),10001(domain admins),10004(schema
admins),10010(sshusers),10008(vmadmins),3000006(denied rodc password
Notice that the UID for the account is now listed as "0" (whereas it should
be "10000", which is the UID I assigned via RFC2307 - and this is what is
normally reported via this command when no "robocopy" operation has been
run). It can be fixed with a "net cache flush", but it makes me wonder why
running this operation to copy the files over would affect the way the Linux
box sees the UID of the "administrator" account?
Thank you much for all the responses and help!
Also two side questions, if anyone happens to have an answer:
1. Should I also be assigning RFC2307 attributes to "BUILTIN" groups
(such as "BUILTIN\Users" and "BUILTIN\Administrators"), or let these groups'
GIDs be automatically allocated via idmap.ldb?
2. To get the "robocopy" operation to run properly I need to add the
account that the batch job runs under to the "Domain Admins" group. It does
not run properly when the account is simply added to the "Backup Operators"
BUILTIN group, although it should (it appears that Samba is not honoring the
"backup operator" right that is supposed to be granted to accounts in this
BUILTIN group - i.e. they should be allowed to run copy operations in
"backup" mode to any DC in the domain). Is there some better way that I
should be doing this, or is this something that is not implemented yet?
E-Mail: <mailto:david_willis at comcast.net> david_willis at comcast.net
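The uid=0 symptom described in the post is easy to miss until something runs as root by accident. As an added example (not part of the original message or of Samba itself), the following shell snippet parses the output of "id" for a domain account, compares the reported uid with the RFC2307 value the admin assigned, and applies the "net cache flush" workaround from the post when the mapping has collapsed. The account name "administrator" and the expected uid 10000 are taken from the post; the function names are assumptions.

```shell
# Added example, not from the original post.
# Assumed: the domain account is "administrator", its assigned RFC2307 uid is 10000.

# check_uid ID_OUTPUT EXPECTED_UID
# ID_OUTPUT is the text printed by "id <user>", e.g.
#   "uid=0(root) gid=10000(domain users) groups=10000(domain users),..."
# Returns 0 if the uid field equals EXPECTED_UID, 1 otherwise (e.g. when the
# winbind cache reports the account as uid 0).
check_uid() {
    id_output=$1
    expected=$2
    actual=${id_output#uid=}      # strip leading "uid="
    actual=${actual%%(*}          # keep only the number before "(name)"
    [ "$actual" = "$expected" ]
}

# verify_mapping USER EXPECTED_UID
# Runs "id USER" on the Linux DC. If the uid is wrong, warn, flush the
# winbind cache (the workaround from the post) and re-check.
# Return codes: 0 = mapping correct, 1 = still wrong after flush, 2 = id failed.
verify_mapping() {
    user=$1
    expected=$2
    out=$(id "$user" 2>/dev/null) || { echo "id $user failed" >&2; return 2; }
    if check_uid "$out" "$expected"; then
        return 0
    fi
    reported=$(printf '%s\n' "$out" | cut -d' ' -f1)
    echo "WARNING: $user reported as $reported, expected uid=$expected; flushing cache" >&2
    net cache flush >/dev/null 2>&1 || echo "net cache flush failed" >&2
    out=$(id "$user" 2>/dev/null) || return 2
    check_uid "$out" "$expected"
}

# Example invocation (must run as root for "net cache flush" to work):
#   verify_mapping administrator 10000
```

Running verify_mapping from cron after each scheduled robocopy job gives an early warning if the mapping has changed, and the exit code can feed a monitoring check.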