[Samba] samba users at boot, the same local and samba user bug has gone

Andrew Bartlett abartlet at samba.org
Mon May 22 21:21:19 UTC 2023


On Sun, 2023-05-14 at 21:32 +0200, Kees van Vloten via samba wrote:
> The uid + gid are the unique identifier of a user in Linux, the name is 
> only relevant for the translation of number (uid) to name.
> 
> I.e. a local-user == domain-user when uid + gid are identical.
> 
> My nsswitch.conf prefers local-users over domain-users:
> 
> passwd:         files systemd winbind
> group:          files systemd winbind
> shadow:         files
> gshadow:        files
> 
> But when I do "id <user>" on a user that exists locally and in the 
> domain I get the list of groups of both local + domain concatenated as 
> one long list.
> 
> Would it be viewed as two separate users that would not happen.
> 
> - Kees.

While correct in a sense, Samba does not always go via nss, it has
optimisations (rich data paths) direct to winbindd, and the check of
the nsswitch understanding of the user is mainly a nod to historical
behaviour, to try and ensure that we only provide service to users that
the administrator can see via nsswitch.  

For that reason, Samba is much more sensitive to names than you might
expect.  While we generally do idmap based lookups (more so since the
Nov 2021 security patches), this comment gives some context.  I wrote:

commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 12 16:10:31 2021 +1300


    CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the
    name based lookup fails
    
    Before the CVE-2020-25717 fixes we had a fallback from
    getpwnam('DOMAIN\user') to getpwnam('user') which was very
    dangerous and unpredictable.
    
    Now we do the fallback based on sid_to_uid() followed by
    getpwuid() on the returned uid.
    

My point is we do a name-based lookup first, and what 'fixed' this is
that we fallback to an ID based lookup second.  But to say that the
combination of Samba and Linux is insensitive to names is incorrect
(even as we reduce that sensitivity). 

I hope this provides some background here. 

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
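The following is an added illustration, not Samba code and not part of the thread: a small Python model of the two lookup orders the quoted commit message describes (name-based lookup, then either the old getpwnam('user') fallback or the current sid_to_uid() plus getpwuid() fallback), run against an nsswitch-style "files then winbind" order. The local account, the domain name, the SID, the uids and the idmap range are all constructed for the example, and the failure it exercises (winbind unable to resolve the DOMAIN\user name while the SID-to-uid mapping still works) is an assumption chosen to show why the name-based fallback was dangerous.

```python
"""Simplified model of Samba's user-lookup fallback before and after the
CVE-2020-25717 change. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    source: str  # "files" or "winbind", mirroring the nsswitch.conf order


# Constructed "files" database: a local account whose name collides with a
# domain account of the same name.
LOCAL_PASSWD = {
    "alice": PasswdEntry("alice", 1000, 1000, "files"),
}

# Constructed domain with a placeholder SID. The idmap model below maps the
# RID into a high range so domain uids never overlap local ones.
DOMAIN = "EXAMPLE"
DOMAIN_SID = "S-1-5-21-111-222-333"  # placeholder, not a real domain SID
DOMAIN_ACCOUNTS = {
    "alice": {"sid": f"{DOMAIN_SID}-1105", "gid": 3000513},
}
IDMAP_BASE = 3000000


def sid_to_uid(sid: str) -> Optional[int]:
    """Model of an idmap lookup: base + RID, only for SIDs in our domain."""
    prefix = DOMAIN_SID + "-"
    if not sid.startswith(prefix):
        return None
    return IDMAP_BASE + int(sid[len(prefix):])


def getpwnam(name: str, winbind_names_ok: bool) -> Optional[PasswdEntry]:
    """passwd: files winbind -- consult files first, then winbind.
    winbind only answers DOMAIN\\user names here, and only while its name
    lookup is working (winbind_names_ok models a failed name lookup)."""
    if name in LOCAL_PASSWD:
        return LOCAL_PASSWD[name]
    if winbind_names_ok and "\\" in name:
        dom, _, user = name.partition("\\")
        acct = DOMAIN_ACCOUNTS.get(user) if dom == DOMAIN else None
        if acct:
            return PasswdEntry(name, sid_to_uid(acct["sid"]), acct["gid"], "winbind")
    return None


def getpwuid(uid: int) -> Optional[PasswdEntry]:
    """uid-based lookup in the same files-then-winbind order."""
    for entry in LOCAL_PASSWD.values():
        if entry.uid == uid:
            return entry
    for user, acct in DOMAIN_ACCOUNTS.items():
        if sid_to_uid(acct["sid"]) == uid:
            return PasswdEntry(f"{DOMAIN}\\{user}", uid, acct["gid"], "winbind")
    return None


def lookup_pre_fix(domain: str, user: str, winbind_names_ok: bool) -> Optional[PasswdEntry]:
    """Order described as the pre-fix behaviour: getpwnam('DOMAIN\\user'),
    then fall back to getpwnam('user'). The fallback can land on an
    unrelated local account of the same name."""
    entry = getpwnam(f"{domain}\\{user}", winbind_names_ok)
    if entry is None:
        entry = getpwnam(user, winbind_names_ok)  # the dangerous fallback
    return entry


def lookup_post_fix(domain: str, user: str, sid: str, winbind_names_ok: bool) -> Optional[PasswdEntry]:
    """Order described as the fixed behaviour: getpwnam('DOMAIN\\user'),
    then sid_to_uid() followed by getpwuid() on the returned uid."""
    entry = getpwnam(f"{domain}\\{user}", winbind_names_ok)
    if entry is None:
        uid = sid_to_uid(sid)
        if uid is not None:
            entry = getpwuid(uid)
    return entry


if __name__ == "__main__":
    sid = DOMAIN_ACCOUNTS["alice"]["sid"]
    for ok in (True, False):
        print(f"winbind name lookup working={ok}:")
        print("  pre-fix :", lookup_pre_fix(DOMAIN, "alice", ok))
        print("  post-fix:", lookup_post_fix(DOMAIN, "alice", sid, ok))
```

With the name lookup working, both orders resolve EXAMPLE\alice to the winbind entry with uid 3001105. When the name lookup fails, the pre-fix order silently returns the local "alice" (uid 1000, source "files"), which is exactly the name-sensitivity the message warns about; the post-fix order goes through the SID and still returns the domain identity, and would return nothing at all rather than the wrong account if the SID could not be mapped.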



