Molot
2005-Jul-01 08:26 UTC
[SAMBA] How to stop winbindd from granting UID=0? Security hole?
I have a domain controller on Windows 2003. On the client side, a standard installation of samba 3.0.1? with ldap, kerberos and winbindd. The setup should allow all users from the domain to log in to all of the client's services (console, ssh and so on) using their domain name and password. Ok, we have acquired this point.

It also should be possible to log in simply by writing "Login: MyDomainUsername", but while keeping the possibility to log on with only a local username. If the same name is in the domain and in local, it should be checked first in the domain, next in local (for the user to be able to log in even if the net is down). We acquired that too.

But now there is a real problem. There is a domain user root. If the domain is present, we can log in to the client by putting simply "root" as a username, and using the domain password. And we are actually getting uid 0, so we are real root, not just a dorm user with a funny-looking username.

Of course this behaviour is great for a normal (unprivileged) user account, but not for the root account. So, domain operators can have a root domain account and this way get root access to all linux boxes with this setup.

Does anyone know how I can stop it? I'll post configs if requested, but maybe it is just a simple problem...

--
---------------> Advocatus Diaboli - someone should do this job.
some kind of Molot some kind of monster ;)
jid:molot@mruk.net alt mailto:molot@mruk.net gg:4588787
--------------->
Adam Tauno Williams
2005-Jul-06 19:58 UTC
[SAMBA] How to stop winbindd from granting UID=0? Security hole?
> But now there is a real problem. There is a domain user root. If the
> domain is present, we can login to the client with putting simple
> "root" as a username, and using domain password. And we are actually
> getting uid 0, so we are real root, not just dorm user with
> funny-looking username.
> Of course this behaviour is great for normal (unprivileged) user
> account, but not for root account.
> So, domain operators can have root domain account and this way get
> root access to all linux boxes with this setup.
>
> Does anyone know how can I stop it?
> I'll post configs if requested, but maybe it is just a simple problem...

man slapd-access
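An added diagnostic for the symptom in the first post (not code from either poster): it flags a passwd lookup order that consults winbind before files, and lists domain user names that collide with a local uid-0 account. It assumes "winbind use default domain" is on, so domain names carry no DOMAIN\ prefix, and that the domain list is what "wbinfo -u" prints; the sample files are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: checks for the situation the
# original poster describes, a domain account whose short name collides
# with a local uid-0 account while NSS consults winbind before files.
# Assumes "winbind use default domain" is on (no DOMAIN\ prefix in names)
# and that the domain user list is what "wbinfo -u" prints. All sample
# files below are constructed.

# Print the names in a passwd-format file that map to uid 0.
local_uid0_names() {          # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1" | sort -u
}

# Print domain names (one per line in $2) that equal a local uid-0 name in $1.
privileged_collisions() {     # $1 = passwd file, $2 = domain user list
    awk -F: 'FILENAME == ARGV[1] { if ($3 == 0) priv[$1] = 1; next }
             ($1 in priv) { print $1 }' "$1" "$2" | sort -u
}

# Exit 0 when the passwd: line of nsswitch.conf lists winbind before files,
# i.e. a domain "root" is looked up ahead of the local one.
winbind_before_files() {      # $1 = nsswitch.conf
    awk '$1 == "passwd:" && !seen { seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files") break
                if ($i == "winbind") { bad = 1; break } } }
         END { exit (bad ? 0 : 1) }' "$1"
}

# Constructed samples mirroring the thread: domain first, domain user "root".
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: winbind files\n' > "$SAMPLE_DIR/nsswitch.conf"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
EOF
printf 'root\nalice\nbob\n' > "$SAMPLE_DIR/domain_users"

if winbind_before_files "$SAMPLE_DIR/nsswitch.conf"; then
    echo "passwd lookups consult winbind before files"
fi
echo "domain names colliding with a local uid-0 account:"
privileged_collisions "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/domain_users"
```

On a live box, point the functions at /etc/nsswitch.conf, /etc/passwd and the output of wbinfo -u instead of the sample files.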