William Marshall
2009-May-18 20:12 UTC
[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain
I don't want to call this a security problem, since it isn't a code exploit, but many people might have this problem.

The other day a user was removed from our SLES samba-3.0.28-0.6 domain due to inactivity, but he still needed his account, so I recreated it. I didn't try to restore the LDAP data, so he got a new SID, etc.

I was amazed to find that once his userid was created, he was already (still) in the groups that he had been in before.

It would be possible for you to delete a userid who is in Domain Admins, and then have someone else request that userid days or weeks later. That userid would probably be a member of the Domain Admins upon creation.

After digging into what happened, as a Linux admin, this makes sense to me, but as a Windows admin, this "blows me away". I had assumed that SIDs were used in most places, but with an LDAP backend, group membership is stored by name, not by SID.

In the smb.conf we are not using the smbldap-tools tools anymore and we have set:

    ldapsam:editposix = yes
    passdb backend = ldapsam:"ldap://127.0.0.1"

A solution to this problem might be for Samba to remove a user from all the groups before the account is deleted. (I will probably code this into our account cleanup scripts.)

This also means renaming an ID would be more involved than I (given a Windows background) had assumed. We don't do it, but I had assumed that an account rename from usermanager would work.

thanks,
Bill Marshall
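The behaviour Bill describes, and the cleanup step he proposes for his account scripts, as an added example (this is not code from the original post, from Samba or from smbldap-tools). It parses a constructed LDIF dump of the kind `ldapsearch -LLL` returns, shows that an RFC 2307 posixGroup keeps the name in `memberUid` after the account entry is gone, and generates the `ldapmodify` input that strips the uid from every group before the account is removed. The base DN `dc=example,dc=com`, the group names, the SIDs and the uid `bmarshall` are all assumptions.

```python
"""Added example, not from the original thread or from Samba.

Demonstrates why deleting and re-creating a posixAccount leaves the user
in the same posixGroups (membership is stored by uid name, not by SID),
and builds the ldapmodify LDIF that removes the name from every group
before the account entry is deleted. All DNs, names and SIDs below are
constructed sample data.
"""
import re

# Constructed sample dump (assumed base DN dc=example,dc=com).
SAMPLE_LDIF = """\
dn: uid=bmarshall,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bmarshall
sambaSID: S-1-5-21-1111-2222-3333-1002

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-1111-2222-3333-512
memberUid: root
memberUid: bmarshall

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
memberUid: bmarshall
memberUid: alice

dn: cn=finance,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: finance
memberUid: alice
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}.

    Handles only the plain 'attr: value' form (no '::' base64 values and
    no folded continuation lines), which is enough for this dump."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def groups_listing_uid(entries, uid):
    """DNs of posixGroup entries whose memberUid still names `uid`."""
    return sorted(dn for dn, a in entries.items()
                  if "posixGroup" in a.get("objectClass", [])
                  and uid in a.get("memberUid", []))


def delete_account_naively(entries, uid, people="ou=People,dc=example,dc=com"):
    """Drop the account entry and touch no group, as in the original post.

    Returns the new directory plus the groups that still reference the
    name; a re-created 'uid=<uid>' entry matches those immediately."""
    entries = {dn: dict(a) for dn, a in entries.items()}
    entries.pop(f"uid={uid},{people}", None)
    return entries, groups_listing_uid(entries, uid)


def membership_removal_ldif(entries, uid):
    """ldapmodify input: one modify record per group that lists `uid`."""
    records = [f"dn: {dn}\nchangetype: modify\ndelete: memberUid\n"
               f"memberUid: {uid}\n-\n"
               for dn in groups_listing_uid(entries, uid)]
    return "\n".join(records)


def apply_removal(entries, uid):
    """Apply the same change in memory so the result can be checked."""
    entries = {dn: dict(a) for dn, a in entries.items()}
    for dn in groups_listing_uid(entries, uid):
        entries[dn]["memberUid"] = [m for m in entries[dn]["memberUid"] if m != uid]
    return entries


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    _, stale = delete_account_naively(directory, "bmarshall")
    print("still a member of:", stale)
    print(membership_removal_ldif(directory, "bmarshall"))
```

In practice the generated records would be fed to `ldapmodify -x -D <admin DN> -W` before the account entry is deleted. The same name-based linkage is why a plain rename of the `uid` attribute leaves the old name in every `memberUid` list, as the last paragraph of the post anticipates.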
simo
2009-May-18 20:18 UTC
[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain
On Mon, 2009-05-18 at 15:12 -0500, William Marshall wrote:
> I don't want to call this a security problem. Since it isn't a code
> exploit, but, many people might have this problem.
>
> The other day a user was removed from our SLES samba-3.0.28-0.6 domain
> due to inactivity, but he still needed his account, so I recreated it. I
> didn't try to restore the LDAP data, so he got a new SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain Admins,
> and then have someone else request that userid days or weeks later. That
> userid would probably be a member of the Domain Admins upon creation.

There is a good reason many security guides recommend never to reuse userids or user/group uids :-)

> After digging into what happened, as a Linux admin, this makes sense to
> me, but as a Windows admin, this "blows me away". I had assumed that SIDs
> were used in most places, but with a LDAP backend, group membership is
> stored by name, not by SID.

Unfortunately that's what rfc2307 provides, and even using rfc2307bis wouldn't help as with the same userID you would come up with the same DN.

> In the smb.conf we are not using the smbldap-tools tools anymore and we
> have set:
> ldapsam:editposix = yes
> passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from all
> the groups before the account it deleted. (I will probably code this into
> our account cleanup scripts)

See below.

> This also means renaming an ID would be more involved than I (given a
> windows background) had assumed. We don't do it, but I had assumed that an
> account rename from usermanager would work.

Yes, true, see: #6353 which is related, we need to enhance editposix to handle group removals. I will take this bug next w/e if nobody steps up before.

Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Principal Software Engineer at Red Hat, Inc. <simo@redhat.com>
Harry Jede
2009-May-18 21:29 UTC
[Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain
On Monday, 18 May 2009 22:12, William Marshall wrote:
> I don't want to call this a security problem. Since it isn't a code
> exploit, but, many people might have this problem.
>
> The other day a user was removed from our SLES samba-3.0.28-0.6
> domain due to inactivity, but he still needed his account, so I
> recreated it. I didn't try to restore the LDAP data, so he got a new
> SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain
> Admins, and then have someone else request that userid days or weeks
> later. That userid would probably be a member of the Domain Admins
> upon creation.
>
> After digging into what happened, as a Linux admin, this makes sense
> to me, but as a Windows admin, this "blows me away". I had assumed
> that SIDs were used in most places, but with a LDAP backend, group
> membership is stored by name, not by SID.

And in OpenLDAP there is another group model. If you use this, instead of posix and sids, then there may be an (easy) solution.

- use DN based group entries
- use the nss_schema switch in libnss-ldap.conf
- use the refint overlay in slapd.conf, see "man slapo-refint"

If you now rename or delete an account, the account-DN is modified or deleted in all groups.

> In the smb.conf we are not using the smbldap-tools tools anymore and
> we have set:
> ldapsam:editposix = yes
> passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from
> all the groups before the account it deleted. (I will probably code
> this into our account cleanup scripts)
>
> This also means renaming an ID would be more involved than I (given a
> windows background) had assumed. We don't do it, but I had assumed
> that an account rename from usermanager would work.
>
> thanks,
> Bill Marshall

--
Regards,
Harry Jede