r.barclay at habmalnefrage.de
2022-May-27 21:12 UTC
[Samba] DOMAIN\Administrator mapped to root vs. CVE-2020-25717 fix including "min domain uid" = 1000
Hi,
I run a small Linux based network that uses Samba for login (AD) and SMB file
sharing.
There are only 2 Windows machines:
1) A virtual machine running Windows 10 Pro that I only use to administer shares
and permissions with a GUI.
2) A sparely used Windows notebook
Recently I nedded to set some new permissions. Happens once in a few months.
So I logged into the Windows 10 machine as DOMAIN\Administrator. That worked
fine.
But sadly I couldn't access my fileserver. Windows wouldn't show its
shares. And If I directly navigate to a share
("\\fileserver.ad.mydom.intranet\myshare"), it would show error
0x80004005.
After some hours I figured out the reason:
The DOMAIN\Administrator is mapped to root on the domain controller:
!root = DOMAIN\Administrator
The fileserver log shows:
make_server_info_info3: Username 'DOMAIN\Administrator' is invalid on
this system, it does not meet 'min domain uid' restriction (0 <
1000): NT_STATUS_INVALID_TOKEN
This made me find out about the fix for CVE-2020-25717:
https://www.samba.org/samba/security/CVE-2020-25717.html
It introduced a setting "min domain uid", which is 1000 by default. So
it excluded my Administrator being mapped to root.
If I add
min domain uid = 0
to the smb.conf of the fileserver, everything works fine again. :)
So I could manage the permissions and finish work. :)
But... This change was probably introduced for good reasons. And I worked around
it. What do you think?
Did I open up a horrible security hole?
What are the implications?
Should "DOMAIN\Administrator" actually never be mapped to root?
As far as I remember the set up years ago, some things didn't work without
that.
Thanks in advance for your advice!
Reginald
PS: I'd love to get rid of Windows entirely in this network. Is there a
smooth Linux console only way to administer share and folder permissions for
groups and users without the Windows GUI nowadays?
Andrew Bartlett
2022-May-27 21:54 UTC
[Samba] DOMAIN\Administrator mapped to root vs. CVE-2020-25717 fix including "min domain uid" = 1000
On Fri, 2022-05-27 at 23:12 +0200, Reginald via samba wrote:> Hi, > > I run a small Linux based network that uses Samba for login (AD) and SMB file sharing.You are fine. I may write more next week, but don't stress. Andrew, -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Björn JACKE
2022-Jun-04 16:31 UTC
[Samba] DOMAIN\Administrator mapped to root vs. CVE-2020-25717 fix including "min domain uid" = 1000
On 2022-05-27 at 23:12 +0200 Reginald via samba sent off:> If I add > min domain uid = 0 > to the smb.conf of the fileserver, everything works fine again. :) > > So I could manage the permissions and finish work. :) > > But... This change was probably introduced for good reasons. And I worked around it. What do you think? > Did I open up a horrible security hole? > What are the implications? > Should "DOMAIN\Administrator" actually never be mapped to root?this reminds me of that old bug report https://bugzilla.samba.org/show_bug.cgi?id=9837 I still have hope that Andrew will remove his veto on the change so that we can finally get this properly by default for future setups. Bj?rn