Stang, Sharol
2007-Aug-10 16:41 UTC
[Samba] Samba and winbind with LDAP IDMAP backend - user connects with Domain Admin permissions
Hi, Please Help!

My normal users are able to gain access to all home directories even though the group owner is Domain Admins. I have set the permissions to 770 while testing and the group to Domain Admin on all directories. I have a Server2003 AD Domain with a clustered RHEL5 samba server for the home directory. I am using samba 3.0.23 with Winbind and LDAP idmap backend. This server is still in testing to replace a RH9 samba server.

Below I have listed the ID of three users. One is Domain Admin, the others are normal users. The logs show the users initially logging in with Domain Admins rights! (GID 5004) I tried creating another group called DADMIN and changing the ownership to that and had the same result! The user would connect initially as group DADMIN.

id w11350
uid=5213(w11350) gid=5004(Domain Admins) groups=5004(Domain Admins),5000(Domain Users),5117(BUILTIN\administrators),5118(BUILTIN\users)

ls -l |grep w11350
drwxrwx--- 14 w11350 Domain Admins 4096 Aug 9 12:52 w11350

id w11664
uid=5598(w11664) gid=5000(Domain Users) groups=5000(Domain Users,5118(BUILTIN\users)

ls -l |grep w11664
drwxrwx--- 3 w11664 Domain Admins 4096 Aug 8 15:31 w11664

/var/log/samba/24001wk001.log
24001wk001 (x.151.18.23) signed connect to service users initially as user w11664 (uid=5598, gid=5004) (pid 5802)

id w10828
uid=6007(w10828) gid=5000(Domain Users) groups=5000(Domain Users),5118(BUILTIN\users)

ls -l |grep w10828
drwxrwx--- 18 w10828 Domain Admins 4096 Jun 13 08:06 w10828

/var/log/samba/24001wk226.log
24001wk226 (x.151.19.7) signed connect to service users initially as user w10828 (uid=6007, gid=5004) (pid 23707)

I edited out the company names, but here is the smb.conf:

[global]
   workgroup = DOMAIN
   realm = COMPANY.COM
   netbios name = HSA-SMB
   server string = HSA-SMB
   interfaces = x.151.1.200
   bind interfaces only = Yes
   security = ADS
   client schannel = No
   password server = x.151.1.25 x.151.1.21
   username map = /etc/samba/smbusers
   log file = /var/log/samba/%m.log
   smb ports = 445
   name resolve order = host wins bcast
   server signing = auto
   client use spnego = Yes
   preferred master = No
   local master = No
   domain master = No
   ldap admin dn = CN=Manager,DC=company,DC=com
   ldap idmap suffix = ou=Idmap
   ldap suffix = DC=company,DC=com
   ldap ssl = no
   lock directory = /var/cache/samba/HSA-SMB
   pid directory = /var/run/samba/HSA-SMB
   idmap backend = ldap:ldap://x.151.1.102
   idmap uid = 5000-10000
   idmap gid = 5000-10000
   winbind cache time = 5
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind enum users = Yes
   winbind enum groups = Yes

[users]
   comment = user's home directory
   path = /mnt/cluster/home/users
   force group = "Domain Admins"
   create mask = 0770
   directory mask = 0770
   browseable = No
   read only = No

Thank you so much for your help!

-sharol
simo
2007-Aug-10 17:16 UTC
[Samba] Samba and winbind with LDAP IDMAP backend - user connects with Domain Admin permissions
On Fri, 2007-08-10 at 09:40 -0700, Stang, Sharol wrote:

> > [users]
> > comment = user's home directory
> > path = /mnt/cluster/home/users
> > force group = "Domain Admins"

So if you force _everybody_ to be "Domain Admins" why do you expect them not to be able to access something owned by "Domain Admins" ?

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
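An added audit script for the misconfiguration Simo points at (constructed example, not from this thread or the Samba project): it reads an smb.conf from a string and reports every share that sets force group, separating the unconditional form from the "+" form, which applies the group only to users who are already members. The sample configs are constructed from the [users] share in Sharol's post.

```shell
#!/bin/sh
# Constructed audit for smb.conf "force group" settings (not from the thread or
# the Samba project). "force group" replaces the primary GID of every user who
# connects to the share, which is why the logs above show gid=5004 for users
# whose "id" output lists gid=5000. A "+" prefix limits the forced group to
# users who are already members of it.

# Print one line per non-global section that sets force group:
#   <share>=forced:<group>        unconditional, every connecting user gets it
#   <share>=conditional:<group>   "+" form, only existing members get it
audit_force_group() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            section = s; next
        }
        section != "global" && /^[ \t]*force[ \t]+group[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/["]/, "", v)
            if (v ~ /^\+/) print section "=conditional:" substr(v, 2)
            else           print section "=forced:" v
        }'
}

# Constructed sample: the [users] share as posted (weak).
WEAK_CONF='[global]
   workgroup = DOMAIN
   security = ADS
[users]
   path = /mnt/cluster/home/users
   force group = "Domain Admins"
   create mask = 0770
   directory mask = 0770'

# Same share with the line removed: group checks now use each user's own
# primary group, so a 770 directory owned by Domain Admins stays closed to them.
FIXED_CONF='[global]
   workgroup = DOMAIN
   security = ADS
[users]
   path = /mnt/cluster/home/users
   create mask = 0770
   directory mask = 0770'

# Variant using the "+" form, reported separately so an admin can review it.
PLUS_CONF='[users]
   path = /mnt/cluster/home/users
   force group = +"Domain Admins"'

audit_force_group "$WEAK_CONF"    # users=forced:Domain Admins
audit_force_group "$FIXED_CONF"   # (no output)
audit_force_group "$PLUS_CONF"    # users=conditional:Domain Admins
```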