samba - May 2009 - Surprising/Unexpected result after deleting and re-adding a user on our Samba domain

I don't want to call this a security problem. Since it isn't a code 
exploit, but, many people might have this problem.

The other day a user was removed from our SLES  samba-3.0.28-0.6 domain 
due to inactivity, but he still needed his account, so I recreated it. I 
didn't try to restore the LDAP data, so he got a new SID, etc. 

I was amazed to find that once his userid was created, he was already 
(still) in the groups that he had been in before.

It would be possible for you to delete a userid who is in Domain Admins, 
and then have someone else request that userid days or weeks later. That 
userid would probably be a member of the Domain Admins upon creation.

After digging into what happened, as a Linux admin, this makes sense to 
me, but as a Windows admin, this "blows me away". I had assumed that
SIDs
were used in most places, but with a LDAP backend, group membership is 
stored by name, not by SID.

In the smb.conf we are not using the smbldap-tools tools anymore and we 
have set:
 ldapsam:editposix = yes
 passdb backend = ldapsam:"ldap://127.0.0.1"

A solution to this problem might be for Samba to remove a user from all 
the groups before the account it deleted. (I will probably code this into 
our account cleanup scripts)

This also means renaming an ID would be more involved than I (given a 
windows background) had assumed. We don't do it, but I had assumed that an 
account  rename from usermanager would work.

thanks,
Bill Marshall

On Mon, 2009-05-18 at 15:12 -0500, William Marshall
wrote:
> I don't want to call this a security problem. Since it isn't a code
> exploit, but, many people might have this problem.
> 
> The other day a user was removed from our SLES  samba-3.0.28-0.6 domain 
> due to inactivity, but he still needed his account, so I recreated it. I 
> didn't try to restore the LDAP data, so he got a new SID, etc. 
> 
> I was amazed to find that once his userid was created, he was already 
> (still) in the groups that he had been in before.
> 
> It would be possible for you to delete a userid who is in Domain Admins, 
> and then have someone else request that userid days or weeks later. That 
> userid would probably be a member of the Domain Admins upon creation.
There is a good reason many security guides recommend never to reuse
userids or user/group uids :-)
> After digging into what happened, as a Linux admin, this makes sense to 
> me, but as a Windows admin, this "blows me away". I had assumed
that SIDs
> were used in most places, but with a LDAP backend, group membership is 
> stored by name, not by SID.
Unfortunately that's what rfc2307 provides, and even using rfc2307bis
wouldn't help as with the same userID you would come up with the same
DN.
> In the smb.conf we are not using the smbldap-tools tools anymore and we 
> have set:
>  ldapsam:editposix = yes
>  passdb backend = ldapsam:"ldap://127.0.0.1"
> 
> A solution to this problem might be for Samba to remove a user from all 
> the groups before the account it deleted. (I will probably code this into 
> our account cleanup scripts)
See below.
> This also means renaming an ID would be more involved than I (given a 
> windows background) had assumed. We don't do it, but I had assumed that
an
> account  rename from usermanager would work.
Yes, true, see: #6353 which is related, we need to enhance editposix to
handle group removals.

I will take this bug next w/e if nobody steps up before.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Principal Software Engineer at Red Hat, Inc. <simo@redhat.com>

Am Montag, 18. Mai 2009 22:12 schrieb William Marshall:
> I don't want to call this a security problem. Since it isn't a code
> exploit, but, many people might have this problem.
>
> The other day a user was removed from our SLES  samba-3.0.28-0.6
> domain due to inactivity, but he still needed his account, so I
> recreated it. I didn't try to restore the LDAP data, so he got a new
> SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain
> Admins, and then have someone else request that userid days or weeks
> later. That userid would probably be a member of the Domain Admins
> upon creation.
>
> After digging into what happened, as a Linux admin, this makes sense
> to me, but as a Windows admin, this "blows me away". I had
assumed
> that SIDs were used in most places, but with a LDAP backend, group
> membership is stored by name, not by SID.
And in openlap there is an other group model. If you use this, instead 
of posix and sids, then there may be a (easy) solution.

- use DN based group entries
- use the nss_schema switch in libnss-ldap.conf
- use the refint overlay in slapd.conf, see "man slapo-refint"

If you now rename or delete an account, the account-DN is modified or 
deleted in all groups.

> In the smb.conf we are not using the smbldap-tools tools anymore and
> we have set:
>  ldapsam:editposix = yes
>  passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from
> all the groups before the account it deleted. (I will probably code
> this into our account cleanup scripts)
>
> This also means renaming an ID would be more involved than I (given a
> windows background) had assumed. We don't do it, but I had assumed
> that an account  rename from usermanager would work.
>
> thanks,
> Bill Marshall
-- 

Gruss
	Harry Jede