There is a Samba compiled without winbind support, with the following options configured:

    workgroup = MYDOMAIN
    security = domain
    allow trusted domains = yes
    add user script = /usr/sbin/pw useradd %u -m -Y -M 755

When a Windows user MYDOMAIN\john connects to the Samba server, he is mapped to the Unix user john. If there is no Unix user "john", it is created by the add user script.

How will the users OTHERDOMAIN\otheruser and especially OTHERDOMAIN\john be mapped/created?

If OTHERDOMAIN\john is mapped to the same Unix user as MYDOMAIN\john, it's a big security hole.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
As written in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html:

"Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming network traffic. This is done using the LoginID (account name) in the session setup request and passing it to the getpwnam() system function call. This call is implemented using the name service switch (NSS) mechanism on modern UNIX/Linux systems. By saying "users and groups are local," we are implying that they are stored only on the local system, in the /etc/passwd and /etc/group respectively.

For example, when the user BERYLIUM\WambatW tries to open a connection to a Samba server the incoming SessionSetupAndX request will make a system call to look up the user WambatW in the /etc/passwd file."

My question: if BERYLIUM trusts ANOTHERDOMAIN, and ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server, what user will be looked up in /etc/passwd?

Victor Sudakov wrote:
> There is a Samba compiled without winbind support, with the following
> options configured:
>
> workgroup = MYDOMAIN
> security = domain
> allow trusted domains = yes
> add user script = /usr/sbin/pw useradd %u -m -Y -M 755
>
> When a Windows user MYDOMAIN\john connects to the Samba server, he is
> mapped to the Unix user john. If there is no Unix user "john", it is
> created by the add user script.
>
> How will the users OTHERDOMAIN\otheruser and especially
> OTHERDOMAIN\john be mapped/created?
>
> If OTHERDOMAIN\john is mapped to the same Unix user as MYDOMAIN\john,
> it's a big security hole.
Victor Sudakov wrote:
> My question: if BERYLIUM trusts ANOTHERDOMAIN, and
> ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
> what user will be looked up in /etc/passwd?

If nobody knows the answer, please tell me at least what log I can study to figure out which Windows user is mapped to which Unix user by smbd?

Eventually, I would like to map all users from trusted domains to the guest account; is that possible?
On Mon, 2012-02-27 at 14:07 +0700, Victor Sudakov wrote:
> As written in http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> "Where winbindd is not used Samba (smbd) uses the underlying
> UNIX/Linux mechanisms to resolve the identity of incoming network
> traffic. This is done using the LoginID (account name) in the session
> setup request and passing it to the getpwnam() system function call.
> This call is implemented using the name service switch (NSS) mechanism
> on modern UNIX/Linux systems. By saying "users and groups are local,"
> we are implying that they are stored only on the local system, in the
> /etc/passwd and /etc/group respectively.
>
> For example, when the user BERYLIUM\WambatW tries to open a connection
> to a Samba server the incoming SessionSetupAndX request will make a
> system call to look up the user WambatW in the /etc/passwd file."
>
> My question: if BERYLIUM trusts ANOTHERDOMAIN, and
> ANOTHERDOMAIN\WambatW tries to open a connection to my Samba server,
> what user will be looked up in /etc/passwd?

It should be: ANOTHERDOMAIN\WambatW

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
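An added audit check for the collision Victor is worried about; this is not code from the thread or from the Samba project. It mirrors the lookup described above (smbd without winbindd hands the session-setup account name to getpwnam()) and reports any session names that resolve to the same uid. The `CONSTRUCTED_PASSWD` table is a made-up example of the bad case (domain prefix stripped somewhere in the mapping chain); against a real server, call `find_collisions()` without the `lookup` argument so it queries the live NSS database.

```python
import pwd
from collections import defaultdict

# Constructed lookup table standing in for getpwnam() results on a server
# where some mapping step stripped the domain prefix. Not data from the thread.
CONSTRUCTED_PASSWD = {
    "john": 1001,
    r"MYDOMAIN\john": 1001,     # hypothetical: prefix stripped, same uid
    r"OTHERDOMAIN\john": 1001,  # hypothetical: same uid -> collision
    r"OTHERDOMAIN\otheruser": 1002,
}


def resolve_uid(name, lookup=None):
    """Return the uid getpwnam(name) resolves to, or None if unknown.

    `lookup` may be a dict (offline testing); otherwise the real NSS
    database is queried, exactly as smbd does without winbindd.
    """
    if lookup is not None:
        return lookup.get(name)
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def find_collisions(session_names, lookup=None):
    """Group session-setup account names that land on the same Unix uid.

    Returns {uid: [names...]} for every uid reached by more than one name.
    Any entry means two Windows identities (e.g. MYDOMAIN\\john and
    OTHERDOMAIN\\john) share one Unix identity and hence one set of
    file permissions, which is the hole the thread asks about.
    """
    by_uid = defaultdict(list)
    for name in dict.fromkeys(session_names):  # de-duplicate, keep order
        uid = resolve_uid(name, lookup)
        if uid is not None:
            by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    names = ["john", r"MYDOMAIN\john", r"OTHERDOMAIN\john",
             r"OTHERDOMAIN\otheruser"]
    for uid, shared in find_collisions(names, CONSTRUCTED_PASSWD).items():
        print(f"uid {uid} is shared by: {', '.join(shared)}")
```

Run it on the Samba host with the real account names you expect from each trusted domain; an empty result means every domain-qualified name either resolves to its own uid or does not resolve at all.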