2015-04-17 10:01 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 16/04/15 19:26, David Willis wrote:
>>
>> Thank you for the reply.
>>
>> Forgive me if I am not understanding correctly, but..
>>
>> I have heard conflicting reports about whether or not to assign UID to DOM\administrator, even from threads read on these lists :)
>>
>> However, are DOM\administrator and local "root" not two separate accounts...? One domain admin, one "local" root/admin. So why then would winbind/samba see them as the "same" account...
>>
>> Especially because even if UID is not assigned to DOM\administrator, it will still be assigned an arbitrary UID from the 3000000-4000000 range via idmap.ldb, no? So either way it's going to have a UID assigned... But thru idmap.ldb this may not be consistent between samba DCs as per the Samba wiki... Which brings me back to why I assigned a UID via RFC2307 :)
>>
>> But I digress... I still don't see
>> A. Why samba/winbind would see DOM\administrator and local "root" as the same account, and
>> B. How DOM\administrator having a UID assigned via RFC2307 makes any difference, as it will have SOME UID assigned anyway (by idmap.ldb if not by me), and in either case it will not be 0
>>
>> Last note... This was with a CONSOLE login that I was able to gain root access... NOT via ssh... So I don't think sshd_config should play a role either here.
>>
>> Regards,
>>
>> David
>
>
> Hi, there are two separate points of view here, map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first then 'Administrator' can change directory settings on a Unix machine from windows (profiles dir, file share dirs etc) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.

A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove the Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group. Or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.

When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user account/group will have got extraordinary rights. As you write.

Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.

Regards
Davor

> Oh, and in answer to 'B', if you don't do anything, 'Administrator' is automatically mapped to root on a Samba4 AD DC.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Greetings, Davor Vusir!

>> Hi, there are two separate points of view here, map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first then 'Administrator' can change directory settings on a Unix machine from windows (profiles dir, file share dirs etc) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.
>>
> A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove the Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group. Or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.
>
> When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user account/group will have got extraordinary rights. As you write.
>
> Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.

# visudo -f /etc/sudoers.d/domain
# Members of the "domain admins" group may do about anything.
# And rightfully so.
%domain\x20admins ALL=(ALL:ALL) ALL

Apply liberally, where it is warranted.

But back to the train of thought: every user is just one user.
Mapping one user to another user creates a mess you don't want to solve yourself.

--
With best regards,
Andrey Repin
Sunday, April 19, 2015 01:11:07

Sorry for my terrible English...
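The two practical checks behind this exchange are (a) whether any domain account, 'Administrator' included, actually resolves to uid 0 on the Unix side, and (b) whether a sudoers rule for a group whose name contains a space is spelled the way sudoers expects. The script below is an added example, not part of Andrey's post and not a Samba or sudo tool; the domain name SAMDOM, the account names and the uidNumbers are constructed sample data standing in for `getent passwd` output on a winbind-enabled host.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: audit a passwd-format
# listing (the shape `getent passwd` prints on a winbind-enabled host) for
# accounts that resolve to uid 0, and build the sudoers group spec for a
# group whose name contains a space. SAMDOM and all accounts below are
# constructed sample data; the last line is deliberately mis-mapped.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
SAMDOM\administrator:*:10000:10000:Administrator:/home/SAMDOM/administrator:/bin/false
SAMDOM\dwillis:*:10001:10000:David Willis:/home/SAMDOM/dwillis:/bin/bash
SAMDOM\backupop:*:0:10000:Backup Operator:/home/SAMDOM/backupop:/bin/bash'

# Read passwd lines on stdin; print every name (other than "root") whose
# uid is 0, i.e. a domain account that has been mapped onto the local
# root user rather than given its own uidNumber.
# read -r keeps the backslash in DOMAIN\user intact.
extra_uid0_accounts() {
    while IFS=: read -r name _pw uid _rest; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Turn a group name into the "%group" form sudoers expects, encoding each
# space as \x20 so "domain admins" becomes %domain\x20admins.
sudoers_group_spec() {
    printf '%%%s\n' "$(printf '%s' "$1" | sed 's/ /\\x20/g')"
}

# Compose the full rule from the thread for a given group name.
sudoers_admin_rule() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$(sudoers_group_spec "$1")"
}

# Stand-alone run: report mis-mapped accounts, then show the rule that
# would go into /etc/sudoers.d/domain.
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
sudoers_admin_rule 'domain admins'
```

On a real host, feed `getent passwd` into `extra_uid0_accounts` instead of the sample; a non-empty result is exactly the situation David hit at the console, an account that is root without looking like it. Write the generated rule to its own file under /etc/sudoers.d/ and check it with `visudo -cf /etc/sudoers.d/domain` before relying on it, since a syntax error there can lock everyone out of sudo.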
Hi Andrey,

2015-04-19 0:12 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
> Greetings, Davor Vusir!
>
>>> Hi, there are two separate points of view here, map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first then 'Administrator' can change directory settings on a Unix machine from windows (profiles dir, file share dirs etc) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.
>>>
>
>> A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove the Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group. Or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.
>
>> When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user account/group will have got extraordinary rights. As you write.
>
>> Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.
>
> # visudo -f /etc/sudoers.d/domain
> # Members of the "domain admins" group may do about anything.
> # And rightfully so.
> %domain\x20admins ALL=(ALL:ALL) ALL
>
> Apply liberally, where it is warranted.
>

If there is a need to grant selected domain users elevated rights on the Linux host, in this case root privileges, this is one way of doing it. Rowland mentioned another.

> But back to the train of thought: every user is just one user.
> Mapping one user to another user creates a mess you don't want to solve yourself.
>

Maybe so. I was merely trying to express a different view, where Samba is somewhat self-contained and uses the Linux host as a vessel for its purpose: file sharing for Windows. With that in mind, Rowland is right when he says that the domain administrator account becomes an ordinary Unix user on the Linux host. For Samba it's good enough.

Regards
Davor

>
> --
> With best regards,
> Andrey Repin
> Sunday, April 19, 2015 01:11:07
>
> Sorry for my terrible English...
>