I don't want to call this a security problem, since it isn't a code exploit, but many people might have this problem.

The other day a user was removed from our SLES samba-3.0.28-0.6 domain due to inactivity, but he still needed his account, so I recreated it. I didn't try to restore the LDAP data, so he got a new SID, etc. I was amazed to find that once his userid was created, he was already (still) in the groups that he had been in before.

It would be possible for you to delete a userid who is in Domain Admins, and then have someone else request that userid days or weeks later. That userid would probably be a member of Domain Admins upon creation.

After digging into what happened, as a Linux admin, this makes sense to me, but as a Windows admin, this "blows me away". I had assumed that SIDs were used in most places, but with an LDAP backend, group membership is stored by name, not by SID.

In the smb.conf we are not using the smbldap-tools anymore and we have set:

    ldapsam:editposix = yes
    passdb backend = ldapsam:"ldap://127.0.0.1"

A solution to this problem might be for Samba to remove a user from all the groups before the account is deleted. (I will probably code this into our account cleanup scripts.)

This also means renaming an ID would be more involved than I (given a Windows background) had assumed. We don't do it, but I had assumed that an account rename from User Manager would work.

thanks,
Bill Marshall
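The cleanup step the post proposes (strip the uid out of every group before the account is deleted, so a later re-creation of the same login name does not inherit the old memberships), written out as an added example. This is not code from the post or from Samba; it assumes the groups are posixGroup entries whose membership is a memberUid attribute holding the login name (the by-name storage the post describes), and the directory contents below are constructed sample LDIF, not data from any real server.

```python
"""
Added example: given a dump of the group entries, find every group that lists
a uid in memberUid, emit the ldapmodify input that removes it, and simulate
the result so the cleanup can be checked before it is run for real.

Assumptions (not from the original post): posixGroup entries with memberUid
values equal to the login name; the LDIF below is constructed sample data.
"""

import re

# Constructed sample LDIF: two groups, the target user "jdoe" is in both.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: bmarshall
memberUid: jdoe

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
memberUid: jdoe
memberUid: asmith
"""


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64) into (dn, attrs) pairs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn = None
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def groups_containing(entries, uid):
    """DNs of every group whose memberUid list names this uid."""
    return [dn for dn, attrs in entries if uid in attrs.get("memberUid", [])]


def removal_ldif(entries, uid):
    """ldapmodify input that deletes the uid's memberUid value from each group.

    Run this through ldapmodify *before* the user entry itself is deleted;
    once the user is gone there is nothing left to tie the name to a SID.
    """
    records = []
    for dn in groups_containing(entries, uid):
        records.append(
            f"dn: {dn}\n"
            f"changetype: modify\n"
            f"delete: memberUid\n"
            f"memberUid: {uid}\n"
            f"-\n"
        )
    return "\n".join(records)


def apply_removal(entries, uid):
    """Simulate the modify locally: return entries with uid dropped from all groups."""
    cleaned = []
    for dn, attrs in entries:
        new_attrs = dict(attrs)
        if "memberUid" in new_attrs:
            new_attrs["memberUid"] = [m for m in new_attrs["memberUid"] if m != uid]
        cleaned.append((dn, new_attrs))
    return cleaned


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print(removal_ldif(groups, "jdoe"))
```

In practice the group dump would come from `ldapsearch -b ou=Groups,... '(objectClass=posixGroup)' memberUid` and the generated records would be piped into `ldapmodify` before the user delete; the `apply_removal` step exists so the script can be dry-run and its effect checked. Note that a name-based check like this finds only groups that list the login name; if the directory also carries group membership by DN or by SID elsewhere, those attributes need the same treatment.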
