On Mon, 2009-05-18 at 15:12 -0500, William Marshall wrote:
> I don't want to call this a security problem. Since it isn't a code
> exploit, but, many people might have this problem.
>
> The other day a user was removed from our SLES samba-3.0.28-0.6 domain
> due to inactivity, but he still needed his account, so I recreated it. I
> didn't try to restore the LDAP data, so he got a new SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain Admins,
> and then have someone else request that userid days or weeks later. That
> userid would probably be a member of the Domain Admins upon creation.
There is a good reason many security guides recommend never to reuse
userids or user/group uids :-)

> After digging into what happened, as a Linux admin, this makes sense to
> me, but as a Windows admin, this "blows me away". I had assumed that SIDs
> were used in most places, but with an LDAP backend, group membership is
> stored by name, not by SID.

Unfortunately that's what rfc2307 provides, and even using rfc2307bis
wouldn't help as with the same userID you would come up with the same DN.

> In the smb.conf we are not using the smbldap-tools tools anymore and we
> have set:
> ldapsam:editposix = yes
> passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from all
> the groups before the account is deleted. (I will probably code this into
> our account cleanup scripts)

See below.

> This also means renaming an ID would be more involved than I (given a
> windows background) had assumed. We don't do it, but I had assumed that an
> account rename from usermanager would work.

Yes, true, see: #6353 which is related, we need to enhance editposix to
handle group removals.
I will take this bug next w/e if nobody steps up before.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <[email protected]>
Principal Software Engineer at Red Hat, Inc. <[email protected]>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
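An added example of the cleanup step William mentions, not code from the thread, from his scripts, or from Samba itself. It works on an LDIF dump of the directory and assumes the rfc2307 layout the thread describes (posixGroup entries with memberUid holding the user name, posixAccount entries holding uid) and that every account lives in the directory. The sample LDIF, the DNs under dc=example,dc=com and the user names are constructed for the example. It does two things: list the groups a given uid would inherit if recreated and emit the ldapmodify records that remove it from them before the account is deleted, and audit an existing directory for memberUid values that no longer name any posixAccount.

```python
"""Added example (not from the thread or from Samba): audit rfc2307 posixGroup
memberUid values against the posixAccount uids that still exist, and emit the
ldapmodify LDIF that strips a user out of every group before the account is
deleted.  Assumes groups are posixGroup entries with memberUid (what
ldapsam:editposix writes) and that all accounts live in the directory."""
from collections import defaultdict

# Constructed sample directory dump.  "wmarshall" has already been deleted
# (no posixAccount entry), yet two groups, including Domain Admins, still
# carry his name in memberUid -- recreating the uid would inherit both.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: alice
memberUid: wmarshall

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1000
memberUid: alice
memberUid: bob
memberUid: wmarshall
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lower: [values]}).
    Joins folded continuation lines; base64 ('::') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
    return entries


def _has_class(attrs, oc):
    return oc in (v.lower() for v in attrs.get("objectclass", []))


def memberships_of(entries, uid):
    """Group DNs whose memberUid lists `uid`: what a recreated account with
    that name would silently inherit."""
    return [dn for dn, a in entries
            if _has_class(a, "posixgroup") and uid in a.get("memberuid", [])]


def stale_memberships(entries):
    """{group_dn: [uid, ...]} for memberUid values with no matching posixAccount."""
    live = {u for _, a in entries if _has_class(a, "posixaccount")
            for u in a.get("uid", [])}
    stale = {}
    for dn, a in entries:
        if _has_class(a, "posixgroup"):
            orphans = [m for m in a.get("memberuid", []) if m not in live]
            if orphans:
                stale[dn] = orphans
    return stale


def removal_ldif(memberships):
    """LDIF 'changetype: modify' records deleting the given memberUid values;
    feed the output to `ldapmodify` (one record per group)."""
    out = []
    for dn, uids in memberships.items():
        out.append(f"dn: {dn}\nchangetype: modify\n")
        for uid in uids:
            out.append(f"delete: memberUid\nmemberUid: {uid}\n-\n")
        out.append("\n")
    return "".join(out)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    # Pre-deletion step: strip the user from every group *before* removing
    # the account, so the name carries no memberships if it is ever reused.
    groups = memberships_of(entries, "wmarshall")
    print(removal_ldif({g: ["wmarshall"] for g in groups}))
    # Periodic audit: catch names that were deleted without that step.
    print(stale_memberships(entries))
```

In a mixed setup where some accounts come from /etc/passwd rather than LDAP, memberUid can legitimately name users the directory does not know about, so the audit should compare against `getent passwd` output instead of only the posixAccount entries. Run the audit on a schedule as well as the pre-deletion step: the audit is what catches a name that was deleted through another path, and a stale entry in Domain Admins is exactly the case the thread describes.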
