On Monday, 18 May 2009 22:12, William Marshall wrote:
> I don't want to call this a security problem, since it isn't a code
> exploit, but many people might have this problem.
>
> The other day a user was removed from our SLES samba-3.0.28-0.6
> domain due to inactivity, but he still needed his account, so I
> recreated it. I didn't try to restore the LDAP data, so he got a new
> SID, etc.
>
> I was amazed to find that once his userid was created, he was already
> (still) in the groups that he had been in before.
>
> It would be possible for you to delete a userid who is in Domain
> Admins, and then have someone else request that userid days or weeks
> later. That userid would probably be a member of the Domain Admins
> upon creation.
>
> After digging into what happened, as a Linux admin, this makes sense
> to me, but as a Windows admin, this "blows me away". I had assumed
> that SIDs were used in most places, but with an LDAP backend, group
> membership is stored by name, not by SID.

And in openldap there is another group model. If you use this, instead of
posix and sids, then there may be an (easy) solution.

- use DN based group entries
- use the nss_schema switch in libnss-ldap.conf
- use the refint overlay in slapd.conf, see "man slapo-refint"

If you now rename or delete an account, the account-DN is modified or
deleted in all groups.

> In the smb.conf we are not using the smbldap-tools anymore and
> we have set:
> ldapsam:editposix = yes
> passdb backend = ldapsam:"ldap://127.0.0.1"
>
> A solution to this problem might be for Samba to remove a user from
> all the groups before the account is deleted. (I will probably code
> this into our account cleanup scripts)
>
> This also means renaming an ID would be more involved than I (given a
> Windows background) had assumed. We don't do it, but I had assumed
> that an account rename from usermanager would work.
>
> thanks,
> Bill Marshall

--
Regards
Harry Jede
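The stale name-based membership Bill describes can be audited and cleaned up before an account is deleted. The following is an added example (not code from either poster or from Samba): it parses a constructed LDIF dump in which the deleted user "alice" is still listed by memberUid in two posixGroups, reports such dangling memberUid values, and emits the ldapmodify LDIF that removes a given uid from every group. The sample DNs and uids are assumed values.

```python
"""Find dangling name-based group memberships in an LDIF dump and emit the
cleanup LDIF that removes a user from every posixGroup before deleting it."""
import re

# Constructed sample LDIF: 'alice' was deleted but her memberUid survived.
SAMPLE_LDIF = """\
dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Admins
memberUid: alice
memberUid: bob

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
memberUid: alice
"""

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) for each entry in a simple LDIF."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries

def dangling_members(entries):
    """Map group DN -> memberUid values that name no existing posixAccount."""
    uids = {a["uid"][0] for _, a in entries if "posixAccount" in a.get("objectClass", [])}
    return {dn: [m for m in a.get("memberUid", []) if m not in uids]
            for dn, a in entries if "posixGroup" in a.get("objectClass", [])
            and any(m not in uids for m in a.get("memberUid", []))}

def removal_ldif(entries, uid):
    """LDIF (for ldapmodify) deleting `uid` from every group that lists it."""
    out = []
    for dn, a in entries:
        if "posixGroup" in a.get("objectClass", []) and uid in a.get("memberUid", []):
            out.append(f"dn: {dn}\nchangetype: modify\ndelete: memberUid\nmemberUid: {uid}\n-\n")
    return "\n".join(out)

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(dangling_members(entries))
    print(removal_ldif(entries, "alice"))
```

Run removal_ldif for a user as the first step of the cleanup script, feed its output to ldapmodify, and only then delete the account; a periodic run of dangling_members catches memberships that slipped through.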
