On 01/12/2011 12:35, steve wrote:
On 01/12/11 00:37, Matthieu Patou wrote:
Hello Steve,
On 30/11/2011 19:52, steve wrote:
On 30/11/11 19:20, Matthieu Patou wrote:
Hello,


Each subfolder of /home is username:users. A file which is 0755
steve:users can be deleted by anyone. Samba 4 does not prompt for a
username and password when entering any share. This is just a plain
install of:
Where is the /home? On the Samba 4 AD server? Mounted on the client?

How did you create the subfolders?


Can you give a detailed list of actions to reproduce your problem?


Matthieu.


I've tried both. In this example hh3 is the Samba server 192.168.1.3

smb.conf has:

[home]
path = /home
read only = no

/home has 2 users /home folders. /home/steve and /home/lynn both owned
by their respective steve:users and lynn:users. Both users were
created before Samba 4 was installed. Linux does not allow file
creation nor deleting between the 2 folders.

Well, this already points me to something wrong in what you have done.

Just because you have users steve and lynn on the Linux/Unix side does
not mean they are the same as your users created in the Active Directory;
they will not be the same at all.

Then I suspect konq implicitly uses your Linux user as the default SMB
user, and if the password matches then you won't be prompted for a password.

In order to be sure you'd better do the test with smbclient.

For me smbclient didn't give me access if I don't put a password:


smbclient -L //zeus
Enter mat's password:
Anonymous login successful
Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]

        Sharename       Type       Comment
        ---------       ----       -------
        home            Disk
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC        IPC Service
zeus is an IPv6 address -- no workgroup available

smbclient //zeus/home
Enter mat's password:


so, on hh3:
login as steve

on konq do

smb://hh3

click on the home folder

enter the lynn folder

create a file (it shouldn't allow you)
delete a different file (it shouldn't allow you)

Now go over to another client, 192.168.1.4
Login as someone different but not root.

repeat above.

The user on another physical box can also delete and create files in
either the lynn or steve home folders.

I suggest making a trace with tcpdump in order to know which user konq
is using to authenticate you against the Samba 4 server.

Apart from this, you have to know that the current file server for the
Samba AD (called samba4 so far) uses full NT ACLs that are usually stored
in security.NTACL, in the extended attributes. When this information is
not present it uses the POSIX ACLs and POSIX rights and tries to translate
them to their NT ACL equivalent.

It seems that here you have found a bug in the way the translation is done.


Matthieu.

Hi

Using my setup:

smbclient -L //hh3 does not work. It sits there forever. Server: hh3.site, domain HH1. Linux users lynn and steve who are also Samba 4 users. The Linux /home folders are /home/lynn and /home/steve

This does:
steve@hh3:~> smbclient -L hh3
Password for [HH1\steve]:

        Sharename       Type       Comment
        ---------       ----       -------
        netlogon        Disk
        sysvol          Disk
        test            Disk
        homes           Disk
        IPC$            IPC        IPC Service
REWRITE: list servers not implemented

then, confirming what happens in a GUI:

So you are prompted for a password, right?

steve@hh3:~> smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
  .                                   D        0  Wed Nov 30 20:37:48 2011
  ..                                  D        0  Thu Dec  1 12:03:46 2011
  lynn                                D        0  Wed Nov 30 20:50:53 2011
  steve                               D        0  Thu Dec  1 12:17:20 2011

                29284192 blocks of size 512. 9509912 blocks available
smb: \> cd lynn
smb: \lynn\> ls
  .                                   D        0  Wed Nov 30 20:50:53 2011
  ..                                  D        0  Wed Nov 30 20:37:48 2011
  d                                   D        0  Wed Nov 30 20:50:53 2011

                29284192 blocks of size 512. 9509912 blocks available
smb: \lynn\> rmdir d
smb: \lynn\> ls
  .                                   D        0  Thu Dec  1 12:21:17 2011
  ..                                  D        0  Wed Nov 30 20:37:48 2011

                29284192 blocks of size 512. 9509920 blocks available

smb: \lynn\> mkdir hello
smb: \lynn\> ls
  .                                   D        0  Thu Dec  1 12:25:22 2011
  ..                                  D        0  Wed Nov 30 20:37:48 2011
  hello                               D        0  Thu Dec  1 12:25:22 2011

                29284192 blocks of size 512. 9509888 blocks available

It's the same using smbclient or konq.
Can you refresh, a change has been made to correct a bug.

Beware that on your machine where the Samba 4 DC is running, files/folders need to have the guid/uid of your AD users, not your Linux users.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
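
Added example (not part of the thread and not Samba code): a small audit of a share tree that reports, for each entry, whether the security.NTACL extended attribute mentioned above is stored or absent (the case where the server falls back to translating POSIX owner and mode), together with the POSIX uid, gid and mode that would then be translated. The function names `ntacl_state` and `audit` are hypothetical, and the directory tree in the demo is constructed.

```python
import errno
import os
import stat
import tempfile

NTACL_XATTR = "security.NTACL"  # xattr name as given in the thread


def ntacl_state(path, read_xattr=os.getxattr):
    """Return 'stored', 'absent' (POSIX fallback applies) or 'unknown'."""
    try:
        read_xattr(path, NTACL_XATTR)
        return "stored"
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "absent"
        return "unknown"  # e.g. EACCES: rerun with enough privilege


def audit(root, read_xattr=os.getxattr):
    """List each directory and file under root with owner, mode and NT ACL state."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # getxattr would follow the link; skip it
            rows.append({
                "path": os.path.relpath(path, root),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mode": stat.filemode(st.st_mode),
                "ntacl": ntacl_state(path, read_xattr),
            })
    return rows


if __name__ == "__main__":
    # Constructed sample tree standing in for /home on the server.
    with tempfile.TemporaryDirectory() as root:
        for user in ("lynn", "steve"):
            os.makedirs(os.path.join(root, user, "d"))
        for row in audit(root):
            print("{path:12} uid={uid} gid={gid} {mode} ntacl={ntacl}".format(**row))
```

Entries reported as `absent` are the ones whose access depends on the POSIX-to-NT translation, so their uid/gid and mode are the values to compare against the AD users' ids.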
