Bug 10361 - Functional levels can be raised with any domain account through samba-tool
Functional levels can be raised with any domain account through samba-tool
Status: RESOLVED INVALID
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.1.3
x64 Linux
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-01-07 11:31 UTC by Marc Muehlfeld
Modified: 2014-01-07 14:16 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2014-01-07 11:31:59 UTC
The MS documentation says, to raise the forest functional level, you must be member of the "Enterprise Admins" group (http://technet.microsoft.com/en-us/library/cc730985.aspx). And to raise the domain functional level, you must be additionally be member of "Domain Admins" (http://technet.microsoft.com/en-us/library/cc753104.aspx).


But samba-tools allows to raise both levels with any domain account:

# kdestroy

# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

# samba-tool domain level raise --domain-level=2008_R2 -U demo3
Domain function level changed!
All changes applied successfully!

# samba-tool domain level raise --forest-level=2008_R2 -U demo3
Forest function level changed!
All changes applied successfully!


The domain account "demo3" I've used, is only in the group "Domain Users".

Also samba-tool did not request any password for the account I've used.


The only thing that prevents normal users to raise the levels, is that you have to be root, because the secrets.ldb isn't mode 600. But if you have root permissions on any DC, you can raise the levels with every domain account.
Comment 1 Björn Baumbach 2014-01-07 12:13:52 UTC
This is not a bug, this is by design.
If you have sufficient access to the database files you can use samba-tool to make changes in the database.
Like e.g. samba-tool user add ...

The -U option is ignored in this case. But is honoured in combination with the -H option.

Björn
Comment 2 Marc Muehlfeld 2014-01-07 12:37:27 UTC
Hello Björn,

(In reply to comment #1)
> This is not a bug, this is by design.
> If you have sufficient access to the database files you can use samba-tool to
> make changes in the database.
> Like e.g. samba-tool user add ...

I didn't knew that and the --help option doesn't give a hint on that. Maybe a note can be added, like

    -U USERNAME, --username=USERNAME
                 Parameter is only used in conjunction with -H




> The -U option is ignored in this case. But is honoured in combination with the
> -H option.

If I use -U ... -H, then only members of the Domain Admin groups can raise the two levels.

But if samba-tool should act according to the MS documentation in that case, the raise of forest levels should require Enterprise Admin group membership, too.
Comment 3 Björn Baumbach 2014-01-07 14:08:41 UTC
(In reply to comment #2)
> If I use -U ... -H, then only members of the Domain Admin groups can raise the
> two levels.

Thank you for the verification.

> But if samba-tool should act according to the MS documentation in that case,

The samba-tool is just a tool like "net" and should not act according to the MS documentation in that case. You can use it locally to manipulate the databases directly or over the "network" via ldap/rpc/...

Björn
Comment 4 Marc Muehlfeld 2014-01-07 14:16:00 UTC
(In reply to comment #3)
> > But if samba-tool should act according to the MS documentation in that case,
> 
> The samba-tool is just a tool like "net" and should not act according to the MS
> documentation in that case. You can use it locally to manipulate the databases
> directly or over the "network" via ldap/rpc/...


Thanks for that information.

Maybe you can add that note to the samba-tool manpage. Currently there is just one sentence below "description". This could clarify some things for other users, too.