Bug 14801 - [SECURITY] Samba as a file server in an AD Domain without winbindd needs to trust usernames less
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.15.0rc2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Blocks: CVE-2020-25717
Reported: 2021-08-18 10:21 UTC by Andrew Bartlett
Modified: 2022-09-18 20:39 UTC
Description Andrew Bartlett 2021-08-18 10:21:47 UTC
This is one aspect of bug 14556, that we attempt to operate on systems that do not run winbindd for NSS via string-based name mapping.

This turns out to be quite dangerous in AD, even with the samAccountName inside the PAC to trust.  

This runs the risk that the DC could present us a username, inside the PAC, of "root" or other system users.

We should not trust the AD DC that far - if we don't run winbindd we may well be in a situation where the AD DC is a central (e.g. university central IT) DC, but that authorization occurs locally (e.g. in a department).

The expectation is that only locally created users can log in, but the ability for users to be named "root" is unexpected. However, standard AD permissions allow rename of accounts by the user who created them, who may not be locally trusted.

We could add a new smb.conf option "minimum domain UID" defaulting to 1000, to mark system users as off limits.
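
The check proposed in the description, as an added example (not Samba's code and not part of the original report): a name-only mapping beside one that refuses local UIDs below a minimum. The account table, function names and the `min_domain_uid` argument are constructed for illustration.

```c
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the local account database
 * (/etc/passwd or another LDAP, reached without nss_winbind). */
struct local_user { const char *name; uid_t uid; };
static const struct local_user LOCAL_USERS[] = {
    { "root", 0 }, { "daemon", 1 }, { "alice", 1001 },
};

enum map_result { MAP_OK, MAP_NO_SUCH_USER, MAP_BELOW_MIN_UID };

/* String-based lookup: the only link between the domain account and the
 * local account is the name the DC placed in the PAC. */
static const struct local_user *lookup_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof(LOCAL_USERS) / sizeof(LOCAL_USERS[0]); i++) {
        if (strcmp(LOCAL_USERS[i].name, name) == 0)
            return &LOCAL_USERS[i];
    }
    return NULL;
}

/* Before: any name the DC asserts is accepted, including "root". */
enum map_result map_trusting(const char *pac_name, uid_t *uid_out)
{
    const struct local_user *u = lookup_by_name(pac_name);
    if (u == NULL)
        return MAP_NO_SUCH_USER;
    *uid_out = u->uid;
    return MAP_OK;
}

/* After: same lookup, but a domain logon may not resolve to a local UID
 * below min_domain_uid (hypothetical argument modelled on the proposed
 * option, which would default to 1000). */
enum map_result map_checked(const char *pac_name, uid_t min_domain_uid,
                            uid_t *uid_out)
{
    const struct local_user *u = lookup_by_name(pac_name);
    if (u == NULL)
        return MAP_NO_SUCH_USER;
    if (u->uid < min_domain_uid)
        return MAP_BELOW_MIN_UID;  /* refuse; leave *uid_out untouched */
    *uid_out = u->uid;
    return MAP_OK;
}
```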
Comment 1 Andrew Bartlett 2021-09-21 08:34:05 UTC
In this issue what I mean by "do not run winbindd for NSS" is that nss_winbind is not referenced in nsswitch.conf and users come from another LDAP or /etc/passwd.
Comment 2 Andrew Bartlett 2021-11-03 04:09:21 UTC
"min domain uid" is implemented in the security patch set.

Opening this bug to vendors.
Comment 3 Samba QA Contact 2021-11-09 18:19:08 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.2):

Comment 4 Samba QA Contact 2021-11-09 18:23:50 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.14):

Comment 5 Samba QA Contact 2021-11-09 18:42:12 UTC
This bug was referenced in samba v4-15-test:

Comment 6 Samba QA Contact 2021-11-09 18:47:58 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.10):

Comment 7 Samba QA Contact 2021-11-09 18:55:16 UTC
This bug was referenced in samba v4-13-test:

Comment 8 Samba QA Contact 2021-11-09 19:19:21 UTC
This bug was referenced in samba v4-14-test:

Comment 9 Samba QA Contact 2021-11-09 20:38:17 UTC
This bug was referenced in samba master:

Comment 10 Andrew Bartlett 2021-11-09 20:55:39 UTC
The patches addressing this issue have been pushed to master and security releases made.