[PATCH] s4/provision: don't mix local uid numbers with domain mappings

Samba - samba-technical mailing list
From 514e4d8c57b9189a0a3dddcee1748db832f7b851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <[hidden email]>
Date: Wed, 13 Dec 2017 14:38:03 +0100
Subject: [PATCH] s4/provision: don't mix local uid numbers with domain
 mappings

Mixing local IDs with domain mapped IDs is a bad idea. Especially don't mess
with root's uid 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9837

Signed-off-by: Bjoern Jacke <[hidden email]>
---
 python/samba/provision/__init__.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index d95f46a..b63ef2e 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -786,8 +786,10 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
     """
     idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
 
-    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
-    idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
+    # we should not mess with local uid/gid numbers (especially not root's
+    # and the domain mappings, see bug 9837.
+    #idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
+    #idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
 
 
 def setup_samdb_partitions(samdb_path, logger, lp, session_info,
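Review bot: the two mappings in this hunk are commented out rather than removed, which leaves dead code behind and leaves the root_uid parameter shown in the hunk header (and users_gid) unused by setup_name_mappings; delete the two `#idmap.setup_name_mapping(...)` lines outright and remove or deprecate the now-unused parameters, updating the function's docstring to match. The explanatory comment also needs fixing: it opens a parenthesis at "(especially not root's" that is never closed. Since nothing in the hunk replaces the removed entries, the comment should state what a freshly provisioned DC now does for the sid + "-500" (Administrator) and sid + "-513" (Domain Users) mappings, so the behaviour change is documented in the code and not only in bug 9837.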
--
2.7.4
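An added audit check for the condition this patch is about (example code, not part of Björn's patch or of Samba itself): it reads a dump of a DC's idmap.ldb and flags domain SIDs that have been mapped onto local system IDs such as uid 0. The LDIF below is a constructed sample; the attribute names objectSid, type and xidNumber are assumed to match what ldbsearch prints for idmap.ldb, and the domain SID S-1-5-21-1-2-3 is a placeholder.

```python
# Constructed sample in the shape of an ldbsearch dump of idmap.ldb.
# Attribute names are assumed from idmap.ldb; the domain SID is a placeholder.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1-2-3-500
objectSid: S-1-5-21-1-2-3-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-1-2-3-513
objectSid: S-1-5-21-1-2-3-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
type: ID_TYPE_BOTH
xidNumber: 3000004

dn: CN=S-1-5-7
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 65534
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated blocks of 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur[key] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def find_local_id_mappings(text, domain_sid, max_local_id=999):
    """Return (sid, type, xid) for SIDs of domain_sid mapped onto local system IDs.

    Well-known SIDs such as S-1-5-7 (nobody) are ignored; only RIDs under the
    given domain count. max_local_id=0 reports just the uid/gid 0 case."""
    hits = []
    for e in parse_ldif(text):
        sid, xid = e.get("objectSid", ""), e.get("xidNumber")
        if xid is None or not sid.startswith(domain_sid + "-"):
            continue
        if int(xid) <= max_local_id:
            hits.append((sid, e.get("type"), int(xid)))
    return hits
```

Feed it the output of ldbsearch run against the DC's idmap.ldb; with max_local_id=0 it reports only the Administrator-is-uid-0 mapping the thread is arguing about.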


Re: [PATCH] s4/provision: don't mix local uid numbers with domain mappings

On Wed, 13 Dec 2017 14:42:51 +0100
Björn Jacke via samba-technical <[hidden email]> wrote:

> From 514e4d8c57b9189a0a3dddcee1748db832f7b851 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <[hidden email]>
> Date: Wed, 13 Dec 2017 14:38:03 +0100
> Subject: [PATCH] s4/provision: don't mix local uid numbers with domain
>  mappings
>
> Mixing local IDs with domain mapped IDs is a bad idea. Especially
> don't mess with root's uid 0.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=9837
>
> Signed-off-by: Bjoern Jacke <[hidden email]>
> ---
>  python/samba/provision/__init__.py | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/python/samba/provision/__init__.py
> b/python/samba/provision/__init__.py index d95f46a..b63ef2e 100644
> --- a/python/samba/provision/__init__.py
> +++ b/python/samba/provision/__init__.py
> @@ -786,8 +786,10 @@ def setup_name_mappings(idmap, sid, root_uid,
> nobody_uid, """
>      idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
>  
> -    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> -    idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
> +    # we should not mess with local uid/gid numbers (especially not
> root's
> +    # and the domain mappings, see bug 9837.
> +    #idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> +    #idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID,
> users_gid)
>  
>  def setup_samdb_partitions(samdb_path, logger, lp, session_info,

You are probably starting to think I am a pain, but NAK on
Administrator not getting the ID '0'; you are about to break half of
the installs (at least) by doing this.

The ssh problem isn't really a problem, you just have to remember to
ssh as 'root', not as Administrator. When on Unix, use 'root' and when
on Windows, use Administrator.

Rowland

Re: [PATCH] s4/provision: don't mix local uid numbers with domain mappings

On Wed, 2017-12-13 at 14:42 +0100, Björn Jacke via samba-technical
wrote:

> From 514e4d8c57b9189a0a3dddcee1748db832f7b851 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <[hidden email]>
> Date: Wed, 13 Dec 2017 14:38:03 +0100
> Subject: [PATCH] s4/provision: don't mix local uid numbers with domain
>  mappings
>
> Mixing local IDs with domain mapped IDs is a bad idea. Especially don't mess
> with root's uid 0.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=9837
>
> Signed-off-by: Bjoern Jacke <[hidden email]>
> ---
>  python/samba/provision/__init__.py | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
> index d95f46a..b63ef2e 100644
> --- a/python/samba/provision/__init__.py
> +++ b/python/samba/provision/__init__.py
> @@ -786,8 +786,10 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
>      """
>      idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
>  
> -    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> -    idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
> +    # we should not mess with local uid/gid numbers (especially not root's
> +    # and the domain mappings, see bug 9837.
> +    #idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> +    #idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
>  
>  
>  def setup_samdb_partitions(samdb_path, logger, lp, session_info,

My primary concern with this is: will, after this, Administrator have
the rights of root in terms of being able to override permissions on
the files owned by others?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

Re: [PATCH] s4/provision: don't mix local uid numbers with domain mappings

On Thu, 14 Dec 2017 11:01:11 +1300
Andrew Bartlett via samba-technical <[hidden email]>
wrote:

> On Wed, 2017-12-13 at 14:42 +0100, Björn Jacke via samba-technical
> wrote:
> > From 514e4d8c57b9189a0a3dddcee1748db832f7b851 Mon Sep 17 00:00:00
> > 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <[hidden email]>
> > Date: Wed, 13 Dec 2017 14:38:03 +0100
> > Subject: [PATCH] s4/provision: don't mix local uid numbers with
> > domain mappings
> >
> > Mixing local IDs with domain mapped IDs is a bad idea. Especially
> > don't mess with root's uid 0.
> >
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=9837
> >
> > Signed-off-by: Bjoern Jacke <[hidden email]>
> > ---
> >  python/samba/provision/__init__.py | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/python/samba/provision/__init__.py
> > b/python/samba/provision/__init__.py index d95f46a..b63ef2e 100644
> > --- a/python/samba/provision/__init__.py
> > +++ b/python/samba/provision/__init__.py
> > @@ -786,8 +786,10 @@ def setup_name_mappings(idmap, sid, root_uid,
> > nobody_uid, """
> >      idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
> >  
> > -    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID,
> > root_uid)
> > -    idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID,
> > users_gid)
> > +    # we should not mess with local uid/gid numbers (especially
> > not root's
> > +    # and the domain mappings, see bug 9837.
> > +    #idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID,
> > root_uid)
> > +    #idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID,
> > users_gid)
> >  
> >  def setup_samdb_partitions(samdb_path, logger, lp, session_info,
>
> My primary concern with this is: will, after this, Administrator have
> the rights of root in terms of being able to override permissions on
> the files owned by others?
>
> Thanks,
>
> Andrew Bartlett
>

As I understand it, if Administrator isn't mapped to root on a
newly provisioned DC, then nobody will be able to make any changes to
the DC from Windows.

This has come up a few times on the samba mailing list when people have
given Administrator a uidNumber that isn't '0'.

Rowland

Re: [PATCH] s4/provision: don't mix local uid numbers with domain mappings

On 2017-12-14 at 11:01 +1300 Andrew Bartlett via samba-technical sent off:
> My primary concern with this is: will, after this, Administrator have
> the rights of root in terms of being able to override permissions on
> the files owned by others?

Of course, other domain admin members who don't have uidNumber=0 would also have
issues otherwise. On the other hand there are plenty of problems when uid
0 randomly resolves to a non-root user with a home directory which is not
/root/. I'm a bit puzzled that you argue against this now after
https://bugzilla.samba.org/show_bug.cgi?id=9837 was reported in the early days
of Samba 4.0 (5 years ago), and you never commented on it, not even after
Michael also mentioned that this should urgently be changed. On fileservers
there are file permissions and privileges to handle things right. Bringing up a
broken idmap configuration involving messing up the root user by default
to enable people to get admin rights on fileservers is really bad.

Björn
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Re: [PATCH] s4/provision: don't mix local uid numbers with domain mappings

On Thu, 14 Dec 2017 11:53:46 +0100
Björn Jacke via samba-technical <[hidden email]> wrote:

> On 2017-12-14 at 11:01 +1300 Andrew Bartlett via samba-technical sent
> off:
> > My primary concern with this is: will, after this, Administrator have
> > the rights of root in terms of being able to override permissions on
> > the files owned by others?
>
> Of course, other domain admin members who don't have uidNumber=0
> would also have issues otherwise. On the other hand there are plenty
> of problems when uid 0 randomly resolves to a non-root user with a
> home directory which is not /root/. I'm a bit puzzled that you argue
> against this now after
> https://bugzilla.samba.org/show_bug.cgi?id=9837 was reported in the
> early days of Samba 4.0 (5 years ago), and you never commented on
> it, not even after Michael also mentioned that this should urgently
> be changed. On fileservers there are file permissions and privileges
> to handle things right. Bringing up a broken idmap configuration
> involving messing up the root user by default to enable people
> to get admin rights on fileservers is really bad.
>
> Björn

Administrator only gets the ID '0' by default on a Samba DC; you have
to map Administrator to root manually on a Unix domain member.
I cannot think of any problems caused by mapping Administrator to root
on a DC; your problems seem to be self-inflicted.

If you have ssh set up correctly, you cannot log in as Administrator,
just as root cannot log in.

Rowland