idmap config range filter is not working for group ids

Bug #1988850 reported by Alexander Fieroch
Affects: samba4 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

We configure clients to use samba winbind for integrating into Active Directory.
The IDs of our AD users and AD groups start above 10,000, so we set the filter to
  idmap config COMPANY : range = 10000-165000
Unfortunately, all AD users get membership of group 1001, which is an Active Directory BUILTIN group:

  getent -s winbind group 1001
  BUILTIN\users:x:1001:

But since there exists a local user with ID 1001 and also its group ID 1001, all AD users within AD group 1001 (BUILTIN\users) are in the local group 1001, which is not wanted.

I changed the order in /etc/nsswitch.conf from

passwd: files winbind systemd
group: files winbind systemd

to

passwd: winbind systemd files
group: winbind systemd files

and it is working as expected!

The question is whether it is right to change this behaviour in nsswitch.conf as I did, or whether the idmap config range should filter these lower IDs around 1000?

smb.conf:

[global]
  workgroup = COMPANY
  realm = COMPANY.DE
  security = ads
  kerberos method = secrets and keytab
  server role = member server
  local master = no
  domain master = no
  disable netbios = yes
  log level = 3
  idmap config * : backend = tdb
  idmap config * : range = 1000-5000
  idmap config COMPANY : backend = ad
  idmap config COMPANY : range = 10000-165000
  idmap config COMPANY : schema_mode = rfc2307
  idmap config COMPANY : unix_nss_info = no
  idmap config COMPANY : unix_primary_group = yes
  template homedir = /home/%U
  template shell = /bin/bash
  winbind use default domain = yes
  winbind refresh tickets = yes
  winbind offline logon = yes
  winbind enum users = yes
  winbind enum groups = yes
  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes
  inherit permissions = Yes
  inherit acls = Yes
  acl group control = yes
  nt acl support = yes
  server string = %h server (Samba, Ubuntu)
  log file = /var/log/samba/log.%m
  max log size = 1000
  logging = file
  panic action = /usr/share/samba/panic-action %d
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  usershare allow guests = yes

summary: - idmap config range filter is not working anymore
+ idmap config range filter is not working
summary: - idmap config range filter is not working
+ idmap config range filter is not working for group ids
Alexander Fieroch (fieroch) wrote:

OK, I correct myself: it's not good to change the order in nsswitch.conf!

After preferring winbind first, local users in local group 1000 are resolved as "BUILTIN\administrators" in AD and local users in local group 1001 are in the domain group "BUILTIN\users", which is not wanted and could be a security problem.
Not changing the order resolves users who are in the domain group 1001 ("BUILTIN\users") to the local group 1001, which is not wanted either!

So I think we have a security problem here, as long as I'm not doing something wrong with the config.

My solution now is to change the IDs of local users and groups to higher ones that are not used in AD, and to change permissions accordingly.
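What the smb.conf in the report makes visible is that BUILTIN\users is not a COMPANY SID, so winbind maps it through the default backend (idmap config * : backend = tdb), whose range here is 1000-5000; that range overlaps the local accounts at 1000/1001, and the COMPANY range filter has no say over it. The script below is an added example, not code from the bug report or from Samba: it parses the "idmap config <domain> : range" lines, flags every local UID/GID that falls inside a winbind range (the check both the description and the follow-up comment are circling), and also confirms that the configured ranges are disjoint. The passwd/group contents are constructed to mirror the 1000/1001 collision; to run it against a real host, read /etc/passwd, /etc/group and smb.conf into the same functions.

```python
"""Audit local passwd/group IDs against the winbind idmap ranges in smb.conf.

Added example (not from the bug report or from Samba). It reads the
'idmap config <domain> : range' lines, then flags every local UID/GID that
lies inside one of those ranges, since winbind may allocate the same number
to a domain or BUILTIN SID. The passwd/group data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Matches lines such as "idmap config COMPANY : range = 10000-165000".
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

# The idmap lines from the reporter's smb.conf, quoted verbatim.
SAMPLE_SMB_CONF = """
[global]
  idmap config * : backend = tdb
  idmap config * : range = 1000-5000
  idmap config COMPANY : backend = ad
  idmap config COMPANY : range = 10000-165000
"""

# Constructed local account databases; 1000/1001 mirror the report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000::/home/localadmin:/bin/bash
svc:x:1001:1001::/home/svc:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
localadmin:x:1000:
svc:x:1001:
staff:x:6000:localadmin
"""


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group("domain")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def parse_ids(db: str) -> Dict[int, str]:
    """Return {numeric id: name}; field 2 is the UID in passwd and the GID in group."""
    ids: Dict[int, str] = {}
    for line in db.splitlines():
        parts = line.split(":")
        if len(parts) > 2 and parts[2].isdigit():
            ids[int(parts[2])] = parts[0]
    return ids


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return pairs of idmap domains whose ranges intersect; Samba needs them disjoint."""
    names = sorted(ranges)
    pairs: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


Hit = Tuple[str, int, str, str, Tuple[int, int]]


def audit(smb_conf: str, passwd: str, group: str) -> List[Hit]:
    """Return (kind, id, local name, idmap domain, range) for each local ID inside a range."""
    ranges = parse_idmap_ranges(smb_conf)
    hits: List[Hit] = []
    for kind, db in (("uid", passwd), ("gid", group)):
        for ident, name in sorted(parse_ids(db).items()):
            for domain, (lo, hi) in sorted(ranges.items()):
                if lo <= ident <= hi:
                    hits.append((kind, ident, name, domain, (lo, hi)))
    return hits


if __name__ == "__main__":
    for domains in overlapping_ranges(parse_idmap_ranges(SAMPLE_SMB_CONF)):
        print("idmap ranges overlap:", domains)
    for kind, ident, name, domain, (lo, hi) in audit(SAMPLE_SMB_CONF, SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"local {kind} {ident} ({name}) lies in idmap range of '{domain}' ({lo}-{hi})")
```

With the sample data the audit reports UID/GID 1000 and 1001 as lying inside the "*" range 1000-5000, while GID 6000 is clear of both ranges; the fix is either to move the local accounts out of every idmap range (as the reporter did) or to start the default range above any ID that local accounts use.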
