idmap config range filter is not working for group ids
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba4 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
We configure clients to use Samba winbind to integrate into Active Directory.
The IDs of our AD users and AD groups start above 10,000, so we set the filter to
idmap config COMPANY : range = 10000-165000
Unfortunately, all AD users get membership of group 1001, which is an Active Directory BUILTIN group:
getent -s winbind group 1001
BUILTIN\
But since there is a local user with ID 1001 and also a local group with ID 1001, all AD users in AD group 1001 (BUILTIN\users) end up in the local group 1001, which is not wanted.
I changed the order in /etc/nsswitch.conf from
passwd: files winbind systemd
group: files winbind systemd
to
passwd: winbind systemd files
group: winbind systemd files
and it is working as expected!
The question is whether it is right to change this behavior in nsswitch.conf as I did, or whether the idmap config range should filter out these lower IDs around 1000.
smb.conf:
[global]
workgroup = COMPANY
realm = COMPANY.DE
security = ads
kerberos method = secrets and keytab
server role = member server
local master = no
domain master = no
disable netbios = yes
log level = 3
idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config COMPANY : backend = ad
idmap config COMPANY : range = 10000-165000
idmap config COMPANY : schema_mode = rfc2307
idmap config COMPANY : unix_nss_info = no
idmap config COMPANY : unix_primary_group = yes
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
inherit permissions = Yes
inherit acls = Yes
acl group control = yes
nt acl support = yes
server string = %h server (Samba, Ubuntu)
log file = /var/log/
max log size = 1000
logging = file
panic action = /usr/share/
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\
pam password change = yes
map to guest = bad user
usershare allow guests = yes
summary changed: "idmap config range filter is not working anymore" -> "idmap config range filter is not working"
summary changed: "idmap config range filter is not working" -> "idmap config range filter is not working for group ids"
Ok, I correct myself: it's not good to change the order in nsswitch.conf!
After preferring winbind first, local users in local group 1000 are resolved as "BUILTIN\administrators" in AD, and local users in local group 1001 are in the domain group "BUILTIN\users", which is not wanted and could be a security problem.
Not changing the order resolves users who are in the domain group 1001 ("BUILTIN\users") to the local group 1001, which is not wanted either!
So I think we have a security problem here, unless I'm doing something wrong with the config.
My solution now is to change the IDs of local users and groups to higher ones that are not used in AD, and to change the permissions accordingly.
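The collision described in the report and in the follow-up comment can be checked mechanically. The script below is an added example and is not code from the bug report or from Samba: it parses the `idmap config <domain> : range` lines of an smb.conf, then reports every local UID/GID from /etc/passwd and /etc/group that lies inside one of those ranges, plus any idmap ranges that intersect each other. The relevant Samba behaviour is that BUILTIN and other well-known SIDs are mapped through the default `*` domain, not through the `COMPANY` domain, and the tdb backend allocates IDs for them from the low end of the `*` range; with `idmap config * : range = 1000-5000` that is exactly where Ubuntu creates local accounts, which is why BUILTIN\Administrators and BUILTIN\Users landed on 1000 and 1001. The smb.conf fragments and the passwd/group lines embedded here are constructed sample data, and the corrected `*` range of 3000-7999 is one choice (the one the Samba wiki examples use) that is clear of both the local accounts and the `COMPANY` range.

```python
"""Check smb.conf idmap ranges against local accounts.

Added example for the bug report above; not part of Samba or of the report.
All smb.conf, passwd and group content below is constructed sample data.
"""
import re

# idmap lines as reported: the default '*' domain (used by winbind for BUILTIN
# and other well-known SIDs) starts at 1000, where local accounts live.
SMB_CONF_REPORTED = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000-5000
   idmap config COMPANY : backend = ad
   idmap config COMPANY : range = 10000-165000
"""

# Same configuration with the '*' range moved clear of local UIDs/GIDs and of
# the COMPANY range (3000-7999 is the value the Samba wiki examples use).
SMB_CONF_FIXED = SMB_CONF_REPORTED.replace("range = 1000-5000", "range = 3000-7999")

# Constructed /etc/passwd and /etc/group lines for a host with two local users
# created by the distribution's adduser (UIDs/GIDs 1000 and 1001).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
backup:x:1001:1001:Backup Operator:/home/backup:/bin/bash
"""
LOCAL_GROUP = """\
root:x:0:
admin:x:1000:
backup:x:1001:
"""

# Matches e.g. "idmap config COMPANY : range = 10000-165000"; smb.conf keys are
# case-insensitive and whitespace around ':' and '=' is optional.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ids(db_text):
    """Return [(name, id)] from passwd or group lines; field 3 is UID or GID in both."""
    out = []
    for line in db_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            out.append((parts[0], int(parts[2])))
    return out


def find_collisions(conf_text, passwd_text, group_text):
    """Return (local_hits, overlaps).

    local_hits: (kind, name, id, domain) for each local UID/GID that lies inside
                an idmap range, i.e. an ID winbind may also allocate to a SID.
    overlaps:   (domain_a, domain_b) for idmap ranges that intersect each other.
    """
    ranges = parse_idmap_ranges(conf_text)
    hits = []
    for kind, db in (("uid", passwd_text), ("gid", group_text)):
        for name, ident in parse_ids(db):
            for dom, (lo, hi) in ranges.items():
                if lo <= ident <= hi:
                    hits.append((kind, name, ident, dom))
    doms = sorted(ranges)
    overlaps = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((a, b))
    return hits, overlaps


def report(label, conf_text):
    """Print a human-readable summary for one configuration."""
    hits, overlaps = find_collisions(conf_text, LOCAL_PASSWD, LOCAL_GROUP)
    print(f"== {label}: ranges {parse_idmap_ranges(conf_text)}")
    for kind, name, ident, dom in hits:
        print(f"  local {kind} {ident} ({name}) lies inside idmap range of domain {dom!r}")
    for a, b in overlaps:
        print(f"  idmap ranges of {a!r} and {b!r} overlap")
    if not hits and not overlaps:
        print("  no collisions")


if __name__ == "__main__":
    report("as reported", SMB_CONF_REPORTED)
    report("corrected", SMB_CONF_FIXED)
```

On a real member server, feed the script the output of `testparm -s` together with the host's /etc/passwd and /etc/group instead of the embedded samples, and compare with `wbinfo --sid-to-gid S-1-5-32-545` (BUILTIN\Users) to see which GID winbind currently hands out. Note that the tdb backend persists allocations in winbindd_idmap.tdb, so changing the `*` range only affects mappings that have not been allocated yet; existing entries for the BUILTIN SIDs have to be removed as well, and any file ownership that already refers to the colliding IDs has to be reviewed.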