From: pe...@nmti.com (Peter da Silva)
Subject: Another problem with NT/WinDD/Samba
Date: 1995/07/28
Message-ID: <id.2S_L1.E92@nmti.com>
X-Deja-AN: 107052190
sender: pe...@nmti.com (peter da silva)
organization: Network/development platform support, NMTI
newsgroups: comp.protocols.smb

Security problem with NT, WinDD, and Samba.

Situation:

	Multiple users concurrently on an NT box.
	One user logs onto a Samba drive.
	A second user logs onto the same drive.
	NT doesn't request the password again.

	Either:

		1. NT is reusing the same connection.
		2. NT is reusing the password.
		3. Samba is noting "this came from the same machine
			as last time, I trust it."

Anyone got any ideas?

Unlike the other user, I'm not having the problem with it providing access
to all the homes.
-- 
Peter da Silva    (NIC: PJD2)                             `-_-'
Network Management Technology Incorporated                 'U`
1601 Industrial Blvd.     Sugar Land, TX  77478  USA
+1 713 274 5180                                "Har du kramat din varg idag?"

From: jer...@netcom.com (Jeremy Allison)
Subject: Re: Another problem with NT/WinDD/Samba
Date: 1995/08/04
Message-ID: <jeremyDCt0Mz.4p0@netcom.com>
X-Deja-AN: 107566444
sender: jer...@netcom7.netcom.com
references: <id.2S_L1.E92@nmti.com> <3vcdpd$d7n@news.austria.eu.net> <id.C21M1.BA5@nmti.com>
organization: NETCOM On-line Communication Services (408 261-4700 guest)
newsgroups: comp.protocols.smb

I have been doing some analysis on a similar problem
and I believe it is a Samba bug - not a WinDD problem.
The good news is I have a fix !

I have recently upgraded to NT3.51 - this allows an su
command to create two cmd windows on the same user session
that are running in different user contexts. When I do this
I find a problem as follows.

In cmd 1) - running as user jra.
C:\> net use x: \\server\jra

The command completed successfully
x:
X:\> echo >testfile

Checking on the UNIX server I find file testfile in my
home directory is owned by jra - all well and good.

Now I switch to cmd2) - running as administrator (note
that samba has the usermap setup to do the mapping from
username Administrator -> root).

C:\> X:
X:\> echo >test-admin

Checking on the UNIX server I find file test-admin in my
home directory is also owned by jra - not at all good !

Looking in the samba log I find that when the second create
is done samba gives the message "skipping become_user, already done"
(or similar words).

I believe this may be similar to the problems seen by WinDD users
mounting a Samba drive.

Ok - it may be no different when accessing an NT drive I thought - so
I repeated the same test after mounting a WinNT 3.51 NTFS share.

This worked correctly - file testfile was owned by user jra, file
test-admin is owned by Administrator. So I decided that NT must be
sending the correct information - it is just that Samba doesn't 
interpret it correctly.

After much grubbing around in samba debug logs I find the following :-

When a new session is set up with SMBsession_setup_and_X samba
looks at smb_pid and smb_uid to distinguish from an old session.
The mistake it is making is that it assumes smb_uid is set by the
redirector - in fact the redirector treats this as a read only 
field and it should be being set by samba.

Now to the point of this article - I have a modified version of
samba 1.9.14alpha11 that sets the smb_uid field to the known uid
of the user that has been validated by the SMBsession_setup_and_X
call (it also does some group manipulation). When an SMB request
comes in it uses the supplied smb_uid to do the become_user() call
before performing the request, instead of automatically becoming
the user stored in the Connection struct. Note that it does not
arbitrarily trust the client to supply a valid user id (can you say
enormous security hole :-) but validates the supplied user id against
the list of previously validated user ids, ie. the client must
already have supplied the correct username/password pair before this
uid will be accepted.

This fixed version works correctly with the NT su program discussed
above, but I have no access to WinDD for a test. Andrew is pretty 
busy at the moment (that is why alpha11 is the latest release) so
I would appreciate it if people who have access to WinDD and are able
to test a new version of samba would email me at jer...@netcom.com
and I will send you my modified source tree. I will also send the patches
to Andrew to integrate when he is able. If you could test this out
or perhaps people who have contacted Tektronix to get them to investigate
this problem could email me and put me in touch with Tektronix support
I would appreciate it very much.

Cheers,

	Jeremy Allison
	jer...@netcom.com
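The validation scheme Jeremy describes above, as an added example that is not Samba's own code (nor Jeremy's patch): session setup records each user who has presented correct credentials and hands back a user id for that session; a later request is run as the user its supplied id names only if that id is in the table, and the old "always become the user stored in the Connection struct" behaviour is shown beside it for comparison. All names here (vuid_table, session_setup, uid_for_request_old/fixed, session_logoff), the vuid numbering and the sample accounts are constructed assumptions.

```c
/* Added example modelling the fix described in the post: a table of users
 * validated at session setup, keyed by the id handed back to the client.
 * Not Samba code; all names and sample values are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_VUIDS 16
#define VUID_BASE 100          /* constructed: first session user id handed out */

struct validated_user {
    char name[32];
    int  unix_uid;             /* uid the server will become for this vuid */
    int  in_use;
};

static struct validated_user vuid_table[MAX_VUIDS];

/* Constructed stand-in for the password check done at session setup.
 * Returns the unix uid on success, -1 on failure. Sample accounts only. */
static int check_credentials(const char *user, const char *password)
{
    if (strcmp(user, "jra") == 0 && strcmp(password, "jra-secret") == 0)
        return 1001;
    /* models the usermap entry Administrator -> root */
    if (strcmp(user, "Administrator") == 0 && strcmp(password, "admin-secret") == 0)
        return 0;
    return -1;
}

/* Session setup: validate the credentials, record the user, return its vuid.
 * Returns -1 if the credentials are wrong or the table is full. */
int session_setup(const char *user, const char *password)
{
    int uid = check_credentials(user, password);
    if (uid < 0)
        return -1;
    for (int i = 0; i < MAX_VUIDS; i++) {
        if (!vuid_table[i].in_use) {
            strncpy(vuid_table[i].name, user, sizeof vuid_table[i].name - 1);
            vuid_table[i].name[sizeof vuid_table[i].name - 1] = '\0';
            vuid_table[i].unix_uid = uid;
            vuid_table[i].in_use = 1;
            return VUID_BASE + i;
        }
    }
    return -1;
}

/* Logoff: the vuid stops being accepted from this point on. Returns 0, or -1
 * if the vuid was not in use. */
int session_logoff(int vuid)
{
    int idx = vuid - VUID_BASE;
    if (idx < 0 || idx >= MAX_VUIDS || !vuid_table[idx].in_use)
        return -1;
    vuid_table[idx].in_use = 0;
    return 0;
}

/* Old behaviour: every request runs as the user stored with the connection,
 * whatever the request's own user id field says. This is why test-admin
 * ended up owned by jra in the post. */
int uid_for_request_old(int connection_uid, int supplied_vuid)
{
    (void)supplied_vuid;
    return connection_uid;
}

/* Fixed behaviour: the supplied vuid selects the user, but only if it was
 * issued by session_setup; anything else is refused with -1 rather than
 * trusted, so a client cannot pick a uid it never authenticated as. */
int uid_for_request_fixed(int supplied_vuid)
{
    int idx = supplied_vuid - VUID_BASE;
    if (idx < 0 || idx >= MAX_VUIDS || !vuid_table[idx].in_use)
        return -1;
    return vuid_table[idx].unix_uid;
}

int main(void)
{
    int jra   = session_setup("jra", "jra-secret");              /* cmd 1 */
    int admin = session_setup("Administrator", "admin-secret");  /* cmd 2 */
    int conn_uid = uid_for_request_fixed(jra);                   /* connection opened by jra */

    printf("old:   test-admin created as uid %d\n", uid_for_request_old(conn_uid, admin));
    printf("fixed: test-admin created as uid %d\n", uid_for_request_fixed(admin));
    printf("fixed: unknown vuid 999 -> %d (refused)\n", uid_for_request_fixed(999));
    session_logoff(admin);
    printf("fixed: vuid %d after logoff -> %d (refused)\n", admin, uid_for_request_fixed(admin));
    return 0;
}
```

The point of the comparison is in the two uid_for_request functions: the old path ignores the per-request user id entirely, while the fixed path honours it only when it maps to a session that actually passed the password check, which is exactly the "not arbitrarily trusting the client" property the post insists on.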