A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
Setting "gensec:require_pac=true" in the smb.conf makes, due to a cache prime in winbind, the DOMAIN\user lookup succeed, provided nss_winbind is in use, 'winbind use default domain = no' (the default) and no error paths are hit.
It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg
samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password(repeat for eg all system users under 1000 in /etc/passwd or special to any other AD-connected services, eg perhaps "admin" for a web-app)
samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
Vulmon