1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2007-4138: Incorrect primary group assignment domain users
12 using the rfc2307 or sfu winbind nss info plugin</H2>
16 ==========================================================
18 == Subject: Incorrect primary group assignment for
19 == domain users using the rfc2307 or sfu
20 == winbind nss info plugin.
22 == CVE ID#: CVE-2007-4138
24 == Versions: Samba 3.0.25 - 3.0.25c (inclusive)
26 == Summary: When the "winbind nss info" parameter in
27 == smb.conf is set to either "sfu" or "rfc2307",
28 == Windows users are incorrectly assigned
29 == a primary gid of 0 in the absence of the
30 == RFC2307 or Services or Unix (SFU) primary
33 ==========================================================
39 The idmap_ad.so library provides an nss_info extension to Winbind
40 for retrieving a user's home directory path, login shell and
41 primary group id from an Active Directory domain controller. This
42 functionality is enabled by defining the "winbind nss info"
43 smb.conf option to either "sfu" or "rfc2307".
45 Both the Windows "Identity Management for Unix" and "Services for
46 Unix" MMC plug-ins allow a user to be assigned a primary group
47 for Unix clients that differs from the user's Windows primary group.
48 When the rfc2307 or sfu nss_info plugin has been enabled, in
49 the absence of either the RFC2307 or SFU primary group attribute,
50 Winbind will assign a primary group ID of 0 to the domain user
51 queried using the getpwnam() C library call.
58 A patch addressing this defect has been posted to
60 http://www.samba.org/samba/security/
62 Additionally, Samba 3.0.26 has been issued as a security
63 release to correct the defect.
70 Samba and Active Directory administrators may avoid this security
73 (a) Ensure that all user's stored in AD are properly assigned a
74 Unix primary group, or
75 (b) Discontinue use of the sfu or rfc2307 "winbind nss info" plugin
76 until a patched version of the idmap_ad.so library can be
79 Note that the problem is only evident on servers using the sfu
80 or rfc2307 "winbind nss info" plugin and not those only making
81 use of Winbind's idmap_ad IDMap backend interface.
88 This vulnerability was reported to Samba developers by Rick King
91 The time line is as follows:
93 * Aug 29, 2007: Initial report from Rick King.
94 * Aug 29, 2007: First response from Samba developers confirming
95 the bug along with a proposed patch.
96 * Sep 4, 2007: Announcement to vendor-sec mailing list.
97 * Sep 11, 2007: Public security advisory made available.
101 ==========================================================
102 == Our Code, Our Bugs, Our Responsibility.
104 ==========================================================