[Samba] Questions about 3.0.12rc1

Sergey Loskutov lsm at tts.magadan.su
Mon Mar 14 23:18:28 GMT 2005


Gerald (Jerry) Carter wrote:

>> Sergey Loskutov wrote:
>> | Hello!
>> |
>> | Before this post, I sent 3 problems in 3.0.11.
>> | I compiled 3.0.12rc1 and found the following:
>> |
>> | 1) Setting the primary group .... problem solved, but a question to the developer:
>> |    You appended to mapping.c in smb_set_primary_group
>> |    ret = smbrun(add_script,NULL);
>> |    flush_pwnam_cache();
>> |    ^^^^^^^^^^^^^^^^^^^^
>> |  But you do not check the ret code ..... if my script exits with code != 0, I
>> | still change the primary group ... ( is the "set primary group" script still needed ? )
>> 
> It's just flushing the internal pwnam cache.  Semantically this is ok.
> Probably not optimal.  I'll look at it later.
I know that you are flushing the cache... but thank you

>> 
>> | 3)  I analyzed problem 1
>> | ( a user who does not have the "add machine account" privilege )
>> |
>> | In function _samr_create_user ( srv_samr_nt.c ) you have code:
>> |
>> | if ( can_add_account )
>> |   become_root();
>> |
>> | And if the user does not have the privileges (user|machine), you MAY CREATE a USER (
>> | posix account or machine account ) through the SCRIPT  :(((((
>> |
>> | I changed the code to:
>> |
>> | if ( can_add_account == False ) {
>> |   return NT_STATUS_ACCESS_DENIED;
>> | }
>> | it fixed the problem ....
>> | I did a simple test and it works correctly, ... but I did
>> | not do a full test.
>> 
> I've thought about this before.  The problem is actually that
> your 'add user script' can be run successfully as a non-root user.
> A simple 'chmod 700 <script>; chown root <script>' will solve this.
> I'll look at it some more but this is not a pressing issue I don't
> think.  smbd is not doing anything that the normal user couldn't do
> anyways.  And your fix doesn't cover all the possible scenarios
> (e.g. root user with no assigned privileges should still be able to join
> clients to the domain).

NO NO NO, setting chmod or chown .....
Why are privileges needed ? :) I want to set the "add machine" privilege for a
user who is not a member of root ....

Sample :)

chmod 770 <script>; chown root."smart man" <script>;
Looks good :)

User:  John ( member in "smart man" )
User:  Leon ( member in "smart man" )

I want to give the privilege to John, but not to Leon ...  :)

Why must I use setfacl|getfacl ..... I have privileges .....
your decision ... bad

And anyway a user who has uidNumber == 0 and does not have privileges is not
able to join machines and users ;) I checked this before sending the code.

And why am I permitted to execute the script if the code semantics do not allow
using ldap when not a member of root ?  Check your ldap code  ;)


Thank you for your help !


Sergey Loskutov
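The two defects argued over in this thread, a hook script whose exit status is ignored before state is changed and a privilege check that does not gate the script at all, come down to ordering. The following C program is an added illustration written for this page; it is not Samba code, and `smbrun()`, `flush_pwnam_cache()` and `_samr_create_user` are only referred to in comments. The status enum, the `hook_is_trusted()` permission check (which also covers Jerry's chmod point from the defender's side: a group- or world-writable hook is refused outright) and the `make_fixture()` helper are all assumptions of the example. The command string and the script file are kept separate so the example can run without executing a file under /tmp.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Hypothetical status codes standing in for Samba's NTSTATUS values. */
typedef enum {
    ST_OK = 0,
    ST_ACCESS_DENIED,   /* caller lacks the add-account privilege */
    ST_UNTRUSTED_HOOK,  /* script file permissions are unsafe */
    ST_HOOK_FAILED      /* script ran but exited non-zero */
} account_status;

/* Refuse hook scripts that group or world can modify: whoever can edit the
 * file gets code run with the daemon's privileges. The owner == root half of
 * the check is left out so the example runs as an unprivileged user. */
int hook_is_trusted(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Run a hook via the shell and return its exit status, or -1 if it did not
 * exit normally (signal, fork failure). This is what a caller has to do with
 * the value smbrun() returns instead of discarding it. */
int run_hook(const char *cmd) {
    int rc = system(cmd);
    if (rc == -1) return -1;
    if (!WIFEXITED(rc)) return -1;
    return WEXITSTATUS(rc);
}

/* Ordering the thread argues for: authorise first, validate the hook, run it,
 * and only then touch state (the flag stands in for flush_pwnam_cache()). */
account_status create_account(int can_add_account, const char *script_path,
                              const char *cmd, int *state_changed) {
    *state_changed = 0;
    if (!can_add_account)
        return ST_ACCESS_DENIED;     /* deny before any side effect */
    if (!hook_is_trusted(script_path))
        return ST_UNTRUSTED_HOOK;
    if (run_hook(cmd) != 0)
        return ST_HOOK_FAILED;       /* script failed: leave state untouched */
    *state_changed = 1;              /* flush_pwnam_cache() would go here */
    return ST_OK;
}

/* Constructed fixture: an empty temp file with the requested mode bits. */
int make_fixture(char *path_out, size_t len, mode_t mode) {
    char tmpl[] = "/tmp/hookXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, mode) != 0) { close(fd); return -1; }
    close(fd);
    snprintf(path_out, len, "%s", tmpl);
    return 0;
}

int main(void) {
    char path[64];
    int changed;
    if (make_fixture(path, sizeof path, 0700) != 0) return 1;
    printf("ok script:      status=%d changed=%d\n",
           create_account(1, path, "exit 0", &changed), changed);
    printf("failing script: status=%d changed=%d\n",
           create_account(1, path, "exit 3", &changed), changed);
    printf("no privilege:   status=%d changed=%d\n",
           create_account(0, path, "exit 0", &changed), changed);
    unlink(path);
    return 0;
}
```

The point of the fixture is to exercise the failure paths: a non-zero exit leaves `state_changed` at 0, a caller without the privilege never reaches the shell at all, and loosening the file mode to 0777 makes the same hook untrusted.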

