[Samba] System account home directory exposure

Anthony Messina amessina at messinet.com
Tue Jul 4 14:43:51 GMT 2006


Michael Gasch wrote:
> because samba in your setup probably relies on NSS, which has "files, ldap"
> settings?!?!
> 
> you could try to use "ldapsam:trusted (G)" or invalid users = root,
> ldap, ...
> 
> greez
> 
> Anthony Messina wrote:
>> I have an fc5 system running samba-3.0.22-1.fc5 and
>> smbldap-tools-0.9.2-2.fc5. This server acts as my pdc (netbios name
>> HOME) and a server for /home directories. I use ldapsam with openldap to
>> store all account info. I noticed while troubleshooting something else
>> that if I try to browse to the home directory of a system account, such
>> as "ldap" at \\HOME\ldap -- I am presented with a username/password
>> dialogue, even though the user "ldap" only exists in the systems
>> /etc/passwd file and is not in my openldap directory.
>>
>> It seems as though I should get a "not found" message rather than
>> confirmation that this account exists on the system.  Why is samba also
>> looking for users in the /etc/passwd file if I have specified that I
>> want to use ldapsam?  How do I stop this behavior?
>>
>> Any help or direction would be appreciated. My smb.conf and smbusers
>> file are below:
>>
>> ### /etc/samba/smb.conf ###
>> [global]
>> workgroup = example.com
>> netbios name = home
>> server string = Samba Domain Server
>> hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
>> hosts deny = 0.0.0.0/0
>> interfaces = lo eth0
>> bind interfaces only = yes
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>> printcap name = /etc/printcap
>> load printers = no
>> printing = cups
>> cups options = raw
>>
>> guest account = nobody
>>
>> log file = /var/log/samba/samba.log
>> max log size = 1024
>> log level = 1
>> security = user
>> lanman auth = no
>> client ntlmv2 auth = yes
>> enable privileges = yes
>>
>> ldap passwd sync = no
>> ldap admin dn = "uid=sambaroot,ou=People,dc=example,dc=com"
>> passdb backend = ldapsam:ldap://127.0.0.1
>> ldap ssl = off
>> ldap delete dn = yes
>> ldap suffix = dc=example,dc=com
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Group
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Idmap,dc=example,dc=com
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 16777216-33554431
>> idmap gid = 16777216-33554431
>>
>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>> delete user script = /usr/sbin/smbldap-userdel "%u"
>> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>
>> encrypt passwords = yes
>> unix password sync = Yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>
>> username map = /etc/samba/smbusers
>>
>> local master = yes
>> os level = 33
>> domain master = yes
>> preferred master = yes
>> domain logons = yes
>>
>> logon script = %U.bat
>> logon drive = H:
>> logon home = \\%L\%U
>>
>> name resolve order = wins lmhosts bcast
>> wins support = yes
>> wins proxy = no
>> dns proxy = no
>>
>> preserve case = yes
>>
>> nt acl support = yes
>>
>> template shell = /bin/false
>> winbind use default domain = no
>>
>> [homes]
>>     comment = Home Directory for %U
>>     csc policy = disable
>>     browseable = no
>>     writable = yes
>>     valid users = %S
>>     hide files = /Desktop.ini/desktop.ini/RECYCLER/Thumbs.db/
>>
>> [netlogon]
>>     comment = Network Logon Service
>>     path = /etc/samba/netlogon
>>     guest ok = yes
>>     writable = no
>>     browseable = no
>>     share modes = no
>>
>> ### /etc/samba/smbusers ###
>> #(all users are commented out)
>> #root = administrator admin
>> #nobody = guest
>>

OK, I have my PDC and BDC working with ldapsam:trusted = yes, and the
same issue occurs.

I then added invalid users = root, ldap, ... and it continues to occur.

What am I missing?  Samba wants to hand out home directories for any
user in /etc/passwd, even with invalid users and ldapsam:trusted set.

-- 
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
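
The behaviour described in this thread (a credential prompt for \\HOME\ldap even though "ldap" exists only in /etc/passwd) is an account-existence oracle: a client can tell Unix accounts from non-accounts by the server's answer to a tree connect. The script below is an added example, not code from the thread or from the Samba project, for checking a server for that exposure with smbclient. It assumes that smbclient reports a non-existent share as "tree connect failed: NT_STATUS_BAD_NETWORK_NAME", that any other tree-connect failure (typically NT_STATUS_ACCESS_DENIED, which is what produces the password dialog) means the [homes] share name resolved to a local account, and that a failure before tree connect (session setup, TCP connection) tells you nothing. The server name "home" comes from the post; the wordlist file name and its contents are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): probe a Samba
# server's [homes] share for Unix account names. Assumption: a tree connect
# to //server/<name> fails with NT_STATUS_BAD_NETWORK_NAME when <name> is
# not a local account and with some other status (e.g. NT_STATUS_ACCESS_DENIED)
# when it is, because [homes] is instantiated from the NSS user lookup.
# Requires smbclient on the probing host; classify_probe() needs no network.

# Map the output of one smbclient run to one word: absent | present | unknown.
classify_probe() {
    out=$1
    case $out in
        *NT_STATUS_BAD_NETWORK_NAME*)
            echo absent ;;                  # no share by that name, so no such user
        *"tree connect failed"*)
            echo present ;;                 # share resolved; access was refused
        *"session setup failed"*|*"Connection to"*|*NT_STATUS_*)
            echo unknown ;;                 # failed before the share name was tested
        *)
            echo present ;;                 # connected outright (guest or open share)
    esac
}

# Run one anonymous probe against //$1/$2 and classify its result.
probe_share() {
    host=$1 name=$2
    # -N: no password prompt, -c quit: disconnect immediately after tree connect.
    out=$(smbclient "//$host/$name" -N -c quit 2>&1 || true)
    classify_probe "$out"
}

# Probe every name in a wordlist (one per line) and print "<result>\t<name>".
enumerate_homes() {
    host=$1 wordlist=$2
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\t%s\n' "$(probe_share "$host" "$name")" "$name"
    done < "$wordlist"
}

# Usage: sh homes_probe.sh home sysaccounts.txt
# A hypothetical wordlist of common Fedora system accounts:
#   printf '%s\n' root bin daemon ldap nobody apache mysql > sysaccounts.txt
if [ $# -eq 2 ]; then
    enumerate_homes "$1" "$2"
fi
```

Run it from a host in the "hosts allow" ranges (anything else is rejected before the share name matters). Every line reported as "present" is an account name the server has confirmed; after changing the configuration, rerun the probe and expect "absent" for names that exist only in /etc/passwd.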
