Patches to head (become_root and some RPC stuff)
Doug VanLeuven
ldx at ibm.net
Tue Aug 24 23:26:32 GMT 1999
Michael Stockman wrote:
> > > I don't know LDAP, so please, could you tell me how the LDAP
> server is
> > > secured, because that is the key to what smbd is doing wrong.
> > >
> >
> > the ldap server should be run on loopback or over an sshd-proxy to
> the
> > ldap server. in either case, the connection from samba should be to
> > 127.0.0.1
>
> That is good. What may have been unclear is that I really asked how
> the contents of the LDAP databas (I suppose it is) are secured,
> especially in Dougs server.
>
> If an ordinary user would have access to the same data as samba
> obtains, asking LDAP directly, then the problem is in LDAP and not in
> samba. While this is unknown, there is little I can do. Sorry if I was
> unclear.
>
ldap bind as = "uid=root, o=LDX Micros, c=US"
ldap passwd file = /usr/local/sambaNT/private/ldappasswd
ldap server = localhost
samba gets to bind as root to the LDAP db. The password is in the file
and subsequently known only to samba. Client asks samba. samba asks ldap.
I set LDAP up according to Ignacio Coupeau's helpful howto.
http://www.unav.es/cti/ldap-smb-howto.html
The only changes I made were to require objectClass for sambaGroup,
sambaBuiltin, & sambaAlias and I added one schema for objectclass sambaAlias
based on my reading of samba code.
None of which affects security or access. The individual LDAP records
are not individually password protected or anything.
When I was running sambaHEAD straight off the passwd & group files this
issue didn't come up because who is in what group is predetermined by
a set of static files maintained by an administrator in unix. At least I never
was successful at reordering group membership from an NT client.
I've been administering NT since 3.51 and have got so programmed into
you-must-be-an-administrator to manipulate the sam db that I must
confess I didn't even try to do some of these things as a non-admin until
you asked for the effects of eliminating become_root.
Doesn't samba have to make the call because "Domain Admins" may not even
be mapped to a unix group id, so how can it rely on the underlying
unix stucture to assist? Purely phylosophical question.
-- Doug VanLeuven - 707-545-6933 (voice) 707-545-6945 (fax)
Chief Engineer, USMM roamdad at ibm.net
Programmer/Analyst, SCWA doug at scwa.ca.gov
More information about the samba-technical
mailing list