Patches to head (become_root and some RPC stuff)

Michael Stockman pgmtekn at algonet.se
Wed Aug 25 21:17:27 GMT 1999


> I read thru this message again & got a different insight.  Any unix
> user can access the LDAP database for read.  If they know the LDAP
> "root" password they can modify it.
> defaultaccess read
>
> My slapd.conf
>
> suffix  "o=LDX Micros, c=US"
> rootdn  "uid=root, o=LDX Micros, c=US"
>
> defaultaccess read
> access to dn=".*, o=LDX Micros, c=US"
>  by self write
>  by * search
>
> Samba binds to the rootdn using the secret password.
> Am I getting a glimmer that this may need to be redone in a more
> restrictive way?

This makes smbd "innocent". The user has read access to the LDAP
database and thus usrmgr and srvmgr should work, as that is what they
need (to show anyway).

This LDAP root password thing is a major concern in regards to
security. __IF__ the builtin/configured password is used when the user
tries to change group memberships in the LDAP database, then there is
really no stopping to what any user can do (except the faults in our
RPC implementation).

This is just my imagination, so if anyone knows this, please
elaborate. Also, if there is a problem (and it sounds like there is),
could someone with LDAP do something about it?

---

This points out one very important thing: SAMBA IS NOT NT! Anything
you learned with NT will need to be checked before you know if it
works or not in samba (maybe we are bad at pointing out the
differences?). Also, we have the option of making things differently
(better) than NT, since there are areas where this could be desired.

My vision for samba is that we are going to remain (get to) unix -
that is reliable, secure, configurable and documented (possibly in
that order). Anyone can make their own conclusions about where this
prioritization would put NT. Still, there is a lot to do in samba before
it works (completely to our satisfaction).

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se
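To make the concern above concrete, here is an added toy model (not Samba or OpenLDAP code) of the quoted slapd.conf access rules: the rootdn bypasses all access directives, otherwise the first matching `access to` clause decides. The DNs for alice and bob are constructed examples; it shows that whether smbd binds as the rootdn or as the requesting user decides whether "by self write / by * search" can restrict anything.

```python
import re

# Values taken from the quoted slapd.conf; alice/bob are constructed.
ROOTDN = "uid=root, o=LDX Micros, c=US"
DEFAULT_ACCESS = "read"
ACLS = [
    # access to dn=".*, o=LDX Micros, c=US"  by self write  by * search
    (r".*, o=LDX Micros, c=US", [("self", "write"), ("*", "search")]),
]
LEVELS = ["none", "compare", "search", "read", "write"]


def granted(bind_dn, target_dn):
    """Access level bind_dn has on target_dn under the model above."""
    # The rootdn is never subject to access directives (slapd semantics).
    if bind_dn == ROOTDN:
        return "write"
    for pattern, clauses in ACLS:
        if re.fullmatch(pattern, target_dn):
            # First 'by' clause that applies wins.
            for who, level in clauses:
                if who == "*" or (who == "self" and bind_dn == target_dn):
                    return level
            return "none"  # clause set matched, but no 'by' applied
    return DEFAULT_ACCESS


def allows(bind_dn, target_dn, wanted):
    """True if the granted level is at least the wanted level."""
    return LEVELS.index(granted(bind_dn, target_dn)) >= LEVELS.index(wanted)


def can_change_groups(requesting_user_dn, target_dn, smbd_binds_as_root):
    """Can a Samba user get target_dn's group membership modified?

    If smbd does the write with the rootdn credential the ACL is bypassed
    for every user; if it binds as the requesting user, only 'self' can write.
    """
    bind_dn = ROOTDN if smbd_binds_as_root else requesting_user_dn
    return allows(bind_dn, target_dn, "write")
```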