Patches to head (become_root and some RPC stuff)

Jean Francois Micouleau Jean-Francois.Micouleau at dalalu.fr
Thu Aug 26 07:25:23 GMT 1999



On Thu, 26 Aug 1999, Michael Stockman wrote:

> > Samba binds to the rootdn using the secret password.
> > Am I getting a glimmer that this may need to be redone in a more
> > restrictive way?

You can create a Samba account in the LDAP database and use it to bind.


> This makes smbd "innocent". The user has read access to the LDAP
> database and thus usrmgr and srvmgr should work, as that is what they
> need (to show anyway).
> 
> This LDAP root password thing is a major concern in regards to
> security. __IF__ the builtin/configured password is used when the user
> tries to change group memberships in the LDAP database, then there is
> really no stopping what any user can do (except the faults in our
> RPC implementation).

You can put ACLs on the LDAP server to stop users from seeing other users'
NT/LM hashes.

> This is just my imagination, so if anyone knows this, please
> elaborate. Also, if there is a problem (and it sounds like there is),
> could someone with LDAP do something about it?

This is not your imagination. First, using LDAP with a Samba account to
bind instead of the rootdn, and applying ACLs on users, is NOT less secure
than the /etc/passwd file.

To sum up:
Currently Samba authenticates to the LDAP server using a special account
(the rootdn or a Samba one) and does a search to check users when they
log in.

Another way would be for Samba to authenticate under the user's DN: if the
authentication is granted, then the user is allowed to log in. This is what
most (if not all) LDAP clients do (check, for example, the ldapsearch tool
sources). And you can't do that with Samba UNLESS your LDAP server
accepts authentication with NT/LM hashes.


	Jean Francois
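An added example, not part of the thread and not Samba's own configuration: an OpenLDAP 2.x slapd.conf access-control fragment of the kind described above, where smbd binds as a dedicated Samba account rather than the rootdn and the directory's ACLs keep other users away from the NT/LM hashes. The DNs, the ou names and the attribute names lmPassword/ntPassword (the hash attributes of the Samba LDAP schema of that era) are assumptions; check them against the schema you actually load.

```conf
# Assumed layout (not from the thread): user entries live under
# ou=people,dc=example,dc=com and smbd binds as
# cn=samba,ou=services,dc=example,dc=com instead of the rootdn.

# Rule 1: the NT/LM hash attributes. Only the Samba bind account and the
# entry owner may touch them; everyone else gets nothing at all (not even
# a compare, which would allow hash guessing through the directory).
access to attrs=lmPassword,ntPassword
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by self write
    by * none

# Rule 2: everything else in the user tree. Authenticated users may read
# (enough for usrmgr/srvmgr to display accounts and groups), only the
# Samba account may write; anonymous clients see nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by users read
    by * none

# Rule 3: whatever remains is read-only for authenticated users.
access to *
    by users read
    by * none
```

Two points a practitioner should check when adapting this. OpenLDAP evaluates access rules in order and stops at the first one whose target matches, so the attribute rule has to come before the subtree rule, otherwise the subtree rule would grant `users read` on the hashes too. And the rootdn bypasses access control entirely, which is exactly why the ACLs achieve nothing as long as smbd binds as the rootdn: the least-privilege gain only exists once smbd binds as the dedicated account whose rights these rules define. The `by self write` line is what lets a user change their own password; if Samba is the only thing that should ever write hashes, drop it and keep write for the Samba account alone.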
