Patches to head (become_root and some RPC stuff)

Doug VanLeuven ldx at ibm.net
Fri Aug 27 22:49:03 GMT 1999


Jean Francois Micouleau wrote:

> On Thu, 26 Aug 1999, Michael Stockman wrote:
>
> > > Samba binds to the rootdn using the secret password.
> > > Am I getting a glimmer that this may need to be redone in a more
> > restrictive way?
>
> you can create a samba account in the ldap database and use it to bind.

Still within the base suffix, every samba connection binds as an entity
capable of read/write on every entry.

> > This makes smbd "innocent". The user has read access to the LDAP
> > database and thus usrmgr and srvmgr should work, as that is what they
> > need (to show anyway).
> >
> > This LDAP root password thing is a major concern in regards to
> > security. __IF__ the builtin/configured password is used when the user
> > tries to change group memberships in the LDAP database, then there is
> > really no stopping to what any user can do (except the faults in our
> > RPC implementation).
>
> you can put ACLs on the ldap server to limit users to see other users
> NT/LM hashes.

True. I can limit access from clients other than samba.

> > This is just my imagination, so if anyone knows this, please
> > elaborate. Also, if there is a problem (and it sounds like there is),
> > could someone with LDAP do something about it?
>
> This is not your imagination. First using LDAP with a samba account to
> bind instead of the rootdn and applying ACLs on users is NOT less secure
> than the /etc/passwd file.

Consider this.  I am user joe.  I don't belong to any administrative groups
either in unix or NT.  I connect to samba.  My process runs as joe.
If joe tries to rewrite /etc/group adding joe to the group 0, unix would stop
him because joe does not have permission to write.
If joe tries to rewrite an NT account in an LDAP db, samba connects with
read/write permissions and joe adds himself to "Domain Admin".

> To sum up:
> currently samba authenticates to the ldap server using a special account
> (the rootdn or a samba one) and does a search to check users when they
> log in.
>
> another way would be for samba to authenticate under the user DN; if the
> authentication is granted then the user is allowed to log in. This is what
> most (if not all) ldap clients do (check for example the ldapsearch tool
> sources). And you can't do that with Samba UNLESS your ldap server
> accepts authentication with NT/LM hashes.
>
>         Jean Francois

This has my vote as it places the burden of authentication on the LDAP
server, much like the burden falls on the underlying auth mechanisms
of unix for non-LDAP accesses.

Please, please, please some samba-ldap-PDC admin try this sequence:
1. Get Pedestal Software's NT command line security utilities.
   They offer a free one-month test-drive download:
   http://www.pedestalsoftware.com
   I only say "use this" because I know it works normally in a pure NT
   environment as well as functioning with samba HEAD for adding users to groups.
2. Create a user who belongs in any common domain group
3. Log in on that workstation as that user & add yourself to "Domain Admins":
  ntuser -s <sambapdc> group append "Domain Admins" <user>
4. See if you were successful.

If you were, can we open a discussion?

I've been denied access when the user is -only- a member of "Domain Guests".
Otherwise successful.

I used OpenLDAP with samba binding to rootdn.
I used Netscape's LDAP server binding to a branch.

-- Doug VanLeuven - 707-545-6933 (voice) 707-545-6945 (fax)
Chief Engineer, USMM roamdad at ibm.net
Programmer/Analyst, SCWA doug at scwa.ca.gov
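As an added illustration (not part of the thread), this is the shape of the OpenLDAP slapd.conf ACL Jean Francois refers to. Assumed names: the suffix dc=example,dc=com, a dedicated bind DN cn=samba,dc=example,dc=com, the lmPassword/ntPassword attributes of the sambaAccount schema, and posixGroup entries whose membership lives in memberUid.

```conf
# Added example, not from the thread. All names below are assumptions:
# suffix dc=example,dc=com, Samba bind DN cn=samba,dc=example,dc=com,
# hash attributes lmPassword/ntPassword, group membership in memberUid.
#
# Caveat first: in OpenLDAP the rootdn is exempt from every "access to"
# rule. If Samba binds as cn=Manager (the rootdn), none of this applies
# to the connection Samba opens on behalf of joe, which is the gap Doug
# describes. These rules only bite for other LDAP clients, and for Samba
# itself once it binds as a less privileged DN or as the user's own DN.

# NT/LM hashes: readable/writable by the Samba DN and by the entry's own
# owner (password change), invisible to everyone else, authenticated or not.
access to attrs=lmPassword,ntPassword
        by dn="cn=samba,dc=example,dc=com" write
        by self write
        by * none

# Group membership: readable by all, writable only by the Samba DN, so a
# user binding as his own DN cannot append himself to a privileged group.
# A write issued by Samba under its own DN is still allowed, which is why
# binding as the user DN (the second approach above) is the stronger fix.
access to attrs=memberUid
        by dn="cn=samba,dc=example,dc=com" write
        by * read

# Everything else: Samba DN and owner may write, others may read.
access to *
        by dn="cn=samba,dc=example,dc=com" write
        by self write
        by * read
```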