Patches to head (become_root and some RPC stuff)

Jean Francois Micouleau Jean-Francois.Micouleau at
Sat Aug 28 07:33:20 GMT 1999

On Fri, 27 Aug 1999, Doug VanLeuven wrote:

> Consider this.  I am user joe.  I don't belong to any administrative groups
> either in unix or NT.  I connect to samba.  My process runs as joe.
> If joe tries to rewrite /etc/group adding joe to the group 0, unix would stop
> him because joe does not have permission to write.
> If joe tries to rewrite an NT account in an LDAP db, samba connects with
> read/write permissions and joe adds himself to "Domain Admin".

You're right. 

> > another way would be for samba to authenticate under the user DN, if the
> > authentication is granted then the user is allowed to log in. This is what
> > most (if not all) ldap clients do (check for example the ldapsearch tool
> > sources). And you can't do that with Samba UNLESS your ldap server
> > accepts authentication with NT/LM hashes.

> This has my vote as it places the burden of authentication on the LDAP
> server much like the burden falls on the underlying auth mechanism's
> of unix for non-LDAP accesses.

OK. I totally agree. You have to store the NT/LM hashes in the
userPassword attribute then.

Luke Howard in rfc2307 proposes the form:

userPassword = {scheme}encryptedpassword

where scheme could be NThash and LMhash

or you have to hack your ldap server to check the password in ldap_bind()
against the lmPassword and ntPassword attributes.

Comments ?

> Please, please, please some samba-ldap-PDC admin try this sequence:
> 1. Get Pedestal Software's NT command line security utilities.
> they offer a test drive for 1 month free download
> I only say "use this", because I know it works normally in a pure NT
> environment as well as functioning with sambaHEAD for adding users to groups.
> 2. Create a user who belongs in any common domain group
> 3. log in on that workstation as that user & add yourself to "Domain Admins"
>   ntuser -s <sambapdc> group append "Domain Admins" <user>
> 4. See if you were successful.
> If you were, can we open a discussion ?
> I've been denied access when the user is -only- a member of "Domain Guests".
> Otherwise successful.
> I used OpenLDAP with samba binding to rootdn.
> I used Netscape's LDAP server binding to a branch.

As a preventive solution, you can have Samba bind using a
special account instead of the rootdn and deny write access to this

	Jean Francois
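The "special account with no write access" mitigation described at the end of the message, written out as an OpenLDAP slapd.conf ACL fragment. This is an added example, not code from the thread, from Samba or from OpenLDAP; every DN in it (`cn=samba,ou=services,dc=example,dc=com`, `cn=admin,dc=example,dc=com`, `ou=groups,dc=example,dc=com`) is an assumed placeholder, and the `attrs=` keyword is the spelling used by later OpenLDAP releases (the 1999-era server spelled it `attr=`). The `lmPassword`/`ntPassword` attribute names are the ones the message itself refers to. One fact worth keeping in mind when applying it: in OpenLDAP the rootdn is exempt from every ACL, so an ACL cannot restrain a daemon that binds as rootdn; the Samba bind account has to be an ordinary entry.

```conf
# Added example (not from the thread): slapd.conf ACLs for a Samba service
# account that may read what it needs to authenticate users but can never
# write group membership.  All DNs are assumed placeholders.
#
# slapd evaluates "access to" directives top-down and applies the first one
# whose target matches; within a directive the first matching "by" wins.

# Plain LDAP password: the owner may change it, anyone may use it to bind
# (auth), nobody may read it back (the Samba account included).
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# NT/LM hashes used for NTLM logons: the Samba account needs read access to
# verify a logon, the directory admin may set them, users may not touch them.
access to attrs=lmPassword,ntPassword
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" read
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# Group membership: only the directory admin (an ordinary entry, not the
# rootdn) may change it.  The Samba account gets read only, so a modify that
# Samba forwards on behalf of a logged-in user is refused by the server, and
# "joe adds himself to Domain Admins" fails at the LDAP layer.
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=memberUid,member
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read

# Everything else is read-only for the Samba account and for bound users.
access to *
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" read
    by users read
    by * none
```

Because the Samba account can no longer write `lmPassword`/`ntPassword`, password changes that Samba would perform on a user's behalf are refused as well; with this layout they have to go through the admin DN (or a separate, narrowly scoped `by self write` on those two attributes, which reintroduces exactly the question of who gets to modify what that the thread is debating). A quick way to confirm the ACL does what you expect is to bind as the service account and attempt a harmless modify of a test group's `memberUid`; the server should answer with an insufficient-access error.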

More information about the samba-technical mailing list