Patches to head (become_root and some RPC stuff)
Jean Francois Micouleau
Jean-Francois.Micouleau at dalalu.fr
Sat Aug 28 07:33:20 GMT 1999
On Fri, 27 Aug 1999, Doug VanLeuven wrote:
> Consider this. I am user joe. I don't belong to any administrative groups
> either in unix or NT. I connect to samba. My process runs as joe.
> If joe tries to rewrite /etc/group adding joe to the group 0, unix would stop
> him because joe does not have permission to write.
> If joe tries to rewrite an NT account in an LDAP db, samba connects with
> read/write permissions and joe adds himself to "Domain Admin".
You're right.
> > another way would be for samba to authenticate under the user DN, if the
> > authentication is granted then the user is allowed to log in. This is what
> > most (if not all) ldap clients do (check for example the ldapsearch tool
> > sources). And you can't do that with Samba UNLESS your ldap server
> > accepts authentication with NT/LM hashes.
> This has my vote as it places the burden of authentication on the LDAP
> server much like the burden falls on the underlying auth mechanisms
> of unix for non-LDAP accesses.
OK. I totally agree. You have to store the NT/LM hashes in the
userPassword attribute then.
Luke Howard in rfc2307 proposes the form:
userPassword = {scheme}encryptedpassword
where scheme could be NThash and LMhash
or you have to hack your ldap server to check the password in ldap_bind()
against the lmPassword and ntPassword attributes.
Comments?
> Please, please, please some samba-ldap-PDC admin try this sequence:
> 1. Get Pedestal Software's NT command line security utilities.
> they offer a test drive for 1 month free download
> http://www.pedestalsoftware.com
> I only say "use this", because I know it works normally in a pure NT
> environment as well as functioning with sambaHEAD for adding users to groups.
> 2. Create a user who belongs in any common domain group
> 3. log in on that workstation as that user & add yourself to "Domain Admins"
> ntuser -s <sambapdc> group append "Domain Admins" <user>
> 4. See if you were successful.
>
> If you were, can we open a discussion ?
>
> I've been denied access when the user is -only- a member of "Domain Guests".
> Otherwise successful.
>
> I used OpenLDAP with samba binding to rootdn.
> I used Netscape's LDAP server binding to a branch.
As a preventive solution, you can have samba binding using a
special account instead of the rootdn and deny write access to this
account.
Jean Francois
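The bind-time check the mail proposes (the server verifying the supplied password in ldap_bind() against an NT hash carried in userPassword as {scheme}value), as an added example that is not part of the original mail and not Samba's or OpenLDAP's code. It assumes the scheme name is NThash as written in the mail, that the hash is stored hex-encoded, and that the scheme tag is compared case-insensitively; the directory entries and DNs are constructed sample data. MD4 is implemented inline because hashlib has no MD4 on OpenSSL 3 builds without the legacy provider. LM hash verification (DES-based) is not included; an entry whose scheme is not NThash is simply refused, so no caller falls through to an unchecked success.

```python
# Added example, not code from the original mail or from Samba: a bind-time
# password check against an NT hash stored in userPassword as
# "{NThash}<hex>", the {scheme}value form the mail mentions.
# Hex encoding of the hash, case-insensitive scheme tags and the sample DNs
# below are assumptions of this example. MD4 is implemented inline because
# hashlib lacks MD4 on OpenSSL 3 builds without the legacy provider.
# LM hash verification (DES-based) is not included.
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; returns the 16-byte digest."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    word_order = [
        list(range(16)),
        [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
        [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
    ]
    shifts = [[3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15]]
    consts = [0, 0x5A827999, 0x6ED9EBA1]
    funcs = [
        lambda x, y, z: (x & y) | (~x & z),           # F, round 1
        lambda x, y, z: (x & y) | (x & z) | (y & z),  # G, round 2
        lambda x, y, z: x ^ y ^ z,                    # H, round 3
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(3):
            for i in range(16):
                t = (aa + funcs[r](bb, cc, dd) + x[word_order[r][i]] + consts[r]) & MASK32
                # Each step rewrites "a" and rotates the register tuple.
                aa, bb, cc, dd = dd, _rotl(t, shifts[r][i % 4]), bb, cc
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def parse_user_password(value: str):
    """Split a "{scheme}value" userPassword into (scheme, value); scheme lowercased."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("userPassword has no {scheme} prefix")
    end = value.index("}")
    return value[1:end].lower(), value[end + 1:]


def check_password(user_password: str, candidate: str) -> bool:
    """True only if the scheme is NThash and the candidate's NT hash matches."""
    scheme, stored = parse_user_password(user_password)
    if scheme != "nthash":
        # {LMhash}, {crypt} or anything else: not handled here, so deny.
        return False
    try:
        stored_bytes = bytes.fromhex(stored)
    except ValueError:
        return False
    # Constant-time comparison of the 16-byte digests.
    return hmac.compare_digest(stored_bytes, nt_hash(candidate))


# Constructed sample entries (not real directory data), keyed by DN.
DIRECTORY = {
    "uid=joe,ou=People,dc=example,dc=com": {
        "userPassword": "{NThash}" + nt_hash("joe-secret").hex(),
    },
    "uid=legacy,ou=People,dc=example,dc=com": {
        "userPassword": "{crypt}abJnggxhB/yWI",  # sample value, scheme not supported here
    },
}


def simple_bind(dn: str, password: str) -> bool:
    """What the bind-time check does: find the entry, verify the password
    against its userPassword. Unknown DN or unsupported scheme fails."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return check_password(entry["userPassword"], password)


if __name__ == "__main__":
    print("joe, right password:", simple_bind("uid=joe,ou=People,dc=example,dc=com", "joe-secret"))
    print("joe, wrong password:", simple_bind("uid=joe,ou=People,dc=example,dc=com", "wrong"))
    print("legacy entry:", simple_bind("uid=legacy,ou=People,dc=example,dc=com", "anything"))
```

The point of doing the comparison in the bind path is the one the thread makes: the client proves knowledge of the password for its own DN, and any later write is then subject to the directory's ACLs for that DN rather than to whatever the Samba bind account may do.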