Patches to head (become_root and some RPC stuff)

Michael Stockman pgmtekn-micke at algonet.se
Sat Aug 28 12:29:34 GMT 1999


Hello,

> Michael Stockman wrote:
>
> > The two problems that I'm aware of, though currently cannot do
> > anything about due to lack of information, are:
> > * A guest something account shows up on NT
>
> Sorry for the delay.  Nobody home share (Guest account) shows up in HEAD
> branch but not 2.0.5a with same basic config.  I just never noticed it before
> checking your patches.
>

So, the nobody share is there even without my patches in head branch?
Then I would feel very innocent about that.

> >
> > * NETLOGON stopped working for NT (this might have been due to an old
> > patch, don't know where it ended up)
>
> Tell me the symptom & I'll try to reproduce it.  My code is a fresh CVS with only
> your patches.

It's not in your ordinary domain, I got a report saying that NETLOGON
from NT with smbpasswd password database was broken, in srv_pipe.c.
This ought to have been due to a patch to that file. That patch was
withdrawn approx. a week ago.

> Please check my response to Jean-Francois same thread today. Increasingly
> I think non "Domain Admins" users should be denied modifying any values,
> perhaps even their own except for things explicitly allowed.
> To illustrate: could they change their description in unix?
> Standard NT fails the requests from common users with "The user does not
> have access to the requested information" and for my 2 cents it is
> a basic assumption in NT's security model.
>
> I apologize if I'm ranting.  I wouldn't write like this if it didn't seem truly important.

I'm basically against such an idea. However I'm unclear about how much
a choice we do have if we are going to continue to support LDAP <->
RPC (not just LDAP --> RPC). I suppose we could make an option in
smb.conf and make the LDAP code check this (optional) parameter before
it writes anything (don't know if other password databases should
check this too, but my intuition says no in the general case).

I don't have LDAP (not so meaningful with one server on a linux 486
serving our 3 W95 machines at home), but couldn't you secure the LDAP
as JF suggested? If nothing else, at least you could give the samba
account read only access to the LDAP database.

A thought I just got is that samba *may* use the same account at all
times in regards to the LDAP server (a quick look at the code seems to
confirm this). That might disable the built in security in the LDAP
server, which could think that every action is made by samba - even
when samba is acting as user. Is that so?

If not, you should find out as which user samba performs the
unsolicited adds to groups, and if that is the same as it should
be?

Best regards
  Michael Stockman
  pgmtekn-micke at algonet.se
