ldap_nua requires guest exist and have rid 501?

John E. Malmberg wb8tyw at qsl.net
Wed Nov 13 05:37:00 GMT 2002


Andrew Bartlett wrote:

> On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
> 
> The exception is much more than that - all sorts of things go over 
> IPC$, and they are protected by their individual ACLs.  Enumerating 
> users, all sorts of things.  Domain logons are a particular thing 
> that occur initially as guest (pipe-level authentication is done on 
> netlogon, likewise password changes are as guest).

Why should I be surprised that the implementation is not consistent with
what they teach at the Microsoft NT System Administration class?
> 
<snip>

>> There are many sites that have security standards that prohibit a 
>> guest account from being enabled.
> 
> So what does 'ident' or 'echo' or 'time' run as?

Each runs under its own non-privileged account.  If the ident service
gets compromised, the cracker has no access to anything else on the machine.

Same with "echo" or "time".  Of course this depends on the TCPIP program
in use, and many of these well-known services are usually not implemented.

Or even SMTP, BIND, IMAP.  Even if a security hole is found in one of 
these, the privileges are limited.

It is not usual on an OpenVMS system for TCP/IP services to run from the
root account or with root privileges.

> That is the point of the guest account, Samba needs a user to become,
> an unprivileged user that cannot break the entire system if Samba
> were to accidentally allow file access, for example.
> 
> So you propose having 2 accounts?
> 
> We have the 'guest ok' parameter, NT ACLs and the 'restrict 
> anonymous' parameter for controlling this kind of thing, I think 
> adding a new smb.conf option would just break every site out there!

It may need to be something that is better documented, especially for 
OpenVMS users, as they appear to have a different view of account management.

I have a better understanding of this now than I did before.  The guest 
account is not really a guest account.

So it all really is a matter of the mapping between an NT security model
and the host security model.

> On most other systems, we use the 'nobody' account, which already 
> exists and requires no further configuration.  The default 
> configuration for 3.0 has a 'unixsam' backend, which maps this to the
>  501 rid.  So by default, this looks exactly like NT.

The NOBODY account only exists if some UNIX-compatible protocols such as
NFS are enabled.  It cannot be relied upon to exist on an OpenVMS system.

>> So while it may be technically correct that the NT "GUEST" account 
>> is used for some functions based on observations, the practice is 
>> not consistent with what Microsoft has been telling NT 
>> Administrators.
> 
> It is consistent with what occurs on the wire, and really, that's the
>  best we can do.

The behaviour that I would need to implement on OpenVMS to make SMBD 
behave as the System Administrators expect is:

To have a SAMBA_GUEST account, but when it is used as an attempt to 
access a share, the SMBD server would pay attention to the "disabled" flag.

When it is used for the other functions, the "disabled" flag would be 
ignored.

You indicate that SAMBA is using the "Guest Ok" parameter for this function.

So to make OpenVMS behave as the System administrators expect, when 
SMBD checks the "Guest Ok" parameter on the share, the guest account 
also needs the "enabled" flag set.

I wonder how difficult this would be to implement.

I would like to post a summary of this thread on the SAMBA-VMS list.

I am currently trying to learn enough LINUX to NFS map my VMS 
development disk to a LINUX system and use RSYNC on LINUX to get live 
updates on SAMBA, so I can start doing active development again since my 
move.

-John
wb8tyw at qsl.network
Personal Opinion Only
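The mapping John describes above (honour the host account's "disabled" flag for share access under 'guest ok', but not for the pipe-level functions the protocol performs as guest) can be sketched as a small decision model. The following is an added example written for this page; it is not Samba's code and does not reflect how smbd actually implements the check. The account names, the `disabled` flag, the constructed smb.conf fragment, and the `run_as`/`shares_reachable_as_guest` helpers are all assumptions made for illustration.

```python
"""Toy model of the guest-account mapping discussed in the message above.
Added example: NOT Samba's code. Account, share and flag names are
constructed for illustration only."""
import configparser
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple


class RequestKind(Enum):
    SHARE_ACCESS = auto()  # tree connect to a file share
    IPC_FUNCTION = auto()  # pipe-level work over IPC$ (netlogon, password change)


@dataclass(frozen=True)
class HostAccount:
    name: str
    disabled: bool  # stands in for the OpenVMS account "disabled" flag


# Constructed smb.conf fragment (hypothetical, not from the thread).
SAMPLE_SMB_CONF = """\
[global]
guest account = samba_guest

[public]
path = /srv/public
guest ok = yes

[secret]
path = /srv/secret
guest ok = no
"""


def parse_smb_conf(text: str) -> Tuple[str, Dict[str, bool]]:
    """Return (guest account name, {share: guest ok}) from smb.conf text.

    Samba booleans accept yes/no/true/false/1/0; ConfigParser.getboolean
    understands the same spellings, so it is enough for this model.
    """
    cp = configparser.ConfigParser(delimiters=("=",),
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    guest_name = cp["global"].get("guest account", "nobody")
    shares = {s: cp.getboolean(s, "guest ok", fallback=False)
              for s in cp.sections() if s != "global"}
    return guest_name, shares


def run_as(request: RequestKind, guest: HostAccount, guest_ok: bool = False,
           authenticated: Optional[HostAccount] = None) -> Optional[HostAccount]:
    """Which host account a request runs as; None means refuse.

    Models the behaviour proposed in the message: the disabled flag is
    honoured for share access but ignored for the pipe-level functions
    that the protocol performs as guest.
    """
    if authenticated is not None:
        return authenticated
    if request is RequestKind.IPC_FUNCTION:
        return guest  # disabled flag deliberately ignored here
    # Guest share access needs both 'guest ok' and an enabled account.
    if not guest_ok or guest.disabled:
        return None
    return guest


def shares_reachable_as_guest(conf_text: str, guest_disabled: bool) -> List[str]:
    """Audit helper: shares an unauthenticated client could reach."""
    guest_name, shares = parse_smb_conf(conf_text)
    guest = HostAccount(guest_name, disabled=guest_disabled)
    return sorted(s for s, ok in shares.items()
                  if run_as(RequestKind.SHARE_ACCESS, guest, guest_ok=ok) is not None)


if __name__ == "__main__":
    for disabled in (False, True):
        print(f"guest disabled={disabled}:",
              shares_reachable_as_guest(SAMPLE_SMB_CONF, disabled))
```

With the guest account enabled only the 'guest ok = yes' share is reachable anonymously; once the account is disabled no share is, while the IPC$ functions still obtain the guest identity, which is exactly the split the message asks for.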

More information about the samba-technical mailing list