ldap_nua requires guest exist and have rid 501?

Andrew Bartlett abartlet at samba.org
Wed Nov 13 06:19:58 GMT 2002


On Wed, 2002-11-13 at 16:35, John E. Malmberg wrote:
> Andrew Bartlett wrote:
> 
> > On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
> > 
> > The exception is much more than that - all sorts of things go over 
> > IPC$, and they are protected by their individual ACLs.  Enumerating 
> > users, all sorts of things.  Domain logons are a particular thing 
> > that occur initially as guest (pipe-level authentication is done on 
> > netlogon, likewise password changes are as guest).
> 
> Why should I be surprised that the implementation is not consistent with
> what they teach at the Microsoft NT System Administration class.

:-).  However, teaching the full horrors of SMB probably would not help
either :-).  

> > 
> <snip>
> 
> >> There are many sites that have security standards that prohibit a 
> >> guest account from being enabled.
> > 
> > So what does 'ident' or 'echo' or 'time' run as?
> 
> Each runs under its own non-privileged account.  If the ident service
> gets compromised, the cracker has no access to anything else on the machine.
> 
> Same with "echo" or "time".  Of course this depends on the TCPIP program
> in use, and many of these well-known services are usually not implemented.
> 
> Or even SMTP, BIND, IMAP.  Even if a security hole is found in one of 
> these, the privileges are limited.
> 
> It is not usual on an OpenVMS system for TCP/IP services to run from the
> root account or with root privileges.
> 
> > That is the point of the guest account, Samba needs a user to become,
> > an unprivileged user that cannot break the entire system if Samba
> > were to accidentally allow file access, for example.
> > 
> > So you propose having 2 accounts?
> > 
> > We have the 'guest ok' parameter, NT ACLs and the 'restrict 
> > anonymous' parameter for controlling this kind of thing, I think 
> > adding a new smb.conf option would just break every site out there!
> 
> It may need to be something that is better documented especially for 
> OpenVMS users as they appear to have a different view of account management.
> 
> I have a better understanding of this now than I did before.  The guest 
> account is not really a guest account.
> 
> So it all really is a matter of the mapping between a NT security model
> and the host security model.
> 
> > On most other systems, we use the 'nobody' account, which already 
> > exists and requires no further configuration.  The default 
> > configuration for 3.0 has a 'unixsam' backend, which maps this to the
> >  501 rid.  So by default, this looks exactly like NT.
> 
> The NOBODY account only exists if some UNIX compatible protocols such as
> NFS are enabled.  It cannot be relied on to exist on an OpenVMS system.

So all we need is to add an account in exactly the way ident, echo etc.
have.  

> >> So while it may be technically correct that the NT "GUEST" account 
> >> is used for some functions based on observations, the practice is 
> >> not consistent with what Microsoft has been telling NT 
> >> Administrators.
> > 
> > It is consistent with what occurs on the wire, and really, that's the
> >  best we can do.
> 
> The behaviour that I would need to implement on OpenVMS to make SMBD 
> behave as the System Administrators expect is:
> 
> To have a SAMBA_GUEST account, but when it is used as an attempt to 
> access a share, the SMBD server would pay attention to the "disabled" flag.
> 
> When it is used for the other functions, the "disabled" flag would be 
> ignored.
> 
> You indicate that SAMBA is using the "Guest Ok" parameter for this function.
> 
> So to make OpenVMS behave as the System administrators expect, when 
> SMBD checks the "Guest Ok" parameter on the share, the guest account 
> also needs the "enabled" flag set.
> 
> I wonder how difficult this would be to implement.

With Samba 3.0, almost trivial.  An extra check in
'make_connection_snum()' should do it.

> I would like to post a summary of this thread on the SAMBA-VMS list.

I hope it has clarified things a little.  CC it here, so I can make sure
it's accurate.  (The devil in these things is most certainly in the
detail :-)

> I am currently trying to learn enough LINUX to NFS map my VMS 
> development disk to a LINUX system and use RSYNC on LINUX to get live 
> updates on SAMBA, so I can start doing active development again since my 
> move.
> 
> -John
> wb8tyw at qsl.network
> Personal Opinion Only
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
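An added Python model of the check discussed above (not Samba code and not part of this thread): parse an smb.conf, list the shares reachable as guest through 'guest ok' (or its synonym 'public'), and flag those whose host guest account is disabled, which is the condition John wants SMBD to honour. The smb.conf fragment is constructed; 'guest account' is Samba's parameter naming the mapped account (default 'nobody', as the thread says), and the account-status map stands in for whatever the host reports.

```python
import configparser

# Constructed smb.conf fragment (not from the thread) exercising the settings
# under discussion: 'guest ok' shares, 'restrict anonymous' and a non-default
# guest account such as the SAMBA_GUEST account proposed for OpenVMS.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    guest account = samba_guest
    restrict anonymous = 0

[public]
    path = /srv/public
    guest ok = yes

[private]
    path = /srv/private
    guest ok = no
    valid users = @staff

[drop]
    path = /srv/drop
    public = true   ; 'public' is the documented synonym for 'guest ok'
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} using smb.conf
    conventions: case-insensitive keys, ';' and '#' comments."""
    cp = configparser.RawConfigParser(inline_comment_prefixes=(";", "#"),
                                      strict=False, empty_lines_in_values=False)
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def is_true(value):
    """smb.conf boolean: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")

def guest_shares(conf):
    """Shares that accept guest connections ('guest ok' or 'public')."""
    return sorted(s for s, p in conf.items() if s != "global"
                  and is_true(p.get("guest ok", p.get("public", "no"))))

def audit(conf, account_enabled):
    """Return (guest account name, guest-ok shares still exposed even though
    the host says that account is disabled). account_enabled is a constructed
    {account: bool} map standing in for the host's 'disabled' flag."""
    guest = conf.get("global", {}).get("guest account", "nobody")
    exposed = [s for s in guest_shares(conf) if not account_enabled.get(guest, False)]
    return guest, exposed
```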