ldap_nua requires guest exist and have rid 501?
abartlet at samba.org
Wed Nov 13 06:19:58 GMT 2002
On Wed, 2002-11-13 at 16:35, John E. Malmberg wrote:
> Andrew Bartlett wrote:
> > On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
> > The exception is much more than that - all sorts of things go over
> > IPC$, and they are protected by their individual ACLs. Enumerating
> > users, all sorts of things. Domain logons are a particular thing
> > that occur initially as guest (pipe-level authentication is done on
> > netlogon, likewise password changes are as guest).
> Why should I be surprised that the implementation is not consistent with
> what they teach at the Microsoft NT System Administration class.
:-). However, teaching the full horrors of SMB probably would not help
> >> There are many sites that have security standards that prohibit a
> >> guest account from being enabled.
> > So what does 'ident' or 'echo' or 'time' run as?
> Each runs on their own non-privileged account. If the ident service
> gets compromised, the cracker has no access to anything else on the machine.
> Same with "echo" or "time". Of course this depends on the TCPIP program
> in use, and many of these well-known services are usually not implemented.
> Or even SMTP, BIND, IMAP. Even if a security hole is found in one of
> these, the privileges are limited.
> It is not usual on an OpenVMS system for TCP/IP services to run from the
> root account or with root privileges.
> > That is the point of the guest account, Samba needs a user to become,
> > an unprivileged user that cannot break the entire system if Samba
> > were to accidentally allow file access, for example.
> > So you propose having 2 accounts?
> > We have the 'guest ok' parameter, NT ACLs and the 'restrict
> > anonymous' parameter for controlling that kind of thing, I think
> > adding a new smb.conf option would just break every site out there!
> It may need to be something that is better documented especially for
> OpenVMS users as they appear to have a different view of account management.
> I have a better understanding of this now than I did before. The guest
> account is not really a guest account.
> So it all really is a matter of the mapping between an NT security model
> and the host security model.
> > On most other systems, we use the 'nobody' account, which already
> > exists and requires no further configuration. The default
> > configuration for 3.0 has a 'unixsam' backend, which maps this to the
> > 501 rid. So by default, this looks exactly like NT.
> The NOBODY account only exists if some UNIX compatible protocols such as
> NFS are enabled. It cannot be relied on to exist on an OpenVMS system.
So all we need is to add an account in exactly the way ident, echo etc
> >> So while it may be technically correct that the NT "GUEST" account
> >> is used for some functions based on observations, the practice is
> >> not consistent with what Microsoft has been telling NT
> >> Administrators.
> > It is consistent with what occurs on the wire, and really, that's the
> > best we can do.
> The behaviour that I would need to implement on OpenVMS to make SMBD
> behave as the System Administrators expect is:
> To have a SAMBA_GUEST account, but when it is used as an attempt to
> access a share, the SMBD server would pay attention to the "disabled" flag.
> When it is used for the other functions, the "disabled" flag would be
> You indicate that SAMBA is using the "Guest Ok" parameter for this function.
> So to make OpenVMS behave as the System administrators expect, when
> SMBD checks the "Guest Ok" parameter on the share, the guest account
> also needs the "enabled" flag set.
> I wonder how difficult this would be to implement.
With Samba 3.0, almost trivial. An extra check in
'make_connection_snum()' should do it.
> I would like to post a summary of this thread on the SAMBA-VMS list.
I hope it has clarified things a little. CC it here, so I can make sure
it's accurate. (The devil in these things is most certainly in the
> I am currently trying to learn enough LINUX to NFS map my VMS
> development disk to a LINUX system and use RSYNC on LINUX to get live
> updates on SAMBA, so I can start doing active development again since my
> wb8tyw at qsl.network
> Personal Opinion Only
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
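The thread turns on two smb.conf parameters, 'guest ok' (per share) and 'restrict anonymous' (global), plus the mapping of the guest account to a real, unprivileged host account. The script below is an added example, not code from this thread or from Samba itself: it parses a constructed smb.conf (the share names and paths are made up) and reports which shares allow guest access, which of those are writable, and what the global guest settings resolve to. The parameter names ('guest ok' and its synonym 'public', 'read only' and its synonyms, 'guest account', 'map to guest', 'restrict anonymous') are real smb.conf parameters; the defaults assumed for absent parameters ('nobody', 'Never', 0, read-only shares) follow Samba's documented defaults.

```python
"""Audit an smb.conf for guest-accessible shares (added example, not Samba code)."""
import re

# Constructed sample configuration; share names and paths are invented.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   guest account = nobody
   map to guest = Bad User
   restrict anonymous = 0

[public]
   path = /srv/samba/public
   guest ok = yes

[finance]
   path = /srv/samba/finance
   # 'public' is Samba's documented synonym for 'guest ok'
   public = yes
   read only = no

[homes]
   browseable = no
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}
GUEST_OK_KEYS = ("guest ok", "public")
WRITABLE_KEYS = ("writable", "writeable", "write ok")


def parse_smb_conf(text):
    """Return {section_name: {param: value}}; keys lower-cased and space-normalised."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        # Samba treats whole lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def share_allows_guest(params):
    """True when 'guest ok' (or its synonym 'public') is set to a true value."""
    return any(key in params and is_true(params[key]) for key in GUEST_OK_KEYS)


def share_is_writable(params):
    """Resolve the writable/read-only synonyms; Samba's default is read only."""
    for key in WRITABLE_KEYS:
        if key in params:
            return is_true(params[key])
    if "read only" in params:
        return not is_true(params["read only"])
    return False


def guest_shares(sections):
    """Sorted names of non-global sections that allow guest access."""
    return sorted(name for name, params in sections.items()
                  if name != "global" and share_allows_guest(params))


def audit(text):
    """Summarise the guest-related settings a reviewer would want to see."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    guests = guest_shares(sections)
    return {
        "guest_account": glob.get("guest account", "nobody"),
        "map_to_guest": glob.get("map to guest", "Never"),
        "restrict_anonymous": int(glob.get("restrict anonymous", "0")),
        "guest_shares": guests,
        "writable_guest_shares": [n for n in guests if share_is_writable(sections[n])],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SMB_CONF).items():
        print(f"{key}: {value}")
```

Run against a real smb.conf by reading the file into `audit()`; a writable guest share is the case the thread's "unprivileged user that cannot break the entire system" argument is meant to contain, so the `writable_guest_shares` list is the one worth reviewing first, together with which host account 'guest account' names.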