ldap_nua requires guest exist and have rid 501?

Andrew Bartlett abartlet at samba.org
Wed Nov 13 06:19:58 GMT 2002

On Wed, 2002-11-13 at 16:35, John E. Malmberg wrote:
> Andrew Bartlett wrote:
> > On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
> > 
> > The exception is much more than that - all sorts of things go over 
> > IPC$, and they are protected by their individual ACLs.  Enumerating 
> > users, all sorts of things.  Domain logons are a particular thing 
> > that occur initially as guest (pipe-level authentication is done on 
> > netlogon, likewise password changes are as guest).
> Why should I be surprised that the implementation is not consistent with
> what they teach at the Microsoft NT System Administration class.

:-).  However, teaching the full horrors of SMB probably would not help
either :-).  

> > 
> <snip>
> >> There are many sites that have security standards that prohibit a 
> >> guest account from being enabled.
> > 
> > So what does 'ident' or 'echo' or 'time' run as?
> Each runs on their own non-privileged account.  If the ident service
> gets compromised, the cracker has no access to anything else on the machine.
> Same with "echo" or "time".  Of course this depends on the TCPIP program
> in use, and many of these well-known services are usually not implemented.
> Or even SMTP, BIND, IMAP.  Even if a security hole is found in one of 
> these, the privileges are limited.
> It is not usual on an OpenVMS system for TCP/IP services to run from the
> root account or with root privileges.
> > That is the point of the guest account, Samba needs a user to become,
> > an unprivileged user that cannot break the entire system if Samba
> > were to accidentally allow file access, for example.
> > 
> > So you propose having 2 accounts?
> > 
> > We have the 'guest ok' parameter, NT ACLs and the 'restrict 
> > anonymous' parameter for controlling this kind of thing, I think 
> > adding a new smb.conf option would just break every site out there!
> It may need to be something that is better documented especially for 
> OpenVMS users as they appear to have a different view of account management.
> I have a better understanding of this now than I did before.  The guest 
> account is not really a guest account.
> So it all really is a matter of the mapping between a NT security model
> and the host security model.
> > On most other systems, we use the 'nobody' account, which already 
> > exists and requires no further configuration.  The default 
> > configuration for 3.0 has a 'unixsam' backend, which maps this to the
> >  501 rid.  So by default, this looks exactly like NT.
> The NOBODY account only exists if some UNIX compatible protocols such as
> NFS are enabled.  It cannot be relied upon to exist on an OpenVMS system.

So all we need is to add an account, in exactly the way ident, echo etc. are added.

> >> So while it may be technically correct that the NT "GUEST" account 
> >> is used for some functions based on observations, the practice is 
> >> not consistent with what Microsoft has been telling NT 
> >> Administrators.
> > 
> > It is consistent with what occurs on the wire, and really, that's the
> >  best we can do.
> The behaviour that I would need to implement on OpenVMS to make SMBD 
> behave as the System Administrators expect is:
> To have a SAMBA_GUEST account, but when it is used as an attempt to 
> access a share, the SMBD server would pay attention to the "disabled" flag.
> When it is used for the other functions, the "disabled" flag would be 
> ignored.
> You indicate that SAMBA is using the "Guest Ok" parameter for this function.
> So to make OpenVMS behave as the System administrators expect, when 
> SMBD checks the "Guest Ok" parameter on the share, the guest account 
> also needs the "enabled" flag set.
> I wonder how difficult this would be to implement.

With Samba 3.0, almost trivial.  An extra check in
'make_connection_snum()' should do it.

> I would like to post a summary of this thread on the SAMBA-VMS list.

I hope it has clarified things a little.  CC it here, so I can make sure
it's accurate.  (The devil in these things is most certainly in the
detail :-)

> I am currently trying to learn enough LINUX to NFS map my VMS 
> development disk to a LINUX system and use RSYNC on LINUX to get live 
> updates on SAMBA, so I can start doing active development again since my 
> move.
> -John
> wb8tyw at qsl.network
> Personal Opinion Only
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
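The share-connection check John asks for and Andrew says belongs in 'make_connection_snum()', modelled as a stand-alone policy function. This is an added example, not Samba code: the account and share types, the SAMBA_GUEST name and the share names are constructed for illustration; 501 is the well-known NT Guest RID the subject line refers to.

```python
"""Model of the guest-account policy from the thread (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

DOMAIN_USER_RID_GUEST = 501   # well-known RID of the NT Guest account
IPC_SHARE = "IPC$"


@dataclass
class GuestAccount:            # hypothetical stand-in for the host account record
    name: str
    rid: int
    disabled: bool = False


@dataclass
class Share:                   # hypothetical stand-in for a share definition
    name: str
    guest_ok: bool = False     # the smb.conf 'guest ok' parameter


def check_guest_mapping(guest: Optional[GuestAccount]) -> List[str]:
    """Reasons the anonymous-to-guest mapping cannot work (empty = fine).

    Mirrors the subject line: the guest account must exist and carry RID 501.
    """
    problems = []
    if guest is None:
        problems.append("no guest account to map anonymous sessions onto")
    elif guest.rid != DOMAIN_USER_RID_GUEST:
        problems.append(f"{guest.name} has RID {guest.rid}, not {DOMAIN_USER_RID_GUEST}")
    return problems


def guest_tree_connect_allowed(share: Share, guest: GuestAccount) -> bool:
    """The proposed extra check at share-connect time.

    IPC$ carries the pipe-level functions (netlogon, password changes) that
    run as guest before real authentication, so the 'disabled' flag is ignored
    there.  Any other share needs both 'guest ok' and an enabled guest account.
    """
    if share.name.upper() == IPC_SHARE:
        return True
    if not share.guest_ok:
        return False
    return not guest.disabled


def guest_reachable_shares(shares: List[Share], guest: GuestAccount) -> List[str]:
    """Audit helper: which shares an anonymous (guest-mapped) session can reach."""
    return [s.name for s in shares if guest_tree_connect_allowed(s, guest)]
```

With SAMBA_GUEST disabled the audit reports only IPC$, which is the behaviour OpenVMS administrators expect from a disabled account while domain logons keep working.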