John H Terpstra jht at samba.org
Sat Oct 29 00:47:11 GMT 2005

On Friday 28 October 2005 18:41, Andrew Bartlett wrote:
> There was a discussion on IRC about what the 'NO_LDAP_SECURITY' #ifndef
> in smbldap.c was about.
> I figured it was worth clarifying for the list:
> In testing Samba3, I did a lot of work as non-root, with Samba3 run from
> inetd into my own user account.  This allowed easier access with gdb,
> and tested the same code we have elsewhere to determine non-root
> behaviours.  (This we require for the build farm, for example).

I figured it was the left-over of some debugging work that was not cleaned up.

Thanks for the clarification.

- John T.

> Our other pdb backeds check for access rights by file permissions, but
> LDAP makes this more difficult, particularly with the very useful
> persistent connections.  As such we have this:
> 	if (geteuid() != 0) {
> 		DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
> 	}
> #endif
> This prevents non-root users from accessing ldap, and ensures therefore
> that we must have deliberately bumped the user up to root, so they could
> read smbpasswd, tdbsam or the ldap connection.  Otherwise, they only get
> in if they are root.  Perhaps this is primitive, and no doubt real ACLs
> would be a good thing, but it's what we have now.
> Anyway, I wanted to bypass this for my development work, so added
> Andrew Bartlett

John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.

More information about the samba-technical mailing list