Best choice for ntlm_auth's access to winbindd_privileged directory

Henrik Nordstrom henrik at
Thu Sep 14 19:05:46 GMT 2006

tor 2006-09-14 klockan 20:50 +0400 skrev Dmitry Butskoy:

> But this solution seems to be not universal, as requires for 
> applications to have the special user accounts.

Well, it's hard to both eat and have the cake unfortunately. This split
in permissions is there to prevent several forms of attacks on the
accounts, similar to how the shadow password database is protected

You can obviously lift this restriction by making the pipe directory
world rx, but not sure thats such great idea.

Installing ntlm_auth setgroupid is another option, and perhaps a bit
safer for winbind.. (not sure how well audited the privileged pipe
communication is..)

> For security reasons, just the directory should not be world-accessable, 
> or even ntlm_auth binary itself should not be world-accessable too? In 
> other words, is the setgid way security clean?

The binary in itself when not setuid/setgid does not have any special
powers not available to any mortal user. It's just a toolbox, quite
similar to a library.

The privielged pipe was initially set restricted as it gave access to
some details about the authentication mechanisms most mortals should not
normally be able to do, only trusted server applications.

  - keyed NTLM authentication providing both nonces.
  - private session keys
  - and maybe a little more

I think given the choices making ntlm_auth setgid to the winbind
privileged group is probably the more appropriate path iuf maintaining
the list of trusted server applications is too complex.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Detta =?ISO-8859-1?Q?=E4r?= en digitalt signerad
Url :

More information about the samba-technical mailing list