Net help analyzing logfiles: Printer permissions in Domain

Robert Dahlem Robert.Dahlem at frankfurt.netsurf.de
Fri Dec 18 01:16:16 GMT 1998


Marc,

On Thu, 17 Dec 1998 09:54:43 +1100, Marc Haber wrote:

>>>When I try to access the printer with my own username, it works fine.
>>>As soon as I have the account that is destined to do the printing
>>>print, it can't log in.

>>I'm not quite sure if this opens a security hole: Did you try to set up your
>>share with "public = yes"?

>>Your logs show that samba changes the account to the guest account ("nobody") 
>>when it does not find the user validated by the password server in its local 
>>/etc/passwd.

>I have come to that conclusion too.

>mh is my account. This account is present in the NT domain, in
>/etc/passwd and smbpasswd. asback is the user that should do the
>printing in production service; this account currently is only present
>in the NT domain. 

So what else should samba do with asback than "mapping" it to the guest account? 
There is no other way for samba to map it to a user id.

>I have thought that the whole concept of integrating
>a samba box into an NT domain is about not having to enter every NT
>account into /etc/passwd manually.

Think about the implications: As which unix user should samba do the file and 
print operations?

>>It might be worth checking if "valid users" is checked before or after
>>"public = yes" or if this opens the share to everyone.

>How do I do that?

Configure "public = yes" and remark "valid users". Try to connect to your printer 
share as user asback. If it doesn't work, my tip was worthless and you had better 
forget about it.

If it works, you have to investigate further: Remove asback from the "valid users" 
list, reboot your client box and try again. If it still works, you have a security 
hole. If it doesn't work, your problem is solved.

Hasta la vista,
               Robert

-- 
---------------------------------------------------------------
Robert.Dahlem at frankfurt.netsurf.de
Radio Bornheim - 2:2461/332 at fidonet +49-69-4930830  (ZyX, V34)
                 2:2461/326 at fidonet +49-69-94414444 (ISDN X.75)
---------------------------------------------------------------
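
Added example, not part of the original message: before running the test described above, it helps to list which shares have guest access switched on and which "valid users" list each one carries, so you know which users to retest with. The smb.conf text, share names and user lists below are constructed for illustration; the parser assumes one parameter per line with no backslash continuations.

```python
import configparser

# Constructed smb.conf for illustration; share names and user lists are assumptions.
SAMPLE_SMB_CONF = """
[global]
   security = server
   guest account = nobody

[lp_test]
   printable = yes
   public = yes
   valid users = mh asback

[lp_open]
   printable = yes
   guest ok = yes

[lp_closed]
   printable = yes
   valid users = mh
"""

GUEST_KEYS = ("public", "guest ok")  # "public" is a synonym for "guest ok"


def _enabled(value):
    return (value or "").strip().lower() in ("yes", "true", "1")


def audit_guest_shares(conf_text):
    """Map each guest-enabled share to (guest account, valid users list)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # Strip indentation so configparser does not treat lines as continuations.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    findings = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        # Share-level settings fall back to the defaults given in [global].
        get = lambda key, share=cp[name]: share.get(key, glob.get(key))
        if any(_enabled(get(k)) for k in GUEST_KEYS):
            account = get("guest account") or "(built-in default)"
            users = (get("valid users") or "").replace(",", " ").split()
            findings[name] = (account, users)
    return findings


if __name__ == "__main__":
    for share, (account, users) in audit_guest_shares(SAMPLE_SMB_CONF).items():
        note = "retest with a user outside this list" if users else "no valid users list"
        print(f"{share}: guest -> {account}; valid users = {users or '-'}; {note}")
```

The script only reports the configuration; whether "valid users" is enforced ahead of the guest mapping still has to be confirmed by connecting as a user outside the list, as described in the message.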


