[security=SERVER] Restricting to users from a single domain

Andrew Telford telford.andrew.aj at bhp.com.au
Wed Mar 1 03:04:55 GMT 2000


I am testing samba-2.0.6 with security = SERVER (as a prelude to
moving to DOMAIN security).

At the moment I have "password server =  %m" and am aware of its own
security vulnerabilities.  Everything works OK.

Suppose "foo" is a valid account on the unix machines and it is also
an account on the top level company domain "bar".  Then I have
observed that someone logged on as "bar\foo" on a PC will be given
access to samba as user "foo". So far so good.

Unfortunately, if I am on a NT machine called "mypc" with a local
account also called "foo", then a local account user "mypc\foo" will
also gain access to the "foo" account on the unix machine. This is, it
seems, a big security vulnerability.

Is there a way to restrict user mypc\foo while still allowing bar\foo
to log on?  In other words, I want to only allow authentication of
accounts in the top level company domain.

Andrew

P.S.  I have checked the smbd log files with log level >1 to verify
the authentication described above.
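For reference, the two smb.conf fragments below put the setting the post describes beside one where the password server is pinned to the domain's own controllers. This is an added illustration, not configuration from the original thread; the domain name "BAR", the controller names "PDC" and "BDC", and the unix host name are placeholders (Samba 2.0.x syntax; the domain join step is the documented smbpasswd -j form).

```ini
; --- Setting under discussion: the client that connects is the password server ---
; %m expands to the NetBIOS name of the connecting client, so every PC
; validates its own logons; a local account "mypc\foo" on that PC is
; therefore accepted as unix user "foo".
[global]
   workgroup = BAR
   security = server
   password server = %m
   encrypt passwords = yes

; --- Pinned to the domain controllers (placeholders: PDC, BDC) ---
; Logons are validated only by the listed controllers for domain BAR,
; so an account that exists only in a workstation's local SAM is not
; known to them and is not mapped onto the unix "foo" account.
[global]
   workgroup = BAR
   security = domain
   password server = PDC BDC
   encrypt passwords = yes

; Join step run once on the unix host before smbd is (re)started:
;   smbpasswd -j BAR -r PDC
; This creates the machine account used by security = domain.
```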


