[security=SERVER] Restricting to users from a single domain
Andrew Telford
telford.andrew.aj at bhp.com.au
Wed Mar 1 03:04:55 GMT 2000
I am testing samba-2.0.6 with security = SERVER (as a prelude to
moving to DOMAIN security).

At the moment I have "password server = %m" and am aware of its own
security vulnerabilities. Everything works OK.

Suppose "foo" is a valid account on the unix machines and it is also
an account on the top level company domain "bar". Then I have
observed that someone logged on as "bar\foo" on a PC will be given
access to samba as user "foo". So far so good.

Unfortunately, if I am on an NT machine called "mypc" with a local
account also called "foo", then a local account user "mypc\foo" will
also gain access to the "foo" account on the unix machine. This is, it
seems, a big security vulnerability.

Is there a way to restrict user mypc\foo while still allowing bar\foo
to log on? In other words, I want to only allow authentication of
accounts in the top level company domain.

Andrew

P.S. I have checked the smbd log files with log level >1 to verify
the authentication described above.
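
A check for the configuration described in this post, as an added example that is not part of the original message: it parses an smb.conf and flags `security = server` combined with `password server = %m`, where Samba substitutes the connecting client's NetBIOS name and so hands the login to that client for validation. The sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf using the two settings quoted in the post.
SAMPLE_CONF = """\
[global]
   workgroup = BAR
   security = SERVER
   ; %m expands to the NetBIOS name of the connecting client
   password server = %m
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Samba ignores case and embedded whitespace in parameter names, so
    'Password Server' and 'passwordserver' are normalised to one key.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Flag pass-through authentication that trusts the client machine."""
    params = parse_global(text)
    if params.get("security", "").lower() != "server":
        return []
    servers = [s for s in re.split(r"[,\s]+", params.get("passwordserver", "")) if s]
    # %m is case-sensitive: it is the client's NetBIOS name.
    if any("%m" in s for s in servers):
        return ["password server = %m: logins are validated by the connecting "
                "client itself, so its local accounts are accepted"]
    return []

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```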