[Samba] smbldap.c

Rauno Tuul rauno.tuul at haigekassa.ee
Tue Sep 16 19:34:39 GMT 2003


Well, in samba 2.2.8 (in 2.2.4 it wasn't) there was a check like this in passdb/pdb_ldap.c:

/* check that the user is in the domain admin group for connecting */
        if ( (uid != 0) && !user_in_list(pass->pw_name, lp_domain_admin_group()) ) {
                DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root or a member of domain admin group..\n"));
                return False;
        }

So users who belonged to the "domain admin group" were able to modify the LDAP base,
for example add PCs to the domain without having uid=0. Basically samba3 is
back at the 2.2.4 level.
I saw this in the smb-ldap howto by IDEALX (the howto was written for 2.2.4) and
there was a little patch. As in samba3 there is no such variable as "domain
admin group", there is no way users with uid!=0 can change LDAP...
For big networks, adding PCs to the domain with one username and password (uid=0,
rid=500) just doesn't make sense...

IMHO groupmapping doesn't fill that hole, because no groupmap entry
gives admin rights on LDAP.


Rauno Tuul.
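To make the difference between the two checks concrete, here is an added example (not Samba's code, and not part of either message) that re-implements both gates as plain C functions: the 2.2.8-style check, which lets root or any member of the configured "domain admin group" through, and the 3.0-style check quoted below, which only lets effective uid 0 through. `user_in_list` is a hypothetical stand-in for Samba's helper of the same name, matching whole tokens in a space- or comma-separated list; the admin list and uids in `main` are constructed values, not taken from any real smb.conf.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for Samba's user_in_list(): true if `user` appears
 * as a whole token in the space- or comma-separated `list`. Whole-token
 * matching matters: "ali" must not match "alice". */
static bool user_in_list(const char *user, const char *list)
{
    size_t ulen = strlen(user);
    const char *p = list;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;          /* skip separators */
        const char *start = p;
        while (*p && *p != ' ' && *p != ',') p++;    /* scan one token */
        size_t tlen = (size_t)(p - start);
        if (tlen == ulen && memcmp(start, user, ulen) == 0)
            return true;
    }
    return false;
}

/* 2.2.8-style gate: allowed if root, or if the user is listed in the
 * configured domain admin group. Logs and denies otherwise. */
bool ldap_access_allowed_228(uid_t uid, const char *user,
                             const char *domain_admin_group)
{
    if (uid != 0 && !user_in_list(user, domain_admin_group)) {
        fprintf(stderr, "ldap_open_connection: cannot access LDAP when not "
                        "root or a member of domain admin group..\n");
        return false;
    }
    return true;
}

/* 3.0-style gate as quoted in the thread: effective uid 0 only. The
 * group list no longer plays any part, which is the regression Rauno
 * describes. */
bool ldap_access_allowed_30(uid_t euid)
{
    if (euid != 0) {
        fprintf(stderr, "smbldap_open: cannot access LDAP when not root\n");
        return false;
    }
    return true;
}

int main(void)
{
    /* constructed admin list; in 2.2.x this came from lp_domain_admin_group() */
    const char *admins = "root alice bob";

    printf("alice uid=1001  2.2.8: %d  3.0: %d\n",
           ldap_access_allowed_228(1001, "alice", admins),
           ldap_access_allowed_30(1001));
    printf("carol uid=1002  2.2.8: %d  3.0: %d\n",
           ldap_access_allowed_228(1002, "carol", admins),
           ldap_access_allowed_30(1002));
    printf("root  uid=0     2.2.8: %d  3.0: %d\n",
           ldap_access_allowed_228(0, "root", admins),
           ldap_access_allowed_30(0));
    return 0;
}
```

Running it shows alice passing the 2.2.8 gate but failing the 3.0 gate, which is exactly why a 3.0 deployment that wants non-root machine-account creation needs some other delegation mechanism rather than a commented-out check: removing the `geteuid()` test turns the gate off for every user, not just for the intended admins.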

-----Original Message-----
From: Antoine Jacoutot ajacoutot at lphp.org 
Tue Sep 16 16:21:49 GMT 2003 

I was just wondering if that piece of code was important (for security 
and such), because I had to comment it in smbldap.c before compiling 
samba-3.0; otherwise, I would have errors like:
"(Insufficient access)smbldap_open: cannot access LDAP when not root"

         if (geteuid() != 0) {
                 DEBUG(0, ("smbldap_open: cannot access LDAP when not root\n"));
                 return  LDAP_INSUFFICIENT_ACCESS;
         }
