[Samba] How to tell Samba not to use the passwd file

Gerald (Jerry) Carter jerry at samba.org
Tue Jan 3 15:32:58 GMT 2006

Hash: SHA1

Dwight Tovey wrote:

> The problem is that one of our testers has discovered that if he 
> is logged in as somebody who is a member of the Domain Admin
> group, he can access all user's home directories by using
> Window's "Network Neighborhood" explorer and typing the direct
> path in the location bar (\\netbiosname\user).  Unfortunatly,
> this extends beyond the users that are defined in LDAP.  Because
> nsswitch.conf has 'passwd: files ldap', Domain Admins can also
> access the "home" directories of users in the
> passwd file.  This includes users like 'bin' (home of /bin), 'daemon'
> (/sbin), 'admin' (/var/log), and the big one: 'mail' (home of /).  
> I feel that this is a bit of a security hole.

set an invalid users line in [global]

	invalid users = daemon bin lpd mail .....

Note that this is not a security hole but a misconfiguration and is
the intended design.

cheers, jerry
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"There's an anonymous coward in all of us."               --anonymous
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the samba mailing list