[Samba] System account home directory exposure

Anthony Messina amessina at messinet.com
Tue Jul 4 07:48:50 GMT 2006

I have an fc5 system running samba-3.0.22-1.fc5 and
smbldap-tools-0.9.2-2.fc5. This server acts as my pdc (netbios name
HOME) and a server for /home directories. I use ldapsam with openldap to
store all account info. I noticed while troubleshooting something else
that if I try to browse to the home directory of a system account, such
as "ldap" at \\HOME\ldap -- I am presented with a username/password
dialogue, even though the user "ldap" only exists in the systems
/etc/passwd file and is not in my openldap directory.

It seems as though I should get a "not found" message rather than
confirmation that this account exists on the system.  Why is samba also
looking for users in the /etc/passwd file if I have specified that I
want to use ldapsam?  How do i stop this behavior?

Any help or direction would be appreciated. My smb.conf and smbusers
file are below:

### /etc/samba/smb.conf ###
workgroup = example.com
netbios name = home
server string = Samba Domain Server
hosts allow =
hosts deny =
interfaces = lo eth0
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

printcap name = /etc/printcap
load printers = no
printing = cups
cups options = raw

guest account = nobody

log file = /var/log/samba/samba.log
max log size = 1024
log level = 1
security = user
lanman auth = no
client ntlmv2 auth = yes
enable privileges = yes

ldap passwd sync = no
ldap admin dn = "uid=sambaroot,ou=People,dc=example,dc=com"
passdb backend = ldapsam:ldap://
ldap ssl = off
ldap delete dn = yes
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap,dc=example,dc=com
idmap backend = ldap:ldap://
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

encrypt passwords = yes
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n

username map = /etc/samba/smbusers

local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes

logon script = %U.bat
logon drive = H:
logon home = \\%L\%U

name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = no
dns proxy = no

preserve case = yes

nt acl support = yes

template shell = /bin/false
winbind use default domain = no

	comment = Home Directory for %U
	csc policy = disable
	browseable = no
	writable = yes
	valid users = %S
	hide files = /Desktop.ini/desktop.ini/RECYCLER/Thumbs.db/

	comment = Network Logon Service
	path = /etc/samba/netlogon
	guest ok = yes
	writable = no
	browseable = no
	share modes = no

### /etc/samba/smbusers ###
#(all users are commented out)
#root = administrator admin
#nobody = guest

8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba/attachments/20060704/a84fb818/signature.bin

More information about the samba mailing list