[Samba] System account home directory exposure

Anthony Messina amessina at messinet.com
Tue Jul 4 07:48:50 GMT 2006


I have an fc5 system running samba-3.0.22-1.fc5 and
smbldap-tools-0.9.2-2.fc5. This server acts as my PDC (NetBIOS name
HOME) and a server for /home directories. I use ldapsam with OpenLDAP to
store all account info. I noticed while troubleshooting something else
that if I try to browse to the home directory of a system account, such
as "ldap" at \\HOME\ldap -- I am presented with a username/password
dialog, even though the user "ldap" only exists in the system's
/etc/passwd file and is not in my OpenLDAP directory.

It seems as though I should get a "not found" message rather than
confirmation that this account exists on the system. Why is Samba also
looking up users in the /etc/passwd file when I have specified that I
want to use ldapsam? How do I stop this behavior?

Any help or direction would be appreciated. My smb.conf and smbusers
file are below:

### /etc/samba/smb.conf ###
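[global]
workgroup = example.com
netbios name = home
server string = Samba Domain Server
# Service is limited to loopback plus three private subnets. When an
# address matches both lists, "hosts allow" takes precedence, so the
# catch-all deny only affects hosts outside the allow list.
hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
interfaces = lo eth0
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

printcap name = /etc/printcap
load printers = no
printing = cups
cups options = raw

# Unix identity used for shares that set "guest ok" (here only [netlogon]).
guest account = nobody

log file = /var/log/samba/samba.log
max log size = 1024
log level = 1
# User-level security: every share connection needs an authenticated
# session. "passdb backend" decides who can AUTHENTICATE; it does not
# decide which Unix accounts exist. The [homes] share-name lookup goes
# through the system password database (getpwnam/NSS), so any account in
# /etc/passwd -- "ldap", "bin", ... -- still resolves to a home share.
# Users stored in the directory presumably reach NSS via nss_ldap, since
# Samba needs a Unix account for every authenticated user.
security = user
# Refuse LanMan hashes; clients must use NTLM or NTLMv2.
lanman auth = no
client ntlmv2 auth = yes
enable privileges = yes

# ldapsam backend. The bind password for "ldap admin dn" is NOT stored in
# smb.conf; Samba reads it from secrets.tdb (set with "smbpasswd -w").
ldap passwd sync = no
ldap admin dn = "uid=sambaroot,ou=People,dc=example,dc=com"
passdb backend = ldapsam:ldap://127.0.0.1
# Plaintext LDAP is tolerable only because the directory is on loopback;
# the admin bind credential would cross the wire in clear on any other URL.
ldap ssl = off
# Deleting a Samba user removes the whole LDAP entry, POSIX attributes
# included, not just the sambaSamAccount attributes.
ldap delete dn = yes
ldap suffix = dc=example,dc=com
# The user/group/machine/idmap suffixes are all given RELATIVE to
# "ldap suffix"; smb.conf(5) documents that Samba appends the base itself.
# The original gave the idmap suffix as a full DN, which would produce
# "ou=Idmap,dc=example,dc=com,dc=example,dc=com" -- confirm against
# smb.conf(5) for the Samba version in use.
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

# smbldap-tools perform the directory writes when Samba must create or
# remove accounts (e.g. machine accounts on domain join). %u = user, %g = group.
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

encrypt passwords = yes
# SMB password changes are pushed to the Unix password by running
# /usr/bin/passwd as root and driving it with "passwd chat". The chat
# string must be a single line (or continued with a trailing backslash):
# a wrapped fragment without "=" is rejected by the parser and the chat
# then never matches. Booleans are spelled lowercase throughout this file.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Every entry in smbusers is currently commented out, so no names are mapped.
username map = /etc/samba/smbusers

# Browser election and domain-controller role.
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes

# Logon settings. %U is the session user, %L this server's NetBIOS name.
# The %U.bat scripts are served from the [netlogon] share.
logon script = %U.bat
logon drive = H:
logon home = \\%L\%U

name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = no
dns proxy = no

preserve case = yes

nt acl support = yes

# Consumed only by winbindd; no other winbind settings appear in this file,
# so these are inert unless winbind is actually running.
template shell = /bin/false
winbind use default domain = no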

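[homes]
	comment = Home Directory for %U
	# Disable client-side (offline) caching of files from this share.
	csc policy = disable
	# Hides the literal "homes" share from browse lists; each user's own
	# home share is still offered under their username.
	browseable = no
	writable = yes
	# Only the account whose name matches the requested share may connect.
	# NOTE: a [homes] share is materialised for ANY name that resolves via
	# the system password database (getpwnam), not just ldapsam accounts.
	# Requesting \\HOME\ldap therefore answers "access denied" (a credential
	# prompt) rather than "share not found". "invalid users" denies those
	# system accounts outright and always overrides "valid users"; it does
	# not remove the existence oracle -- access-denied and bad-network-name
	# replies still differ -- but it guarantees no session can ever be
	# opened on a system account's home. Extend the list with the other
	# non-login accounts present in /etc/passwd.
	valid users = %S
	invalid users = root ldap
	hide files = /Desktop.ini/desktop.ini/RECYCLER/Thumbs.db/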

[netlogon]
	comment = Network Logon Service
	# Holds the %U.bat scripts named by "logon script" in [global].
	# Everything here executes on the client at logon, so the directory
	# must also be root-owned and non-writable for ordinary users on the
	# filesystem; the SMB-level read-only flag below protects only this share.
	path = /etc/samba/netlogon
	# Anonymous read access, mapped to "guest account" (nobody) from [global].
	guest ok = yes
	# Same setting as "writable = no".
	read only = yes
	# Same setting as "browseable = no": not listed in browse lists.
	browsable = no
	share modes = no

### /etc/samba/smbusers ###
#(all users are commented out)
#root = administrator admin
#nobody = guest

-- 
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E


