[Samba] System account home directory exposure

Michael Gasch gasch at eva.mpg.de
Tue Jul 4 10:20:40 GMT 2006


Because in your setup Samba most likely resolves account names through NSS (nsswitch.conf), which is probably configured as `passwd: files ldap` — so every /etc/passwd entry is visible to Samba's share and home-directory lookups, even though the passdb backend (the SMB password store) is ldapsam. The [homes] share is created for any name NSS can resolve, which is why \\HOME\ldap answers with a password prompt instead of "not found".

You could try `ldapsam:trusted = yes` (a [global] option, available in your 3.0.22) so Samba takes POSIX account data straight from LDAP instead of going through NSS, or explicitly keep the local system accounts out of the [homes] share with something like `invalid users = root ldap nobody daemon ...` in [global] or in [homes]. The second option is a list you have to maintain; the first depends on the LDAP entries carrying complete posixAccount data, so test it on a non-production box first.

greez

Anthony Messina wrote:
> I have an fc5 system running samba-3.0.22-1.fc5 and
> smbldap-tools-0.9.2-2.fc5. This server acts as my pdc (netbios name
> HOME) and a server for /home directories. I use ldapsam with openldap to
> store all account info. I noticed while troubleshooting something else
> that if I try to browse to the home directory of a system account, such
> as "ldap" at \\HOME\ldap -- I am presented with a username/password
> dialogue, even though the user "ldap" only exists in the systems
> /etc/passwd file and is not in my openldap directory.
> 
> It seems as though I should get a "not found" message rather than a
> password prompt that effectively confirms the account exists on the
> system (an account-enumeration leak). Why is samba also looking for users
> in the /etc/passwd file if I have specified that I want to use ldapsam?
> How do I stop this behavior?
> 
> Any help or direction would be appreciated. My smb.conf and smbusers
> file are below:
> 
> ### /etc/samba/smb.conf ###
> [global]
> workgroup = example.com
> netbios name = home
> server string = Samba Domain Server
> # Allow-list: loopback plus three RFC 1918 /24s; the deny-all line that
> # follows rejects everything else. Where the two lists conflict the allow
> # list takes precedence, so the deny line only spells out the default.
> hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
> hosts deny = 0.0.0.0/0
> # Listen on lo and eth0 only; with "bind interfaces only" no socket is
> # opened on any other interface.
> interfaces = lo eth0
> bind interfaces only = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
> printcap name = /etc/printcap
> load printers = no
> printing = cups
> cups options = raw
> 
> # Unix identity used by "guest ok" shares (see [netlogon] below).
> guest account = nobody
> 
> log file = /var/log/samba/samba.log
> max log size = 1024
> log level = 1
> security = user
> # Refuse LANMAN (LM) responses from clients.
> lanman auth = no
> # NOTE(review): "client ntlmv2 auth" governs Samba acting as a *client*
> # (smbclient, winbind). What this server accepts from clients is set by
> # "ntlm auth", which is not present here, so the default applies - confirm
> # that is intended.
> client ntlmv2 auth = yes
> # NOTE(review): turns on NT privileges that can be granted to accounts and
> # groups (e.g. the right to join machines); audit who holds them.
> enable privileges = yes
> 
> # Samba does not rewrite userPassword in LDAP itself; Unix password changes
> # are delegated to "passwd program" below instead.
> ldap passwd sync = no
> # Bind DN with write access to the directory. Its password is not in this
> # file (Samba normally keeps it in secrets.tdb, set via "smbpasswd -w") -
> # protect that file like a secret.
> ldap admin dn = "uid=sambaroot,ou=People,dc=example,dc=com"
> passdb backend = ldapsam:ldap://127.0.0.1
> # Plaintext LDAP is acceptable only because the URL above is loopback. If
> # the backend is ever moved to a remote host, the admin bind would cross
> # the wire in clear - re-enable TLS at the same time.
> ldap ssl = off
> # Deleting a user removes the whole LDAP entry, not just the samba* attrs.
> ldap delete dn = yes
> ldap suffix = dc=example,dc=com
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap,dc=example,dc=com
> idmap backend = ldap:ldap://127.0.0.1
> # Ranges for mapping foreign SIDs to uids/gids; presumably chosen to sit
> # well above any locally assigned id.
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> 
> # Account/group management is delegated to smbldap-tools; these run as root
> # under smbd with the name substituted in, so keep the tools and their
> # config (which holds the LDAP bind credentials) root-only.
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> 
> encrypt passwords = yes
> # On an SMB password change smbd runs "passwd program" as root and drives
> # it with the chat script below; the new password is passed as %n.
> # NOTE(review): "passwd chat" appears split over two lines here, most
> # likely by mail wrapping - in the real file it must be a single line.
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
> 
> # Maps SMB login names to Unix accounts; all entries are commented out in
> # the file quoted below, so no mapping is in effect.
> username map = /etc/samba/smbusers
> 
> local master = yes
> os level = 33
> domain master = yes
> preferred master = yes
> domain logons = yes
> 
> # Per-user logon script, served from the [netlogon] share by convention.
> logon script = %U.bat
> logon drive = H:
> # %L is this server's NetBIOS name; the share itself comes from [homes].
> logon home = \\%L\%U
> 
> name resolve order = wins lmhosts bcast
> wins support = yes
> wins proxy = no
> dns proxy = no
> 
> preserve case = yes
> 
> nt acl support = yes
> 
> # Shell given to winbind-created accounts: no interactive login.
> template shell = /bin/false
> winbind use default domain = no
> 
> # Per-user home share. Samba instantiates it for any name it can resolve
> # through NSS, not only for LDAP accounts - which is why \\HOME\ldap gets a
> # password prompt although "ldap" exists only in /etc/passwd.
> # "valid users = %S" keeps other users out of the share once it exists but
> # does not stop the share from being discovered. To keep system accounts
> # out of [homes] entirely, add "invalid users = root ldap ..." here or set
> # "ldapsam:trusted = yes" in [global].
> [homes]
> 	comment = Home Directory for %U
> 	# Tell clients not to keep an offline copy of the home directory.
> 	csc policy = disable
> 	browseable = no
> 	writable = yes
> 	valid users = %S
> 	# Hides these names from listings only; it is not an access control
> 	# (use "veto files" to actually block them).
> 	hide files = /Desktop.ini/desktop.ini/RECYCLER/Thumbs.db/
> 
> # Anonymously readable share that serves the per-user logon scripts.
> # Keep it read-only: anything writable here is executed on every domain
> # client at logon.
> [netlogon]
> 	comment = Network Logon Service
> 	path = /etc/samba/netlogon
> 	guest ok = yes
> 	writable = no
> 	browseable = no
> 	share modes = no
> 
> ### /etc/samba/smbusers ###
> #(all users are commented out)
> #root = administrator admin
> #nobody = guest
> 
> 

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399


