[Samba] System account home directory exposure

Anthony Messina amessina at messinet.com
Tue Jul 4 12:02:53 GMT 2006

Michael Gasch wrote:
> cause samba relies in your setup probably on NSS, which has files, ldap
> settings?!?!
> you could try to use "ldapsam:trusted (G)" or invalid users = root,
> ldap, ...
> greez
> Anthony Messina wrote:
>> I have an fc5 system running samba-3.0.22-1.fc5 and
>> smbldap-tools-0.9.2-2.fc5. This server acts as my pdc (netbios name
>> HOME) and a server for /home directories. I use ldapsam with openldap to
>> store all account info. I noticed while troubleshooting something else
>> that if I try to browse to the home directory of a system account, such
>> as "ldap" at \\HOME\ldap -- I am presented with a username/password
>> dialogue, even though the user "ldap" only exists in the systems
>> /etc/passwd file and is not in my openldap directory.
>> It seems as though I should get a "not found" message rather than
>> confirmation that this account exists on the system.  Why is samba also
>> looking for users in the /etc/passwd file if I have specified that I
>> want to use ldapsam?  How do I stop this behavior?
>> ldap passwd sync = no
>> ldap admin dn = "uid=sambaroot,ou=People,dc=example,dc=com"
>> passdb backend = ldapsam:ldap://
>> ldap ssl = off
>> ldap delete dn = yes
>> ldap suffix = dc=example,dc=com
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Group
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Idmap,dc=example,dc=com
>> idmap backend = ldap:ldap://
>> idmap uid = 16777216-33554431
>> idmap gid = 16777216-33554431

Thank you kindly for your quick reply.  I have been investigating the
ldapsam:trusted = yes option.  Initially I was unsuccessful until I
added the sambaGroupMapping objectclass to the cn=user,ou=Group...
entry.  Is this the right place to do this?  Also, I enter the group
type as "2", I think (for a domain group), but in the sambaSID in the
group mapping, do I copy the individual user's sambaSID or the
sambaPrimaryGroupSID from their entry in uid=user,ou=People... ?

It works with ldapsam:trusted = yes if I do either, but I'm guessing
that I should duplicate the user's sambaSID from their
uid=user,ou=People entry into their cn=user,ou=Group entry.  Is this

Again, thank you kindly.  -a

8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
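As an added illustration of the exposure discussed in this thread (not code from the thread or from the Samba project): a small audit script that reads an smb.conf and an /etc/passwd excerpt and lists the local system accounts a [homes] share could still resolve through NSS, treating either ldapsam:trusted = yes or an "invalid users" entry as closing the gap. Both input texts are constructed samples, and the system-account cutoff (uid <= 500) is an assumption you should set to match your distribution.

```python
import re

# Constructed smb.conf, modelled on the [global] settings quoted in the thread.
SMB_CONF = """
[global]
    workgroup = HOME
    passdb backend = ldapsam:ldap://
    ldap suffix = dc=example,dc=com
    invalid users = root

[homes]
    browseable = no
    writable = yes
"""

# Constructed /etc/passwd excerpt: "ldap" exists only here, not in the directory.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
amessina:x:16777216:16777216:Anthony:/home/amessina:/bin/bash
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with whitespace normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # smb.conf comment lines
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][' '.join(key.lower().split())] = value.strip()
    return sections

def exposed_system_accounts(smb_conf_text, passwd_text, system_uid_max=500):
    """Names from passwd with uid <= system_uid_max (assumed cutoff) that Samba would
    still look up via NSS for \\\\HOME\\<name>: empty if ldapsam:trusted = yes or if
    the setup is not ldapsam with a [homes] share; otherwise everyone not in
    'invalid users' (group entries such as @wheel are ignored here)."""
    conf = parse_smb_conf(smb_conf_text)
    g = conf.get('global', {})
    if 'homes' not in conf or not g.get('passdb backend', '').startswith('ldapsam'):
        return []
    if g.get('ldapsam:trusted', 'no').lower() in ('yes', 'true', '1'):
        return []   # getpwnam() is bypassed, so /etc/passwd-only users are not resolved
    invalid = {u for u in re.split(r'[,\s]+', g.get('invalid users', ''))
               if u and u[0] not in '@+&'}
    exposed = []
    for entry in passwd_text.splitlines():
        fields = entry.split(':')
        if len(fields) >= 7 and int(fields[2]) <= system_uid_max and fields[0] not in invalid:
            exposed.append(fields[0])
    return exposed
```

Running the check against the sample inputs reports bin and ldap as still reachable; adding them to "invalid users" or enabling ldapsam:trusted empties the list.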

