[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

Rowland Penny rpenny at samba.org
Fri Sep 28 15:45:30 UTC 2018

On Fri, 28 Sep 2018 17:17:38 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > Marco Gaiarin via samba
> > Sent: Friday 28 September 2018 17:04
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and 
> > machine account access troubles.
> > 
> > Hi! L.P.H. van Belle via samba
> >   was saying on that day...
> > 
> > Ahem, I come back here.
> > 
> > > > I'm simply asking why the behaviour changed between 4.5 and
> > > > 4.8...
> > > This somewhere started in 4.6.
> > > These changes were needed due to security leaks. 
> > > See: 
> > > https://www.samba.org/samba/history/security.html 
> > > 24 May 2017 and up. 
> > 
> > I've read all security announcements from 24 May 2017 and up, but
> > found nothing that seems relevant to me (eg, found nothing about
> > guest access, user mapping, default domain or something like these).
> Ow, but I did mean almost all these CVEs are related. 
> There were just too many things to look up and go through all the code
> changes. 
> There was also a problem with mapping DOMAIN\user to user. 
> It's just too many to go through all these changes...
> Maybe Rowland's memory is better here.. 

No, but what I do know is this: you should not use guest access on a
domain member, Windows turns it off by default. Also 'Guest' doesn't
exist on a Unix domain member, you would have to map it to the Unix
domain user 'nobody'.

> > 
> > 
> > > If i could make it better for you i would, but it is as it is. 
> > 
> > And really I still don't understand why 'winbind use default 
> > domain = yes'
> > could not apply only to the 'current' domain (eg workgroup = LNFFVG),
> > as, it seems to me, the manpage says (and as it was before).
> This, I don't know, 

Neither do I, mostly because I don't understand what the OP is trying
to say ;-)

I will try to explain how it is supposed to work and why you should
only use it on a Unix domain member with one 'DOMAIN'.

If you have 'winbind use default domain = yes' in smb.conf, winbind
will basically just strip off the leading 'DOMAIN\' from user and group
names, so the user 'DOMAIN\fred' will become 'fred'. 
Okay so far?
Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
there is a user called 'fred' in both domains and you have 'winbind use
default domain = yes', you will end up with two users called 'fred'.


> but it's weekend now and my brains are powering
> off.. Only 2 people left in the office here... I'm closing now ... 
> I'll have a good look after the weekend, if nobody else got you a
> decent answer.
> Greetz, 
> Louis
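A quick check for the collision Rowland describes, added here as an example and not part of the thread: before enabling 'winbind use default domain = yes' on a member joined to more than one domain, list the short names that exist in several domains. The user list below is constructed to stand in for `wbinfo -u` output, and it assumes the default winbind separator '\'.

```shell
#!/bin/sh
# Constructed sample of what `wbinfo -u` prints on a member joined to
# DOMAINA and DOMAINB while 'winbind use default domain = no' (prefix kept).
SAMPLE='DOMAINA\fred
DOMAINA\alice
DOMAINB\fred
DOMAINB\bob'

# collisions LIST
#   LIST: one DOMAIN\user per line, as printed by `wbinfo -u`.
#   Prints every short name that appears in more than one domain, i.e.
#   the names that would collapse into a single Unix user once
#   'winbind use default domain = yes' strips the DOMAIN\ prefix.
collisions() {
    printf '%s\n' "$1" | sed 's/^[^\\]*\\//' | sort | uniq -d
}

# On a real member, feed the live list instead: collisions "$(wbinfo -u)"
collisions "$SAMPLE"
```

An empty result means the prefix can be dropped without two domain users mapping to the same Unix name; the same check works for groups with `wbinfo -g`.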
