Hello,

I wanted to improve Samba security a bit, and add some new functions, so I worked around its code. Changes that I've done are described below. If anyone is interested, and wants my patch for testing, please send me a message. I'm not joining it here as it has 20kB gzipped. Patch is against clean Samba-1.9.18p8.

=======================================
Changes to the Samba 1.9.18p8
-------------------------------
1. Now ONLY users present in smbpasswd can use Samba (why, read below)
2. Added login time restriction checking
3. Added max simultaneous login sessions limit checking
4. Added three new smb.conf options
5. Added some documentation about 2,3,4
6. Fixed bug in chat_with_program function. Now it releases pty device
   after unix password change (successful or not) and 'wait' for killed
   'passwd program' after unsuccessful password change.
7. Fixes bugs in api_SetUserPassword

-------------------------------------------------------
Why only users present in smbpasswd can use Samba ?
-------------------------------------------------------
There are several reasons:
1. You want to control who can use Samba (not every unix user)
2. Special users like bin, ftp, daemon, adm .... should not have ANY
   possibility of using Samba
3. ROOT SHOULD NOT USE SAMBA
   Yes, he is too powerful. It is better to deliberately create
   'sambaadmin' user and give him write access to all the shares
   via 'write list' option in smb.conf.
4. You can more easily switch from unencrypted to encrypted passwords,
   as EVERY user will have its samba password sync via 'update encrypted'

I can find only one reason against:
1. More work for the administrator.
   BUT exists mksmbpasswd.sh :)
   BUT HE MUST EDIT SMBPASSWD AFTER !

-----------------------------------------------------------------
The patch has been thoroughly tested on Linux Slackware 3.4 with shadow passwords as server, and Windows for Workgroups 3.11, Windows 95 4.1111, and smbclient as client.
(Sorry, I have no NT)
(Code of password changing NEEDS TO BE TESTED ON NT !!!)
-------------------------------------------------------------------

I am waiting for any comments.
I AM NOT ON THIS LIST SO PLEASE REPLY DIRECTLY TO ME (jmunch@financier.com)

Cheers
Jacek