Andrew Telford
2000-Mar-01 03:04 UTC
[security=SERVER] Restricting to users from a single domain
I am testing samba-2.0.6 with security = SERVER (as a prelude to moving to DOMAIN security). At the moment I have "password server = %m" and am aware of its own security vulnerabilities. Everything works OK.

Suppose "foo" is a valid account on the unix machines and it is also an account on the top level company domain "bar". Then I have observed that someone logged on as "bar\foo" on a PC will be given access to samba as user "foo". So far so good.

Unfortunately, if I am on an NT machine called "mypc" with a local account also called "foo", then a local account user "mypc\foo" will also gain access to the "foo" account on the unix machine. This is, it seems, a big security vulnerability.

Is there a way to restrict user mypc\foo while still allowing bar\foo to log on? In other words, I want to only allow authentication of accounts in the top level company domain.

Andrew

P.S. I have checked the smbd log files with log level >1 to verify the authentication described above.
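The two smb.conf fragments below are an added illustration, not part of the original post. The first reproduces the setting described above, where "%m" expands to the NetBIOS name of the connecting client, so smbd forwards the password check to whichever machine is connecting (and a local "mypc\foo" satisfies it). The second pins the password server to a domain controller of "bar"; the name BARPDC is a placeholder for the real controller's NetBIOS name.

```ini
# --- weak: the client names its own password server ---
[global]
   workgroup = BAR
   security = server
   ; %m = NetBIOS name of the client that is connecting.
   ; A user with a local account "foo" on their own PC
   ; therefore authenticates against their own PC.
   password server = %m

# --- corrected: always verify against the domain controller ---
[global]
   workgroup = BAR
   security = server
   ; BARPDC is a placeholder for the domain controller's NetBIOS
   ; name (use the real PDC/BDC here, not a workstation name).
   ; Local accounts on "mypc" are no longer consulted.
   password server = BARPDC
```

After changing the value, reconnect from "mypc" with the local "foo" account and confirm in the smbd log (log level > 1) that the authentication attempt is sent to BARPDC and rejected.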