Hi!
I was just wondering if that piece of code was important (for security
and such), because I had to comment it out in smbldap.c before compiling
samba-3.0; otherwise, I would have errors like:
"(Insufficient access)smbldap_open: cannot access LDAP when not root"
    #ifndef NO_LDAP_SECURITY
        if (geteuid() != 0) {
            DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
            return LDAP_INSUFFICIENT_ACCESS;
        }
    #endif
Thanks in advance for your answer.
Antoine
Hi,
Well, in samba 2.2.8 (it wasn't in 2.2.4) there was a check in passdb/pdb_ldap.c like this:
    /* check that the user is in the domain admin group for connecting */
    if ( (uid != 0) && !user_in_list(pass->pw_name, lp_domain_admin_group()) ) {
        DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root or a member of domain admin group..\n"));
        return False;
    }
So users who belonged to the "domain admin group" were able to modify the LDAP
base, for example add PCs to the domain without having uid=0. Basically samba3 is
back at the 2.2.4 level.
I saw this in the smb-ldap howto by IDEALX (the howto was written for 2.2.4) and
there was a little patch. As in samba3 there is no such variable as "domain
admin group", there is no way users with uid!=0 can change LDAP...
For big networks, adding PCs to the domain with one username and password (uid=0,
rid=500) just doesn't make sense...
IMHO groupmapping doesn't fill that hole, because a groupmap entry, whatever it is,
doesn't give admin rights on LDAP.
Regards,
Rauno Tuul.
-----Original Message-----
From: Antoine Jacoutot ajacoutot at lphp.org
Tue Sep 16 16:21:49 GMT 2003

> I was just wondering if that piece of code was important (for security
> and such), because I had to comment it out in smbldap.c before compiling
> samba-3.0; otherwise, I would have errors like:
> "(Insufficient access)smbldap_open: cannot access LDAP when not root"
>
>     #ifndef NO_LDAP_SECURITY
>         if (geteuid() != 0) {
>             DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
>             return LDAP_INSUFFICIENT_ACCESS;
>         }
>     #endif
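The two checks this thread compares, written out side by side as an added example (this is not Samba's code): the samba-3.0 root-only test from smbldap_open and the 2.2.8 root-or-"domain admin group" test from ldap_open_connection. user_in_list() here is a hypothetical stand-in that only splits the list on spaces and commas and does not expand @group entries the way Samba's own helper does; LDAP_INSUFFICIENT_ACCESS is the standard LDAP result code 50.

```c
/* Added example, not Samba's code. Two LDAP access checks side by side:
 * samba-3.0 (root only) and samba-2.2.8 (root or "domain admin group").
 * user_in_list() is a hypothetical stand-in: it treats the list as a
 * space/comma separated set of user names and does NOT expand @group
 * entries the way Samba's real helper does. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LDAP_INSUFFICIENT_ACCESS 50   /* insufficientAccessRights, RFC 4511 */

/* Return 1 if `user` is exactly one of the names in `list`, else 0.
 * Whole-token comparison, so "brick" does not match "bricks". */
static int user_in_list(const char *user, const char *list)
{
    size_t ulen = strlen(user);
    const char *p = list;

    while (*p) {
        while (*p == ' ' || *p == ',' || *p == '\t') p++;   /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != ',' && *p != '\t') p++;
        if ((size_t)(p - start) == ulen && strncmp(start, user, ulen) == 0)
            return 1;
    }
    return 0;
}

/* samba-3.0 style: only euid 0 may open the LDAP connection.
 * Returns 0 (LDAP_SUCCESS) or LDAP_INSUFFICIENT_ACCESS. */
int smbldap_open_check_30(uid_t euid)
{
    if (euid != 0) {
        fprintf(stderr, "smbldap_open: cannot access LDAP when not root..\n");
        return LDAP_INSUFFICIENT_ACCESS;
    }
    return 0;
}

/* samba-2.2.8 style: root, or a user named in "domain admin group".
 * Returns 1 (True) when access is allowed, 0 (False) otherwise. */
int ldap_open_check_228(uid_t uid, const char *pw_name, const char *domain_admin_group)
{
    if ((uid != 0) && !user_in_list(pw_name, domain_admin_group)) {
        fprintf(stderr, "ldap_open_connection: cannot access LDAP when not root "
                        "or a member of domain admin group..\n");
        return 0;
    }
    return 1;
}
```

With the 2.2.8 check, the two non-root users "brick" and "stone" from this thread can be allowed by listing them in the admin group, while the 3.0 check rejects both regardless.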
-----Original Message-----
From: Antoine Jacoutot [mailto:ajacoutot@lphp.org]

On Tuesday 16 September 2003 21:34, Rauno Tuul wrote:
> IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
> doesn't give admin rights on LDAP.

So, you think that's ok to remove that piece of code, right?

Removing isn't the best solution, for security reasons. Then anyone can turn the LDAP into a mess...
Honestly said, the parameter "domain admin group" should come back. Some say it isn't necessary.
But how can you add PCs to the domain with, for example, 2 users "brick" and "stone" (different passwords),
when their uid isn't 0 and they aren't in the "admin users" list?
Rgds,
Rauno.
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
>
> |>IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
> |>doesn't give admin rights on LDAP.
>
> You're thinking about this from the wrong perspective.
> The 'domain admin group' from 3.0 was a limited way to
> handle group mapping. Instead of being a smb.conf parameter,
> the domain admin group is now a mapping between the domain
> admins SID and a unix gid. The check will be pretty much
> the same. We'll just make the domain admin sid against
> the current user's NT_TOKEN.
>
> | Honestly said, the parameter "domain admin group" should come back.
> | Some say it isn't necessary.
>
> No. I can fix this just using the group mapping
> entry for "Domain Admins". We'll fix it post 3.0.0.

This LDAP access check against the group mapping entry for "Domain Admins" is a good idea and I'm glad to hear that a solution is coming. After some time, but hopefully it comes...
rgds,
- Rauno Tuul -