Hi!

I was just wondering if that piece of code was important (for security and such), because I had to comment it out in smbldap.c before compiling samba-3.0; otherwise, I would have errors like:

    "(Insufficient access)smbldap_open: cannot access LDAP when not root"

    #ifndef NO_LDAP_SECURITY
        if (geteuid() != 0) {
            DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
            return LDAP_INSUFFICIENT_ACCESS;
        }
    #endif

Thanks in advance for your answer.

Antoine
Hi,

Well, in samba 2.2.8 (in 2.2.4 it wasn't) there was a check like this in passdb/pdb_ldap.c:

    /* check that the user is in the domain admin group for connecting */
    if ( (uid != 0) && !user_in_list(pass->pw_name, lp_domain_admin_group()) ) {
        DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root or a member of domain admin group..\n"));
        return False;
    }

So users who belonged to the "domain admin group" were able to modify the LDAP base, for example add PCs to the domain without having uid=0. Basically samba3 is back at the 2.2.4 level. I saw this in the smb-ldap howto by IDEALX (the howto was written for 2.2.4) and there was a little patch.

As in samba3 there is no such variable as "domain admin group", there is no way users with uid!=0 can change LDAP... For big networks, adding PCs to the domain with one username and password (uid=0, rid=500) just doesn't make sense... IMHO groupmapping doesn't fill that hole, because no groupmap entry gives admin rights on LDAP.

Regards,
Rauno Tuul.

-----Original Message-----
From: Antoine Jacoutot ajacoutot at lphp.org
Tue Sep 16 16:21:49 GMT 2003

> I was just wondering if that piece of code was important (for security and such), because I had to comment it out in smbldap.c before compiling samba-3.0; otherwise, I would have errors like:
>
>     "(Insufficient access)smbldap_open: cannot access LDAP when not root"
>
>     #ifndef NO_LDAP_SECURITY
>         if (geteuid() != 0) {
>             DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
>             return LDAP_INSUFFICIENT_ACCESS;
>         }
>     #endif
-----Original Message-----
From: Antoine Jacoutot [mailto:ajacoutot@lphp.org]

> On Tuesday 16 September 2003 21:34, Rauno Tuul wrote:
> > IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
> > doesn't give admin rights on LDAP.
>
> So, you think that's ok to remove that piece of code, right?

Removing isn't the best solution, for security reasons. Then anyone can turn the LDAP into a mess...

Honestly said, the parameter "domain admin group" should come back. Some say it isn't necessary. But how can you add PCs to the domain with, for example, 2 users "brick" and "stone" (different passwords), when their uid isn't 0 and they aren't in the "admin users" list?

Rgds,
Rauno.
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
>
> |>IMHO groupmapping doesn't fill that hole, because whatever groupmap entry
> |>doesn't give admin rights on LDAP.
>
> You're thinking about this from the wrong perspective.
> The 'domain admin group' from 3.0 was a limited way to
> handle group mapping. Instead of being a smb.conf parameter,
> the domain admin group is now a mapping between the domain
> admins SID and a unix gid. The check will be pretty much
> the same. We'll just make the domain admin sid against
> the current user's NT_TOKEN.
>
> | Honestly said, the parameter "domain admin group" should come back.
> | Some say it isn't necessary.
>
> No. I can fix this just using the group mapping
> entry for "Domain Admins". We'll fix it post 3.0.0.

This LDAP access check against the group mapping entry for "Domain Admins" is a good idea and I'm glad to hear that the solution is coming. After some time, but hopefully it comes...

rgds,
- Rauno Tuul -
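The thread compares three ways of deciding who may open the privileged LDAP connection: the samba-3.0 check (effective uid must be 0), the samba-2.2.8 check (uid 0, or membership in the configured "domain admin group"), and the post-3.0.0 direction Jerry describes (the Domain Admins SID present in the caller's NT token). The following is an added example, not Samba source code, that writes each policy as a small pure function so the decision logic can be read and exercised side by side. The function names, the group name "domadm", the user "stone" and the SID strings are constructed for the example; the token is modelled as a list of SID strings rather than Samba's binary NT_TOKEN. The only well-known value is RID 512, which is the Domain Admins RID.

```c
/* Added example (not Samba source): the three LDAP access policies
 * discussed in the thread, written as pure functions so they can be
 * tested without a real LDAP server or a real passdb. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Policy 1: samba-3.0 smbldap_open. Only effective uid 0 may connect. */
int ldap_allowed_root_only(uid_t euid)
{
    return euid == 0;
}

/* Policy 2: samba-2.2.8 pdb_ldap.c. uid 0, or membership in the
 * configured "domain admin group", is sufficient. The caller passes the
 * user's group names (on a live system they would come from
 * getgrouplist(3)); an empty/NULL admin group means "root only". */
int ldap_allowed_root_or_group(uid_t uid, const char *const *user_groups,
                               size_t ngroups, const char *admin_group)
{
    if (uid == 0)
        return 1;
    if (admin_group == NULL || admin_group[0] == '\0')
        return 0; /* no admin group configured: do not widen access */
    for (size_t i = 0; i < ngroups; i++)
        if (strcmp(user_groups[i], admin_group) == 0)
            return 1;
    return 0;
}

/* Policy 3: the direction named in Jerry's reply. Check whether the
 * Domain Admins SID is among the SIDs in the caller's token. SIDs are
 * modelled as strings here; the comparison is exact, so a token
 * carrying only the user's own SID (RID 1001) is refused. */
int ldap_allowed_by_token(const char *const *token_sids, size_t nsids,
                          const char *domain_admins_sid)
{
    if (domain_admins_sid == NULL)
        return 0;
    for (size_t i = 0; i < nsids; i++)
        if (strcmp(token_sids[i], domain_admins_sid) == 0)
            return 1;
    return 0;
}

/* Constructed sample data for the thread's scenario: user "stone" has
 * uid 1001, is in unix group "domadm", and holds the Domain Admins SID
 * (RID 512) of a made-up domain S-1-5-21-1-2-3 in her token. */
static const uid_t sample_stone_uid = 1001;
static const char *const sample_stone_groups[] = { "users", "domadm" };
static const size_t sample_stone_ngroups = 2;
static const char *const sample_stone_sids[] = {
    "S-1-5-21-1-2-3-1001", /* stone's own SID */
    "S-1-5-21-1-2-3-512"   /* Domain Admins */
};
static const size_t sample_stone_nsids = 2;
static const char *const sample_domain_admins_sid = "S-1-5-21-1-2-3-512";

int main(void)
{
    printf("stone, root-only policy:      %s\n",
           ldap_allowed_root_only(sample_stone_uid) ? "allowed" : "refused");
    printf("stone, root-or-group policy:  %s\n",
           ldap_allowed_root_or_group(sample_stone_uid, sample_stone_groups,
                                      sample_stone_ngroups, "domadm")
               ? "allowed" : "refused");
    printf("stone, token policy:          %s\n",
           ldap_allowed_by_token(sample_stone_sids, sample_stone_nsids,
                                 sample_domain_admins_sid)
               ? "allowed" : "refused");
    return 0;
}
```

Run as written, the root-only policy refuses "stone" while the other two allow her, which is exactly the difference the thread is about: the 2.2.8 and token-based checks let a non-root domain administrator join machines, whereas the 3.0 check forces every such operation through uid 0. Note that in policy 2 an unconfigured admin group leaves the check at root-only rather than silently allowing everyone, which is the safe default when the parameter is missing.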