Florian Effenberger
2005-Oct-02 11:09 UTC
[Samba] prevent normal users from getting userlist
Hello,

I run Samba 3.0.20a with Windows XP Professional SP2 client. I found out that when a normal (i.e. not domain administrator) user runs the old Windows NT 4 user client, it can retrieve the whole list of usernames and fullnames.

Can that be prohibited in any way?

Thanks
Florian
On Sun, 2005-10-02 at 13:09 +0200, Florian Effenberger wrote:
> Hello,
>
> I run Samba 3.0.20a with Windows XP Professional SP2 client. I found out
> that when a normal (i.e. not domain administrator) user runs the old
> Windows NT 4 user client, it can retrieve the whole list of usernames
> and fullnames.
>
> Can that be prohibited in any way?

Not without breaking functionality. See, any user should be able to run the ACL editor, and assign rights to users and groups.

You could modify code to lock this down, but I would be worried about the consequences, as well as what other means (direct LDAP query, for example) you would also need to lock down.

I know this is difficult in strict privacy environments.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Florian Effenberger
2005-Oct-03 13:21 UTC
[Samba] prevent normal users from getting userlist
Hi Andrew,

> Not without breaking functionality. See, any user should be able to run
> the ACL editor, and assign rights to users and groups.
>
> You could modify code to lock this down, but I would be worried about
> the consequences, as well as what other means (direct LDAP query, for
> example) you would also need to lock down.
>
> I know this is difficult in strict privacy environments.

you are right, of course, I did not think of the ACL features needed! However, there are some environments where it could as well be illegal to allow every user to fetch the whole user list.

Are there any plans to implement a feature to disable getting user list for some users?

Thanks!
Florian