Konstantin Boyandin
2011-Jan-12 07:49 UTC
[Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
Hello,

On http://wiki.samba.org/index.php/4.0:_User_Management it is described how to set up and use the smbldap-tools package.

The question is, how to hide master passwords in such a case? smbldap-passwd may be called by non-root; thus, /etc/smbldap-tools/smbldap_bind.conf must be world-readable, and it keeps the passwords as plain text.

How can I allow users to change their passwords with smbldap-passwd without compromising the security?

Thanks.

Sincerely,
Konstantin
Daniel Müller
2011-Jan-12 08:29 UTC
[Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
????

On your Windows client: Ctrl+Alt+Del, Change password. The users will never see this password in smbldap_bind.conf.

-----------------------------------------------
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
Konstantin Boyandin
2011-Jan-12 16:30 UTC
[Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
01/12/2011 09:56 PM, TAKAHASHI Motonobu wrote:
> 2011/1/12 Konstantin Boyandin <temmokan at gmail.com>:
>> smbldap-passwd may be called by non-root; thus,
>> /etc/smbldap-tools/smbldap_bind.conf
>> must be world-readable, and it keeps the passwords as plain text.
>
> smbldap-passwd accesses to LDAP as a user who invoked itself.
>
> This behavior is different from Samba itself as always accesses as
> a user defined with "ldap admin dn".
>
> So simply set 600 to smbldap_bind.conf will solve the problem.

Yes, that did the trick, thank you! I thought the bind configuration should also be world readable.

> Also you need to add "by self write" to both sambaLMPassword
> and sambaNTPassword.

Yes, that has been set up and tested before I posted the question.

Sincerely,
Konstantin
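
The permission fix suggested in the thread, as an added example that is not part of the original messages: a small check that flags a bind configuration readable by group or other, applies mode 600 and re-verifies. It assumes GNU coreutils `stat`; the function names are hypothetical and the demo runs on a constructed stand-in file rather than the real `/etc/smbldap-tools/smbldap_bind.conf`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat(1);
# the function names are hypothetical.

# Return 0 if neither group nor other has any access to the file,
# 1 if they do, 2 if the file cannot be examined.
bind_conf_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The leading 0 makes the shell read the mode as octal; 077 masks
    # the group and other permission bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Apply the mode suggested in the thread, then re-check the result.
harden_bind_conf() {
    chmod 600 "$1" && bind_conf_is_private "$1"
}

# Demonstration on a constructed stand-in file, so the real
# configuration file is not touched.
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' '# constructed stand-in for smbldap_bind.conf' > "$f"
    chmod 644 "$f"   # the world-readable state the question assumed
    if bind_conf_is_private "$f"; then before=private; else before=exposed; fi
    if harden_bind_conf "$f"; then after=private; else after=exposed; fi
    rm -f "$f"
    echo "before=$before after=$after"
}

demo
```

Run as root against the real file, `bind_conf_is_private /etc/smbldap-tools/smbldap_bind.conf` can be used in a periodic check to catch the mode drifting back after a package upgrade.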