Rowland Penny
2018-Sep-28  15:45 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Fri, 28 Sep 2018 17:17:38 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Marco Gaiarin via samba
> > Sent: Friday 28 September 2018 17:04
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and
> > machine account access troubles.
> >
> > Hello! L.P.H. van Belle via samba wrote on that day...
> >
> > Ahem, I come back here.
> >
> > > > I'm simply asking why the behaviour changed between 4.5 and
> > > > 4.8...
> > > This somewhere started in 4.6.
> > > These changes were needed due to security leaks.
> > > See:
> > > https://www.samba.org/samba/history/security.html
> > > 24 May 2017 and up.
> >
> > I've read all security announcements from 24 May 2017 and up, but
> > found nothing that seems relevant to me (e.g., found nothing about
> > guest access, user mapping, default domain or something like these).
>
> Ow, but I did mean almost all these CVEs are related.
> There were just too many things to look up and go through all the code
> changes.
>
> There was also a problem with mapping DOMAIN\user to user.
> It's just too many to go through all these changes...
> Maybe Rowland's memory is better here..

No, but what I do know is this, you should not use guest access on a domain member, Windows turns it off by default. Also 'Guest' doesn't exist on a Unix domain member, you would have to map it to the Unix domain user 'nobody'

> > >
> > >
> > > If I could make it better for you I would, but it is as it is.
> >
> > And really I still don't understand why 'winbind use default
> > domain = yes'
> > could not apply only to the 'current' domain (e.g. workgroup = LNFFVG),
> > as, it seems to me, the manpage says (and as it was before).
>
> This, I don't know,

Neither do I, mostly because I don't understand what the OP is trying to say ;-)

I will try to explain how it is supposed to work and why you should only use it on a Unix domain member with one 'DOMAIN'.

If you have 'winbind use default domain = yes' in smb.conf, winbind will basically just strip off the leading 'DOMAIN\' from user and group names. So the user 'DOMAIN\fred' will become 'fred'.

Okay so far?

Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and there is a user called 'fred' in both domains and you have 'winbind use default domain = yes', you will end up with two users called 'fred'.

Rowland

> but it's weekend now and my brains are powering
> off.. Only 2 people left in the office here... I'm closing now ...
>
> I'll have a good look after the weekend, if nobody else got you a
> decent answer.
>
> Greetz,
>
> Louis
Marco Gaiarin
2018-Oct-02  15:00 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hello! Rowland Penny via samba wrote on that day...

> No, but what I do know is this, you should not use guest access on a
> domain member, Windows turns it off by default. Also 'Guest' doesn't
> exist on a Unix domain member, you would have to map it to the Unix
> domain user 'nobody'

No, this is not exactly true. You forget the 'guest account' option, that has the default value 'nobody'.

So, even without specifying guest mapping, guest accounts are mapped to 'nobody'.

> If you have 'winbind use default domain = yes' in smb.conf, winbind
> will basically just strip off the leading 'DOMAIN\' from user and group
> names. so the user 'DOMAIN\fred' will become 'fred'.
> Okay so far ?
> Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
> there is a user called 'fred' in both domains and you have 'winbind use
> default domain = yes', you will end up with two users called 'fred'.

Ok, perfectly clear. But the manpage seems to me to say something different:

    This parameter specifies whether the winbindd(8) daemon should operate on users without a domain component in their username. Users without a domain component are treated as if part of the winbindd server's own domain.

'own domain' for me is 'workgroup'. And really I don't understand why an option like that has to strip ALL domain parts, and not only the 'own' one...

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland Penny
2018-Oct-02  15:31 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Tue, 2 Oct 2018 17:00:43 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba wrote on that day...
>
> > No, but what I do know is this, you should not use guest access on a
> > domain member, Windows turns it off by default. Also 'Guest' doesn't
> > exist on a Unix domain member, you would have to map it to the Unix
> > domain user 'nobody'
>
> No, this is not exactly true. You forget the 'guest account' option,
> that has the default value 'nobody'.
>
> So, even without specifying guest mapping, guest accounts are mapped to
> 'nobody'.
>

OK, Windows 'Guest' != Unix 'nobody'
It might seem as if it does, but it doesn't

> > If you have 'winbind use default domain = yes' in smb.conf, winbind
> > will basically just strip off the leading 'DOMAIN\' from user and
> > group names. so the user 'DOMAIN\fred' will become 'fred'.
> > Okay so far ?
> > Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
> > there is a user called 'fred' in both domains and you have 'winbind
> > use default domain = yes', you will end up with two users called
> > 'fred'.
>
> Ok, perfectly clear. But the manpage seems to me to say something different:
>
> This parameter specifies whether the winbindd(8) daemon should
> operate on users without a domain component in their username. Users
> without a domain component are treated as if part of the winbindd
> server's own domain.

OK, it might say that, but, I have 'winbind use default domain = yes' set on my Unix domain members and if I run 'getent passwd rowland' on one, I get:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

But on a DC, where the line has no effect:

SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The line removes the domain name and just leaves the username. You can use 'winbind use default domain = yes' in smb.conf if you only have one DOMAIN set, if you set another trusted DOMAIN, you must not use it.

Rowland
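An added check, not part of this thread or of Samba itself: a small Python linter for the two smb.conf settings Rowland describes (guest access on a domain member, and 'winbind use default domain = yes' when more than one domain is configured). The sample smb.conf is constructed; LNFFVG is the OP's workgroup, OTHERDOM is an assumed second domain.

```python
import re

# Constructed smb.conf for a Unix domain member (not taken from the thread).
SAMPLE_SMB_CONF = """
[global]
    workgroup = LNFFVG
    security = ads
    winbind use default domain = yes
    map to guest = Bad User
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config LNFFVG : backend = rid
    idmap config LNFFVG : range = 10000-999999
    idmap config OTHERDOM : backend = rid
    idmap config OTHERDOM : range = 1000000-1999999
"""

def parse_global(text):
    """Return the [global] parameters as {key: value}; keys lower-cased with single spaces."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Flag the two settings debated in the thread; returns a list of finding strings."""
    p = parse_global(text)
    findings = []
    # Every 'idmap config DOMAIN : ...' key except the '*' default names a domain winbind serves.
    domains = sorted({m.group(1).upper() for m in
                      (re.match(r"idmap config (\S+) :", k) for k in p) if m and m.group(1) != "*"})
    if p.get("winbind use default domain", "no").lower() in ("yes", "true", "1") and len(domains) > 1:
        findings.append("winbind use default domain = yes with domains %s: "
                        "same-named users in different domains collapse to one name" % domains)
    # 'map to guest' defaults to Never; anything else enables guest access on this member.
    if p.get("security", "").lower() == "ads" and p.get("map to guest", "never").lower() != "never":
        findings.append("map to guest = %s on a domain member: guest access enabled" % p["map to guest"])
    return findings
```

Running `lint(SAMPLE_SMB_CONF)` reports both findings; removing the OTHERDOM idmap lines and setting `map to guest = Never` clears them.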