
RFT: samba-ldap



I have recompiled samba-2.2.3a from debian.security.org with
ldap-support. 
I have also created a samba-ldap package to bind the samba-package to
the one compiled with ldap-support. 

We, both Petter Reinholdtsen, responsible for the Skolelinux
architecture, and the Security Team, have some thoughts about security on
this package. So this package may, or may not, become a part of
Skolelinux. 
The security concern is: 
 Samba, in the way it is set up now, needs to have write access to the
ldap DB. This is done by creating a smbadmin, which is allowed to
create accounts, both posixAccount and sambaAccount, but who is not
able to update the userPassword. It _is_ able to update/set the two
passwords in use for samba, namely ntPassword and lmPassword. I have
tried to limit access only to those two + the lastChanged entry, but then I
was not able to add samba-users nor samba workstation accounts. 
 When set up, samba needs to have a root account, to be able to add
workstation accounts. Initially this account password is set to be the
same as the ldap-administrator account. You may however change this by
running "smbpasswd -a root"
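As an added illustration of the split described above (this is not configuration from the post or from the samba-ldap package), the following slapd.conf access-control fragment gives the LDAP administrator full rights while the Samba helper account may only set the two Samba password hashes plus the change timestamp, and never the Unix userPassword. The suffix and the two DNs are placeholders, the attribute name pwdLastSet is assumed to be what the post calls the "lastChanged entry" (it is the name used by the Samba 2.2 schema), and the dn.subtree syntax is OpenLDAP 2.1-style.

```conf
# Added example, not part of the original post or package.
# Placeholders: dc=example,dc=org and the two DNs below.
# Order matters: slapd stops at the first "access to" clause that
# matches the target, so the attribute-specific rules come first.

# The Unix password is reserved to the LDAP administrator (and, for
# password changes, to the user) and is needed for authentication binds.
access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# The Samba hashes and the change timestamp are the only password-related
# attributes the Samba helper account may write (pwdLastSet is assumed to be
# the attribute the post refers to as lastChanged).
access to attrs=lmPassword,ntPassword,pwdLastSet
        by dn="cn=admin,dc=example,dc=org" write
        by dn="cn=smbadmin,dc=example,dc=org" write
        by * none

# Creating new posixAccount/sambaAccount entries (users and workstation
# accounts) needs write access to the entries themselves, not just to the
# password attributes; restricting smbadmin to the attributes above alone
# is what makes account creation fail.
access to dn.subtree="ou=People,dc=example,dc=org"
        by dn="cn=admin,dc=example,dc=org" write
        by dn="cn=smbadmin,dc=example,dc=org" write
        by * read
```

Because the first matching clause wins, the two attrs= rules still apply to entries under ou=People even though the last rule grants smbadmin write on the whole subtree; swapping the order would silently give smbadmin write on userPassword as well, so after editing the ACL it is worth binding as the helper DN and confirming that a modify of userPassword is refused while a modify of ntPassword succeeds.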

okay, how to test then: 

have a somewhat fresh installation of main-server
have wlus >= 1.2-15
install the samba-ldap

make sure that nscd is stopped during the adding of users
add some users, which then will have samba-passwords. 

unless you stop nscd during the adding of users, you will not be able
to create working samba-users. 
And unless you have added some users after you added samba-ldap, you
will not be able to log in. 
If you want to use your existing users, you have to give them some
password by running 
 smbpasswd -a <username>

if you don't like the idea of letting other users know your root account
password for the main-server, you may change the password (or set it if
not already done) by using 
 smbpasswd -a root
This password is to be used when adding win2k (and hopefully winXP)
workstations to the skolelinux domain. 

join the Win2k workstation to the domain, by right-clicking on "My
Computer", select Properties, select "Network identification", Select
Properties. 

Then if your computer already is a member of the domain "Skolelinux",
make it a member of a Workgroup, say "Bzzware.org"

This is done by clicking the Radio-button "Workgroup", and entering
"bzzware.org" in the textbox below, and press OK

Then after some seconds, you will get a greeting welcoming you to the
workgroup "bzzware.org". Click OK, and you will be told to reboot
before the changes take effect. 

Ignore that message, by clicking OK. 
Then Click "Properties" again, and click on the Radio-button "Domain",
and enter "skolelinux" in the textbox below. 
Click OK, and you will be prompted for a name/password. Enter the name
"root", and the password should be the ldap-administrator password (the
initial root password) and press OK

then you will (after some time) get a "Welcome to the skolelinux
domain". Press OK
then you will get a message to "reboot before the changes take effect".
Press OK 
Then in the "System properties" box, press OK
And you get a new box asking you if you want to reboot. Press Yes.

Then you might log into your system with one account created by WLUS. 

Now how could you get these nice packages? For now, they reside in the
woody-test source, and you may get them by adding this source to your
/etc/apt/sources.list. 

but I've also added a samba-ldap source which will give you just the
packages needed, by adding the line 
 deb http://ftp.skolelinux.no/skolelinux woody samba-ldap
to your /etc/apt/sources.list

then run 
 apt-get update
and finally 
 apt-get install samba-ldap


-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/