Re: root password is not stored in /etc/cipux/

To: debian-edu@lists.debian.org
Subject: Re: root password is not stored in /etc/cipux/
From: Christian Kuelker <christian.kuelker@cipworx.org>
Date: Tue, 12 Dec 2006 13:57:26 +0100
Message-id: <[🔎] 200612121357.26649.christian.kuelker@cipworx.org>
In-reply-to: <[🔎] 457E9C49.3020708@bzz.no>
References: <[🔎] 200612120951.02371.christian.kuelker@cipworx.org> <[🔎] 457E8449.3080701@bzz.no> <[🔎] 457E9C49.3020708@bzz.no>

Hi,

On Tuesday 12 December 2006 13:10, Finn-Arne Johansen wrote:
> I'll retry to get you to understand this.
>
> The password for the smbadmin user is _not_ the same as the root
> account, nor ldap admin account.

Yes I understand this, Look in my first mail in this threat.

We have 3 etities:

cn=admin
cn=smbadmin
cn=cipadmin

All of then could have 3 different password hashes in LDAP.
The passord is of smbadmin is stored in clear text on HD.

and we have (posix) user root with an encrypted password stored in shadow 

which must be identical to the 3 others, but was identical at least till 
sarge.

> It could be,  but by default it's not the same.

On Every sarge and woody system which was installed and not modified, it was 
the same.

Or has this changed in etch?
(I ask this question now more than once in this tread, and no answer till 
now.)

> Normally, noone knows the password for the smbadmin ldap user, unless
> they've done a tdbdump /var/lib/samba/secrets.tdb

if its not the same, yes.

> And with the default settings, it should not be possible to generate a
> normal user account, to be used for logging in on the system.

good.  (but you are not 100% sure, aren't you?)

> To get a working samba implementation, it's not possible to _not_ store
> this password hashed in /var/lib/samba/secrets. 

This is exactly what I mean! 

And pere should understand that this is also true for every other 
Samba like framework which have to connect to the LDAP server, 
like CipUX.

> It is however possible 
> to make it impossible to use that password to create new accounts. to do
> this, you have to create the machine accounts before joining the
> machines to the domain.

well and how dos samba retrieve LDAP information without a password? You
know that SAMBA do a lot of LDAP queries in a productive environment. Even 
after machine accounts have been created.

But what you probably  meant was, you can change the ACL after account 
creation and change or change maybe not the password on the disk.

Of course this more secure. But this is not quite possible for a tool which 
has the aim of creating accounts! 

A good thing would be to make an ACL which forbid to create accounts with id=0 

Is this possible?

But the fact remains: the password is stored on the disk.

Greetings
Christian

Reply to:

Follow-Ups:
- Re: root password is not stored in /etc/cipux/
  - From: RalfGesellensetter <rgx@gmx.de>
- Re: root password is not stored in /etc/cipux/
  - From: Finn-Arne Johansen <faj@bzz.no>

References:
- root password is not stored in /etc/cipux/
  - From: Christian Kuelker <christian.kuelker@cipworx.org>
- Re: root password is not stored in /etc/cipux/
  - From: Finn-Arne Johansen <faj@bzz.no>
- Re: root password is not stored in /etc/cipux/
  - From: Finn-Arne Johansen <faj@bzz.no>

Prev by Date: Re: root password is not stored in /etc/cipux/
Next by Date: Re: root password is not stored in /etc/cipux/
Previous by thread: Re: root password is not stored in /etc/cipux/
Next by thread: Re: root password is not stored in /etc/cipux/
Index(es):
- Date
- Thread