Re: root password is not stored in /etc/cipux/
Christian Kuelker skrev:
> Hi,
>
> On Tuesday 12 December 2006 13:10, Finn-Arne Johansen wrote:
>> I'll retry to get you to understand this.
>>
>> The password for the smbadmin user is _not_ the same as the root
>> account, nor ldap admin account.
>
> Yes I understand this, Look in my first mail in this threat.
Well, I've read all your mails, and to me it seems like you mean that
when you do a clean install, of both Skolelinux 1.0 (Venus) and
Skolelinux 2.0 (and since nothing has until now, also for Skolelinux
3.0), you will have the choosen root password stored, not in clear text,
but scrambled, obfuscated or call it whatever you want, you will get the
root password you entered while installing the server if you run this
command:
tdbdump /var/lib/samba/secrets.tdb
This is wrong, and has been, since oen of the prereleases for Skolelinux
1.0. I Know this for a fact, because I changed this behaviour before we
relased Skolelinux 1.0, and the script that sets up samba on DebianEdu
has changed very little since then.
>
> We have 3 etities:
>
> cn=admin
> cn=smbadmin
> cn=cipadmin
I know why you need smbadmin, that's because you dont want to store the
ldap admin password in /var/lib/samba/secrets.tdb.
But why you need to have a cipadmin user, I dont understand.
> All of then could have 3 different password hashes in LDAP.
> The passord is of smbadmin is stored in clear text on HD.
I dont quite agree that it's in cleartext, but I kind of agree with you.
> and we have (posix) user root with an encrypted password stored in shadow
>
> which must be identical to the 3 others, but was identical at least till
> sarge.
Please read those 3 (4?) lines again. And do a clean install of either
one of the releases, and then do tdbdump ...
I would be very surprised if you do get the same password as the one you
entered as root password....
>> It could be, but by default it's not the same.
>
> On Every sarge and woody system which was installed and not modified, it was
> the same.
No, it was not. See my mail earlier.
> Or has this changed in etch?
not that I know of, but I'm not that involved anymore ....
> (I ask this question now more than once in this tread, and no answer till
> now.)
>
>> Normally, noone knows the password for the smbadmin ldap user, unless
>> they've done a tdbdump /var/lib/samba/secrets.tdb
>
> if its not the same, yes.
By default it's not the same....
>> And with the default settings, it should not be possible to generate a
>> normal user account, to be used for logging in on the system.
>
> good. (but you are not 100% sure, aren't you?)
I have an idea that some maybe could investigate if it's possible to
exploit, but I want to discuss that internally in the security-team first.
>> To get a working samba implementation, it's not possible to _not_ store
>> this password hashed in /var/lib/samba/secrets.
>
> This is exactly what I mean!
But it's possible to get it more secure then today, but that means that
the machine accounts would have to be created from an ldap-based
Administration tool before the machines are joined.
> And pere should understand that this is also true for every other
> Samba like framework which have to connect to the LDAP server,
> like CipUX.
>
>> It is however possible
>> to make it impossible to use that password to create new accounts. to do
>> this, you have to create the machine accounts before joining the
>> machines to the domain.
>
> well and how dos samba retrieve LDAP information without a password? You
> know that SAMBA do a lot of LDAP queries in a productive environment. Even
> after machine accounts have been created.
I know, but it's easy to limit what attributes that the smbadmin account
are allowed to update/add.
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Reply to: