
Re: Bug#718865: Update and minimize /etc/samba/smbldap-machineadd-gosa



Hi Wolfgang,

On Tue 13 Aug 2013 13:21:00 CEST Wolfgang Schweer wrote:

On Mon, Aug 12, 2013 at 06:37:19PM +0200, Mike Gabriel wrote:
On Sun 11 Aug 2013 14:04:26 CEST Wolfgang Schweer wrote:

>On Sat, Aug 10, 2013 at 11:44:09AM +0200, Petter Reinholdtsen wrote:
>>[Wolfgang Schweer]
>>> Using a normal user account, the failure message is:
>>>
>>> "tree connect failed: NT_STATUS_LOGON_FAILURE"; so the issue is
>>> reproducible.
>>
>>I get this too when I provide the password.  But when I just press
>>[enter] on the password prompt, I am logged in and can see my files.
>>I guess Kerberos login works, while password check does not.
>
>Seems to be, cause smbclient -k //tjener/<uid> -U <uid> drops you
>immediately into a smb shell.
>
>I noticed a really scary thing:
>Logged in as a student using a teacher's uid with the above command, I'm
>able to get/put/rename/delete files and dirs, cause I seem to get the
>smb shell under that uid. Something seems to be misconfigured.
>
>Can someone try to reproduce this behaviour?

Reproducible here, as well.

To fix at least the security issue for the moment, disable the samba
service or add this to the [global] section of smb.conf and restart the
service.

auth methods = ntdomain

Access and logon won't work.

The cross-user-share access has been fixed in SVN. See latest commits.

There is one pending issue (described also here [1]).

I have a patch pending locally [2], but I would really like someone to review it before I commit it.

Now that I am re-reading the changelog entry again, I find it could be more explanative, which it will be once I commit the patch.

Mike

[1] https://lists.samba.org/archive/samba/2011-September/164127.html
[2] http://paste.debian.net/24701/

PS: from IRC...

19:31 < sunweaver> pere: around?
19:32 < sunweaver> I fixed these issues: cross-user access to homes, password change broker in GOsa²
19:32 < sunweaver> I have another one pending: add samba domain policies to the sambaDomainName=SKOLELINUX object.
19:32 < sunweaver> However, that I have to do during LDAP bootstrap on an object that already exists. -> ldapmodify...
19:33 < sunweaver> Do we have other objects like that in the LDAP DIT?
19:33 < sunweaver> I am a bit scared of playing with ldap-tools/ldap-debian-edu-install as one is so likely to break the complete D-E-I installation routine of the LDAP part of TJENER.
19:40 < sunweaver> pere: ^^^
19:54 < sunweaver> pere: can you please review this patch for ldap-tools/ldap-debian-edu-install?
19:54 < sunweaver> http://paste.debian.net/24700/
19:56 < sunweaver> hang on... updated: http://paste.debian.net/24701/
19:56 < sunweaver> the minpwdlength, of course, must be 5, not 7



--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
