[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#718865: Update and minimize /etc/samba/smbldap-machineadd-gosa



Hi Wolfgang,

On Di 13 Aug 2013 13:21:00 CEST Wolfgang Schweer wrote:

On Mon, Aug 12, 2013 at 06:37:19PM +0200, Mike Gabriel wrote:
On So 11 Aug 2013 14:04:26 CEST Wolfgang Schweer wrote:

>On Sat, Aug 10, 2013 at 11:44:09AM +0200, Petter Reinholdtsen wrote:
>>[Wolfgang Schweer]
>>> Using a normal user account, the failure message is:
>>>
>>> "tree connect failed: NT_STATUS_LOGON_FAILURE"; so the issue is
>>> reproducible.
>>
>>I get this too when I provide the password.  But when I just press
>>[enter] on the password prompt, I am logged in and can see my files.
>>I guess Kerberos login work, while password check do not.
>
>Seems to be, cause smbclient -k //tjener/<uid> -U <uid> drops you
>immediatly into a smb shell.
>
>I noticed a really scaring thing:
>Logged in as a student using a teacher's uid with the above command, I'm
>able to get/put/rename/delete files and dirs, cause I seem to get the
>smb shell under that uid. Something seems to be misconfigured.
>
>Can someone try to reproduce this behaviour?

Reproducible here, as well.

To fix at least the security issue for the moment, disable the samba
service or add this to the [global] section of smb.conf and restart the
service.

auth methods = ntdomain

Access and logon won't work.

The cross-user-share access has been fixed in SVN. See latest commits.

There is one pending issue (described also here [1]).

I have a patch pending locally [2], but I would really like someone to review it before I commit it.

Now that I am re-reading the changelog entry again, I find it could be more explanative which it will be once I commit the patch.

Mike

[1] https://lists.samba.org/archive/samba/2011-September/164127.html
[2] http://paste.debian.net/24701/

PS: from IRC...

19:31 < sunweaver> pere: around?
19:32 < sunweaver> I fixed these issues: cross-user access to homes, password change broker in GOsa² 19:32 < sunweaver> I have another one pending: add samba domain policies to the sambaDomainName=SKOLELINUX
                   object.
19:32 < sunweaver> However, that I have to do during LDAP bootstrap on an object that already exists. ->
                   ldapmodify...
19:33 < sunweaver> Do we have other objects like that in the LDAP DIT?
19:33 < sunweaver> I am a bit scared of playing with ldap-tools/ldap-debian-edu-install as one is so likely to break the complete D-E-I installation routine of the LDAP part of TJENER.
19:40 < sunweaver> pere: ^^^
19:54 < sunweaver> pere: can you please review this patch for ldap-tools/ldap-debian-edu-install?
19:54 < sunweaver> http://paste.debian.net/24700/
19:56 < sunweaver> hang on... updated: http://paste.debian.net/24701/
19:56 < sunweaver> the minpwdlength, of course, must be 5, not 7



--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Attachment: pgpWyRjzY7YJb.pgp
Description: Digitale PGP-Unterschrift


Reply to: