[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#718865: Update and minimize /etc/samba/smbldap-machineadd-gosa

On Mon, Aug 12, 2013 at 07:09:34AM +0200, Arne Sørli wrote:
> [Petter Reinholdtsen]
> > I noticed a really scaring thing:
> > Logged in as a student using a teacher's uid with the above command, I'm
> > able to get/put/rename/delete files and dirs, cause I seem to get the
> > smb shell under that uid. Something seems to be misconfigured.
> > 
> > Can someone try to reproduce this behaviour?
> Yes, I got the same behaviour from XP SP3.
> Could log in as a teacher only knowing the teacher uid (using no password) and 
> could then delete files and so on. The same ting for browsing 
> \\TJENER\<username> (not logged in).
Most probably all this was due to empty LM and NT password hashes stored 
in LDAP, caused by changes in GOsa 2.7.4 (squeeze version was 2.6.x).

To get the hashes right, /etc/gosa/gosa.conf has to be changed (first 
backup the file).

Replace the string

"perl -MCrypt::SmbHash -e &quot;print join(q[:], ntlmgen \$ARGV[0]), $/;&quot;"


'perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen %password), $/;"'

Then all user passwords have to be changed using GOsa. Connections 
should then be possible using the new password, empty passwords should 

Please test if this works for Windows clients.


Attachment: signature.asc
Description: Digital signature

Reply to: