Hi Wolfgang,

On Fr 16 Aug 2013 11:42:43 CEST Wolfgang Schweer wrote:

On Mon, Aug 12, 2013 at 07:09:34AM +0200, Arne Sørli wrote:
[Petter Reinholdtsen]
> I noticed a really scary thing:
> Logged in as a student using a teacher's uid with the above command, I'm
> able to get/put/rename/delete files and dirs, cause I seem to get the
> smb shell under that uid. Something seems to be misconfigured.
>
> Can someone try to reproduce this behaviour?

Yes, I got the same behaviour from XP SP3. Could log in as a teacher only knowing the teacher uid (using no password) and could then delete files and so on. The same thing for browsing \\TJENER\<username> (not logged in).

Most probably all this was due to empty LM and NT password hashes stored in LDAP, caused by changes in GOsa 2.7.4 (squeeze version was 2.6.x). To get the hashes right, /etc/gosa/gosa.conf has to be changed (first back up the file). Replace the string

"perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen \$ARGV), $/;""

with

'perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen %password), $/;"'

Then all user passwords have to be changed using GOsa. Connections should then be possible using the new password, empty passwords should fail. Please test if this works for Windows clients.

At the moment Arne cannot join the domain with his machines. So Arne, you can only test with non-domain workstations.

I still have the domain joining on my list.

Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: email@example.com, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
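
Added example, not part of the original thread and not GOsa or Debian Edu code: a Python check over an LDIF export of the user tree that lists accounts whose Samba hash attributes hold the well-known hash of the empty password. It assumes that "empty hashes" in the message above means the values a hash helper produces when handed no password, and that the hashes are stored in the Samba schema attributes sambaLMPassword and sambaNTPassword; the sample LDIF and function names are constructed.

```python
import base64

# Well-known LM/NT hashes of the empty password, i.e. what a hash helper
# returns when it is handed no password at all.
EMPTY_HASH = {
    "sambalmpassword": "AAD3B435B51404EEAAD3B435B51404EE",
    "sambantpassword": "31D6CFE0D16AE931B73C59D7E0C089C0",
}

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> last value."""
    # Unfold continuation lines (a line starting with one space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.strip().lower()] = value.strip()
        if "dn" in entry:
            yield entry

def find_empty_password_hashes(ldif_text):
    """Return [(uid, [attributes holding the empty-password hash])]."""
    findings = []
    for entry in parse_ldif(ldif_text):
        hits = sorted(attr for attr, empty in EMPTY_HASH.items()
                      if entry.get(attr, "").upper() == empty)
        if hits:
            findings.append((entry.get("uid", entry["dn"]), hits))
    return findings

# Constructed sample export; names and the non-empty hash values are made up.
SAMPLE_LDIF = """\
dn: uid=teacher1,ou=people,dc=example,dc=org
uid: teacher1
sambaLMPassword: AAD3B435B51404EEAAD3B435B51404EE
sambaNTPassword: 31d6cfe0d16ae931b73c59d7e0c089c0

dn: uid=student1,ou=people,dc=example,dc=org
uid: student1
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
"""

if __name__ == "__main__":
    for uid, attrs in find_empty_password_hashes(SAMPLE_LDIF):
        print(uid, "has the empty-password hash in:", ", ".join(attrs))
```

Running it again after the passwords have been changed through GOsa should return no accounts; an account that is still listed has not had its password reset.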