
Re: Bug#718865: Update and minimize /etc/samba/smbldap-machineadd-gosa



Hi Wolfgang,

On Fr 16 Aug 2013 11:42:43 CEST Wolfgang Schweer wrote:

On Mon, Aug 12, 2013 at 07:09:34AM +0200, Arne Sørli wrote:
[Petter Reinholdtsen]
> I noticed a really scaring thing:
> Logged in as a student using a teacher's uid with the above command, I'm
> able to get/put/rename/delete files and dirs, cause I seem to get the
> smb shell under that uid. Something seems to be misconfigured.
>
> Can someone try to reproduce this behaviour?

Yes, I got the same behaviour from XP SP3.

Could log in as a teacher only knowing the teacher uid (using no password) and
could then delete files and so on. The same thing for browsing
\\TJENER\<username> (not logged in).

Most probably all this was due to empty LM and NT password hashes stored
in LDAP, caused by changes in GOsa 2.7.4 (squeeze version was 2.6.x).

To get the hashes right, /etc/gosa/gosa.conf has to be changed (first
backup the file).

Replace the string

"perl -MCrypt::SmbHash -e &quot;print join(q[:], ntlmgen \$ARGV[0]), $/;&quot;"

with

'perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen %password), $/;"'

Then all user passwords have to be changed using GOsa. Connections
should then be possible using the new password, empty passwords should
fail.

Please test if this works for Windows clients.

At the moment Arne cannot join the domain with his machines. So Arne, you can only test with non-domain workstations.

I still have the domain joining on my list.

Mike


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
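An offline check for the condition Wolfgang describes above (empty LM and NT hashes stored in LDAP), added here as an example; it is not part of the bug report, GOsa or smbldap-tools. It parses an LDIF dump (as produced by e.g. `slapcat`; the sample below is constructed inline) and flags every `sambaSamAccount` entry whose `sambaNTPassword` or `sambaLMPassword` is missing, empty, not a 32-hex-digit hash, or equal to the well-known hash of the empty password. The entry DNs and uids are made up.

```python
"""Audit an LDIF export for Samba accounts with empty or broken password hashes.

Added example, not part of the Debian bug report. The sample LDIF below is
constructed; the hash constants are the well-known NT/LM hashes of the empty
password.
"""
import base64
import re

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample: one account with empty hashes (the bug), one with the
# empty-password hashes, one healthy account and one non-Samba account.
SAMPLE_LDIF = """\
dn: uid=teacher1,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: teacher1
sambaNTPassword:
sambaLMPassword:

dn: uid=blank1,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: blank1
sambaNTPassword: 31D6CFE0D16AE931B73C59D7E0C089C0
sambaLMPassword: AAD3B435B51404EEAAD3B435B51404EE

dn: uid=student1,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: student1
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=nosamba,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: nosamba
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of dicts (attribute -> list of values).

    Handles folded lines (continuation lines start with a space), comments,
    and base64 values ("attr:: ..."). Good enough for a slapcat dump.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                   # not an attribute line; ignore
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if current is None:
            current = {}
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_samba_hashes(entries):
    """Return (uid, attribute, problem) tuples for suspicious Samba hashes."""
    findings = []
    checks = (("sambaNTPassword", EMPTY_NT_HASH), ("sambaLMPassword", EMPTY_LM_HASH))
    for entry in entries:
        if "sambaSamAccount" not in entry.get("objectClass", []):
            continue
        uid = entry.get("uid", ["?"])[0]
        for attr, empty_hash in checks:
            values = entry.get(attr, [])
            if not values or values == [""]:
                findings.append((uid, attr, "missing-or-empty"))
            elif not HASH_RE.match(values[0]):
                findings.append((uid, attr, "malformed"))
            elif values[0].lower() == empty_hash:
                findings.append((uid, attr, "empty-password-hash"))
    return findings


if __name__ == "__main__":
    for uid, attr, problem in audit_samba_hashes(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: {attr} {problem}")
```

Run it against a real dump with `parse_ldif(open("dump.ldif").read())`; any `missing-or-empty` or `empty-password-hash` finding is an account that Samba may accept with no password, which is exactly the symptom reported above, and it should be fixed by resetting that user's password in GOsa after correcting gosa.conf.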
