I have recompiled samba-2.2.3a from debian.security.org with LDAP support. I have also created a samba-ldap package to bind the samba package to the one compiled with LDAP support.

Both Petter Reinholdsen, responsible for the Skolelinux architecture, and the Security Team have some thoughts about security on this package, so it may or may not become a part of Skolelinux.

The security concern is: Samba, the way it is set up now, needs write access to the LDAP DB. This is done by creating an smbadmin, which is allowed to create accounts, both posixAccount and sambaAccount, but is not able to update the userPassword. It _is_ able to update/set the two passwords in use for Samba, namely ntPassword and lmPassword. I have tried to limit access to only those two plus the lastChanged entry, but then I was not able to add samba users or samba workstation accounts.

When set up, Samba needs to have a root account, to be able to add workstation accounts. Initially this account's password is set to be the same as the LDAP administrator account's. You may however change this by running "smbpasswd -a root".

Okay, how to test then:

- have a somewhat fresh installation of main-server
- have wlus >= 1.2-15
- install samba-ldap
- make sure that nscd is stopped while adding users
- add some users, which will then have samba passwords

Unless you stop nscd while adding users, you will not be able to create working samba users. And unless you have added some users after you added samba-ldap, you will not be able to log in. If you want to use your existing users, you have to give them a password by running "smbpasswd -a <username>".

If you don't like the idea of letting other users know your root account password for the main-server, you may change the password (or set it, if not already done) with "smbpasswd -a root". This password is to be used when adding Win2k (and hopefully WinXP) workstations to the Skolelinux domain.

Join the Win2k workstation to the domain by right-clicking on "My Computer", selecting Properties, selecting "Network identification", then Properties.

If your computer is already a member of the domain "Skolelinux", make it a member of a workgroup, say "Bzzware.org". This is done by clicking the radio button "Workgroup", entering "bzzware.org" in the textbox below, and pressing OK. After some seconds you will get a greeting welcoming you to the workgroup "bzzware.org". Click OK, and you will be told to reboot before the changes take effect. Ignore that message by clicking OK.

Then click "Properties" again, click on the radio button "Domain", and enter "skolelinux" in the textbox below. Click OK, and you will be prompted for a name/password: enter the name "root", and the password should be the LDAP administrator password (the initial root password), then press OK. After some time you will get a "Welcome to the skolelinux domain". Press OK. Then you will get a message to "reboot before the changes take effect". Press OK. In the "System properties" box, press OK, and you get a new box asking whether you want to reboot. Press Yes.

Then you may log into your system with an account created by WLUS.

Now, how can you get these nice packages? For now they reside in the woody-test source, and you may get them by adding this source to your /etc/apt/sources.list. But I've also added a samba-ldap source which will give you just the packages needed, by adding the line

deb http://ftp.skolelinux.no/skolelinux woody samba-ldap

to your /etc/apt/sources.list. Then run "apt-get update" and finally "apt-get install samba-ldap".

-- 
Finn-Arne Johansen
[EMAIL PROTECTED]
http://bzz.no/
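As an added illustration of the access split described in the post above (this is not code from the post, from the samba-ldap package, or from Skolelinux), here is how the smbadmin restriction might be written as OpenLDAP slapd.conf access directives. The suffix, the admin and smbadmin DNs, and the samba 2.2 schema attribute names (lmPassword, ntPassword, and pwdLastSet for what the post calls the lastChanged entry) are assumptions; adjust them to the actual directory.

```conf
# Added example, not part of the original post or the samba-ldap package.
# Assumed names: suffix dc=skole,dc=skolelinux,dc=no,
#                LDAP administrator cn=admin,dc=skole,dc=skolelinux,dc=no,
#                Samba's account     cn=smbadmin,dc=skole,dc=skolelinux,dc=no.
# slapd evaluates "access to" clauses in order and uses the first one whose
# target matches, so the attribute-specific clauses must precede "access to *".

# userPassword: writable by the directory admin and by the user itself.
# smbadmin is deliberately limited to "auth" (may bind, may not read or write),
# so a leaked smbadmin credential cannot reset Unix/login passwords.
access to attrs=userPassword
        by dn="cn=admin,dc=skole,dc=skolelinux,dc=no" write
        by dn="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" auth
        by self write
        by anonymous auth
        by * none

# The LM/NT hashes plus pwdLastSet: smbpasswd (running as smbadmin) must be
# able to set them. Nobody else may read them, because these hashes are
# password-equivalent for SMB authentication.
access to attrs=lmPassword,ntPassword,pwdLastSet
        by dn="cn=admin,dc=skole,dc=skolelinux,dc=no" write
        by dn="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
        by * none

# Everything else under the suffix: smbadmin gets write so that it can add new
# posixAccount/sambaAccount entries for users and for workstation ("name$")
# accounts. The post reports that narrowing smbadmin to only the three
# password attributes breaks account creation; this broad grant is the part
# the security concern is about.
access to *
        by dn="cn=admin,dc=skole,dc=skolelinux,dc=no" write
        by dn="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
        by * read
```

A quick check after reloading slapd: binding as smbadmin and running ldapmodify with a "replace: userPassword" against a user entry should be refused with "Insufficient access", while the same modification of ntPassword and lmPassword should succeed. The trade-off the post points at is visible in the last clause: it is what lets smbadmin add entries, and it also lets anyone holding the smbadmin credential rewrite every non-password attribute of existing accounts, including uidNumber and homeDirectory of a posixAccount.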

