Re: [Samba] Samba and winbind with LDAP IDMAP backend - user connects with Domain Admin permissions

2007-08-10 Thread simo
On Fri, 2007-08-10 at 09:40 -0700, Stang, Sharol wrote:
> 
>  [users]
> 
> comment = user's home directory
> 
> path = /mnt/cluster/home/users
> 
> force group = "Domain Admins" 

So if you force _everybody_ to be "Domain Admins", why do you expect them
not to be able to access something owned by "Domain Admins"?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Samba and winbind with LDAP IDMAP backend - user connects with Domain Admin permissions

2007-08-10 Thread Stang, Sharol
Hi,

Please Help! My normal users are able to gain access to all home
directories even though the group owner is Domain Admins. I have set the
permissions to 770 while testing and the group to Domain Admin on all
directories.

I have a Server2003 AD Domain with a clustered RHEL5 samba server for
the home directory. I am using samba 3.0.23 with Winbind and LDAP idmap
backend. This server is still in testing to replace a RH9 samba server.

Below I have listed the IDs of three users. One is a Domain Admin, the
others are normal users. The logs show the users initially logging in
with Domain Admins rights! (GID 5004)  I tried creating another group
called DADMIN and changing the ownership to that and had the same
result! The user would connect initially as group DADMIN.

id w11350
uid=5213(w11350) gid=5004(Domain Admins) groups=5004(Domain Admins),5000(Domain Users),5117(BUILTIN\administrators),5118(BUILTIN\users)

ls -l |grep w11350
drwxrwx---  14 w11350 Domain Admins  4096 Aug  9 12:52 w11350

id w11664
uid=5598(w11664) gid=5000(Domain Users) groups=5000(Domain Users),5118(BUILTIN\users)

ls -l |grep w11664
drwxrwx---   3 w11664 Domain Admins  4096 Aug  8 15:31 w11664

/var/log/samba/24001wk001.log
24001wk001 (x.151.18.23) signed connect to service users initially as user w11664 (uid=5598, gid=5004) (pid 5802)

id w10828
uid=6007(w10828) gid=5000(Domain Users) groups=5000(Domain Users),5118(BUILTIN\users)

ls -l |grep w10828
drwxrwx---  18 w10828 Domain Admins  4096 Jun 13 08:06 w10828

/var/log/samba/24001wk226.log
24001wk226 (x.151.19.7) signed connect to service users initially as user w10828 (uid=6007, gid=5004) (pid 23707)

I edited out the company names, but here is the smb.conf

[global]
workgroup = DOMAIN
realm = COMPANY.COM
netbios name = HSA-SMB
server string = HSA-SMB
interfaces = x.151.1.200
bind interfaces only = Yes
security = ADS
client schannel = No
password server = x.151.1.25 x.151.1.21
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
smb ports = 445
name resolve order = host wins bcast
server signing = auto
client use spnego = Yes
preferred master = No
local master = No
domain master = No
ldap admin dn = CN=Manager,DC=company,DC=com
ldap idmap suffix = ou=Idmap
ldap suffix = DC=company,DC=com
ldap ssl = no
lock directory = /var/cache/samba/HSA-SMB
pid directory = /var/run/samba/HSA-SMB
idmap backend = ldap:ldap://x.151.1.102
idmap uid = 5000-1
idmap gid = 5000-1
winbind cache time = 5
winbind use default domain = Yes
winbind nested groups = Yes
winbind enum users = Yes
winbind enum groups = Yes

[users]
comment = user's home directory
path = /mnt/cluster/home/users
force group = "Domain Admins"
create mask = 0770
directory mask = 0770
browseable = No
read only = No

Thank you so much for your help!

-sharol

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
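As an added example (not code from the thread or from the Samba project): a small Python check that cross-references the `id` output and the smbd "connect to service" log lines quoted in the post above and flags every connection whose effective gid is one the user does not actually hold, which is exactly the symptom a share-level `force group` produces. The two w11664/w10828 log lines and the three `id` lines are taken from the post; the w11350 connect line is constructed for contrast.

```python
import re

# Constructed sample input: `id` lines and smbd connect lines from the post
# above, plus one constructed connect line for the Domain Admin user w11350.
ID_OUTPUT = r"""
uid=5213(w11350) gid=5004(Domain Admins) groups=5004(Domain Admins),5000(Domain Users),5117(BUILTIN\administrators),5118(BUILTIN\users)
uid=5598(w11664) gid=5000(Domain Users) groups=5000(Domain Users),5118(BUILTIN\users)
uid=6007(w10828) gid=5000(Domain Users) groups=5000(Domain Users),5118(BUILTIN\users)
"""
SMBD_LOG = r"""
24001wk001 (x.151.18.23) signed connect to service users initially as user w11664 (uid=5598, gid=5004) (pid 5802)
24001wk226 (x.151.19.7) signed connect to service users initially as user w10828 (uid=6007, gid=5004) (pid 23707)
24001wk002 (x.151.18.30) signed connect to service users initially as user w11350 (uid=5213, gid=5004) (pid 5900)
"""

ID_RE = re.compile(r"uid=(\d+)\((\S+)\) gid=(\d+)\([^)]*\) groups=(.*)")
GROUP_ID_RE = re.compile(r"(\d+)\(")
CONNECT_RE = re.compile(
    r"connect to service (\S+) initially as user (\S+) \(uid=(\d+), gid=(\d+)\)"
)

def parse_id_output(text):
    """Map username -> (uid, primary gid, set of all gids) from `id` output lines."""
    users = {}
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            uid, name, gid, groups = m.groups()
            users[name] = (int(uid), int(gid), {int(g) for g in GROUP_ID_RE.findall(groups)})
    return users

def find_group_overrides(log_text, users):
    """Return (user, service, gid) for each connect whose gid is not one the user holds.

    A share-level 'force group' makes smbd adopt that gid for every session, so a
    user such as w11664 (only 5000 and 5118) shows up connecting with gid=5004.
    """
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        service, name, gid = m.group(1), m.group(2), int(m.group(4))
        if name in users and gid not in users[name][2]:
            findings.append((name, service, gid))
    return findings

if __name__ == "__main__":
    for name, service, gid in find_group_overrides(SMBD_LOG, parse_id_output(ID_OUTPUT)):
        print(f"{name} connected to [{service}] with gid {gid} it does not hold")
```

Feed it the real `id` output for each account and the `%m.log` files from the share host; only w11350, who genuinely is in Domain Admins, passes.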