Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
>
> The exception is much more than that - all sorts of things go over IPC$, and they are protected by their individual ACLs. Enumerating users, all sorts of things. Domain logons are a particular thing that occur initially as guest (pipe-level authentication is done on netlogon, likewise password changes are as guest).

Why should I be surprised that the implementation is not consistent with what they teach at the Microsoft NT System Administration class.

[snip]

>> There are many sites that have security standards that prohibit a guest account from being enabled.
>
> So what does 'ident' or 'echo' or 'time' run as?

Each runs on their own non-privileged account. If the ident service gets compromised, the cracker has no access to anything else on the machine. Same with echo or time. Of course this depends on the TCPIP program in use, and many of these well known services are usually not implemented.

Or even SMTP, BIND, IMAP. Even if a security hole is found in one of these, the privileges are limited. It is not usual on an OpenVMS system for TCP/IP services to run from the root account or with root privileges.

> That is the point of the guest account, Samba needs a user to become, an unprivileged user that cannot break the entire system if Samba were to accidentally allow file access, for example.
>
> So you propose having 2 accounts? We have the 'guest ok' parameter, NT ACLs and the 'restrict anonymous' parameter for controlling this kind of thing, I think adding a new smb.conf option would just break every site out there!

It may need to be something that is better documented especially for OpenVMS users as they appear to have a different view of account management.

I have a better understanding of this now than I did before. The guest account is not really a guest account. So it all really is a matter of the mapping between a NT security model and the host security model.

> On most other systems, we use the 'nobody' account, which already exists and requires no further configuration. The default configuration for 3.0 has a 'unixsam' backend, which maps this to the 501 rid. So by default, this looks exactly like NT.

The NOBODY account only exists if some UNIX compatible protocols such as NFS are enabled. It can not be relied on to exist on an OpenVMS system.

>> So while it may be technically correct that the NT GUEST account is used for some functions based on observations, the practice is not consistent with what Microsoft has been telling NT Administrators.
>
> It is consistent with what occurs on the wire, and really, that's the best we can do.

The behaviour that I would need to implement on OpenVMS to make SMBD behave as the System Administrators expect is: To have a SAMBA_GUEST account, but when it is used as an attempt to access a share, the SMBD server would pay attention to the disabled flag. When it is used for the other functions, the disabled flag would be ignored.

You indicate that SAMBA is using the Guest Ok parameter for this function. So to make OpenVMS behave as the System administrators expect, when SMBD checks the Guest Ok parameter on the share, the guest account also needs the enabled flag set. I wonder how difficult this would be to implement.

I would like to post a summary of this thread on the SAMBA-VMS list.

I am currently trying to learn enough LINUX to NFS map my VMS development disk to a LINUX system and use RSYNC on LINUX to get live updates on SAMBA, so I can start doing active development again since my move.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
On Wed, 2002-11-13 at 16:35, John E. Malmberg wrote:
> Andrew Bartlett wrote:
>> On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
>>
>> The exception is much more than that - all sorts of things go over IPC$, and they are protected by their individual ACLs. Enumerating users, all sorts of things. Domain logons are a particular thing that occur initially as guest (pipe-level authentication is done on netlogon, likewise password changes are as guest).
>
> Why should I be surprised that the implementation is not consistent with what they teach at the Microsoft NT System Administration class.

:-). However, teaching the full horrors of SMB probably would not help either :-).

> [snip]
>
>>> There are many sites that have security standards that prohibit a guest account from being enabled.
>>
>> So what does 'ident' or 'echo' or 'time' run as?
>
> Each runs on their own non-privileged account. If the ident service gets compromised, the cracker has no access to anything else on the machine. Same with echo or time. Of course this depends on the TCPIP program in use, and many of these well known services are usually not implemented.
>
> Or even SMTP, BIND, IMAP. Even if a security hole is found in one of these, the privileges are limited. It is not usual on an OpenVMS system for TCP/IP services to run from the root account or with root privileges.
>
>> That is the point of the guest account, Samba needs a user to become, an unprivileged user that cannot break the entire system if Samba were to accidentally allow file access, for example.
>>
>> So you propose having 2 accounts? We have the 'guest ok' parameter, NT ACLs and the 'restrict anonymous' parameter for controlling this kind of thing, I think adding a new smb.conf option would just break every site out there!
>
> It may need to be something that is better documented especially for OpenVMS users as they appear to have a different view of account management.
>
> I have a better understanding of this now than I did before. The guest account is not really a guest account. So it all really is a matter of the mapping between a NT security model and the host security model.
>
>> On most other systems, we use the 'nobody' account, which already exists and requires no further configuration. The default configuration for 3.0 has a 'unixsam' backend, which maps this to the 501 rid. So by default, this looks exactly like NT.
>
> The NOBODY account only exists if some UNIX compatible protocols such as NFS are enabled. It can not be relied on to exist on an OpenVMS system.

So all we need is to add an account in exactly the way ident, echo etc have.

>>> So while it may be technically correct that the NT GUEST account is used for some functions based on observations, the practice is not consistent with what Microsoft has been telling NT Administrators.
>>
>> It is consistent with what occurs on the wire, and really, that's the best we can do.
>
> The behaviour that I would need to implement on OpenVMS to make SMBD behave as the System Administrators expect is: To have a SAMBA_GUEST account, but when it is used as an attempt to access a share, the SMBD server would pay attention to the disabled flag. When it is used for the other functions, the disabled flag would be ignored.
>
> You indicate that SAMBA is using the Guest Ok parameter for this function. So to make OpenVMS behave as the System administrators expect, when SMBD checks the Guest Ok parameter on the share, the guest account also needs the enabled flag set. I wonder how difficult this would be to implement.

With Samba 3.0, almost trivial. An extra check in 'make_connection_snum()' should do it.

> I would like to post a summary of this thread on the SAMBA-VMS list.

I hope it has clarified things a little. CC it here, so I can make sure it's accurate. (The devil in these things is most certainly in the detail :-)

> I am currently trying to learn enough LINUX to NFS map my VMS development disk to a LINUX system and use RSYNC on LINUX to get live updates on SAMBA, so I can start doing active development again since my move.
>
> -John
> [EMAIL PROTECTED]
> Personal Opinion Only

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
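The decision the two of them are circling (a per-share 'guest ok' check, plus the extra "is the guest account enabled" test John wants in make_connection_snum(), while IPC$ traffic keeps working as guest) is easier to see as code. The following is an added model written for this page; it is not Samba source, the account, share and session records are simplified stand-ins for Samba's internal structures, the site configuration at the bottom is constructed, and the treatment of restrict anonymous = 2 follows Andrew's "I believe" and is an assumption.

```python
"""Model of the guest/null-session decision for a Samba share connection.

Constructed example, not Samba code. It models the per-share logic Andrew
describes for make_connection_snum() and adds the check John asks for:
a guest connection to a *file* share also requires the guest account to be
enabled, while IPC$ (browse lists, netlogon and other pipes) keeps working
as guest regardless of the account's disabled flag. The handling of
restrict anonymous = 2 is an assumption taken from the thread.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known domain RIDs (real Windows constants).
DOMAIN_USER_RID_ADMIN = 500
DOMAIN_USER_RID_GUEST = 501


@dataclass
class Account:
    name: str
    rid: int
    disabled: bool = False        # the host account's "disabled" flag


@dataclass
class Share:
    name: str
    guest_ok: bool = False        # smb.conf "guest ok"


@dataclass
class Globals:
    guest_account: Account        # smb.conf "guest account"
    restrict_anonymous: int = 0   # smb.conf "restrict anonymous" (0, 1 or 2)


@dataclass
class Session:
    user: Optional[Account] = None  # None means a null (anonymous) session


def is_ipc(share: Share) -> bool:
    return share.name.upper() == "IPC$"


def connection_allowed(g: Globals, share: Share, sess: Session) -> Tuple[bool, str]:
    """Decide a tree connect to `share`; returns (allowed, reason).

    Only the guest path is modelled: an authenticated user is passed on to
    the share's ACLs, which live elsewhere.
    """
    if sess.user is not None:
        return True, "authenticated as %s; ACLs decide" % sess.user.name

    guest = g.guest_account
    if guest.rid != DOMAIN_USER_RID_GUEST:
        # Samba 3.0 insists the guest account carry the well-known RID 501.
        return False, "guest account %s has rid %d, expected %d" % (
            guest.name, guest.rid, DOMAIN_USER_RID_GUEST)

    if is_ipc(share):
        # Assumption: restrict anonymous = 2 refuses anonymous IPC$ outright.
        if g.restrict_anonymous >= 2:
            return False, "restrict anonymous = %d refuses anonymous IPC$" % g.restrict_anonymous
        # Disabled flag deliberately ignored here: browsing and the netlogon
        # pipe must keep working even at sites that disable the guest account.
        return True, "anonymous IPC$ as %s (disabled flag ignored)" % guest.name

    if not share.guest_ok:
        return False, "share %s is not 'guest ok'" % share.name

    # John's proposed extra check: honour the disabled flag for file shares.
    if guest.disabled:
        return False, "guest account %s is disabled" % guest.name

    return True, "guest access to %s as %s" % (share.name, guest.name)


# Constructed configuration: an OpenVMS-style site that keeps the guest
# account disabled but still expects browsing to work.
SITE = Globals(guest_account=Account("SAMBA_GUEST", DOMAIN_USER_RID_GUEST, disabled=True))
PUBLIC = Share("public", guest_ok=True)
PRIVATE = Share("private", guest_ok=False)
IPC = Share("IPC$")
NULL_SESSION = Session()


def demo():
    """Map each share name to the decision a null session gets at SITE."""
    return {s.name: connection_allowed(SITE, s, NULL_SESSION)[0]
            for s in (IPC, PUBLIC, PRIVATE)}


if __name__ == "__main__":
    for share in (IPC, PUBLIC, PRIVATE):
        print(share.name, connection_allowed(SITE, share, NULL_SESSION))
```

With the guest account disabled, the model lets a null session reach IPC$ (so the browse list and the netlogon pipe still work) but refuses it on the 'guest ok' file share; flip `disabled` to False and the file share opens up, which is exactly the NT workstation behaviour John describes. The RID check at the top reflects Andrew's point that the guest account must be RID 501 before any of the rest is meaningful.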
Re: ldap_nua requires guest exist and have rid 501?
On Tue, 2002-11-12 at 10:59, Bradley W. Langhorst wrote:
> Is that statement true?

Yes, or also use the unixsam backend

> if so why?

Because the Guest account is a 'well known' account, and as such should have a fixed RID. This is enforced via the passdb backend because to do otherwise would have nasty consequences when mapping back and forth between uids and RIDs. (We are working hard to ensure that there is only one point at which uids and RIDs are mapped, and currently this is in the passdb.)

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
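Why pinning the guest RID in one place matters is clearer with a round-trip check. The block below is an added example for this page, not Samba code: it assumes the algorithmic uid-to-RID scheme (rid = uid * 2 + 1000 for users) that Samba fell back to when no passdb entry supplied a RID, which is the author's recollection rather than something the thread states, and it uses 65534 as an illustrative uid for 'nobody'. It shows that forcing the guest account to RID 501 only stays consistent when both directions of the mapping know about the special case, which is Andrew's argument for enforcing it inside passdb.

```python
"""uid <-> RID mapping with the guest account pinned at the well-known RID 501.

Constructed example, not Samba code. Assumptions: the algorithmic mapping
(user rid = uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE) is the fallback
Samba used at the time, and GUEST_UID = 65534 stands in for 'nobody'.
"""
ALGORITHMIC_RID_BASE = 1000     # assumption: Samba's default algorithmic base
RID_MULTIPLIER = 2              # assumption: users get even offsets, groups odd
DOMAIN_USER_RID_GUEST = 501     # real well-known RID
GUEST_UID = 65534               # illustrative uid for 'nobody'


def uid_to_rid_naive(uid):
    """Purely algorithmic mapping, no knowledge of well-known accounts."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def rid_to_uid_naive(rid):
    """Inverse of uid_to_rid_naive; rejects RIDs the scheme cannot have produced."""
    if rid < ALGORITHMIC_RID_BASE or (rid - ALGORITHMIC_RID_BASE) % RID_MULTIPLIER:
        raise ValueError("rid %d is not an algorithmic user rid" % rid)
    return (rid - ALGORITHMIC_RID_BASE) // RID_MULTIPLIER


def uid_to_rid(uid, guest_uid=GUEST_UID):
    """The passdb view: the guest uid is pinned to RID 501, everything else is algorithmic."""
    if uid == guest_uid:
        return DOMAIN_USER_RID_GUEST
    return uid_to_rid_naive(uid)


def rid_to_uid(rid, guest_uid=GUEST_UID):
    """Inverse of uid_to_rid, with the same special case."""
    if rid == DOMAIN_USER_RID_GUEST:
        return guest_uid
    return rid_to_uid_naive(rid)


def round_trips(uids, to_rid, to_uid):
    """Return the uids for which uid -> rid -> uid does not come back unchanged."""
    bad = []
    for uid in uids:
        try:
            back = to_uid(to_rid(uid))
        except ValueError:
            back = None
        if back != uid:
            bad.append(uid)
    return bad


SAMPLE_UIDS = [0, 1000, GUEST_UID]


def consistent_mapper_failures():
    """Both directions live in passdb and agree on the special case."""
    return round_trips(SAMPLE_UIDS, uid_to_rid, rid_to_uid)


def split_mapper_failures():
    """A second mapping point that does not know about RID 501."""
    return round_trips(SAMPLE_UIDS, uid_to_rid, rid_to_uid_naive)


if __name__ == "__main__":
    print("one mapping point, failures:", consistent_mapper_failures())
    print("two mapping points, failures:", split_mapper_failures())
```

The consistent pair round-trips every uid. The moment a second component maps RIDs back to uids on its own, the guest account breaks: 501 lies below the algorithmic base, so the naive reverse mapper cannot place it, and a client that has been told guest is RID 501 (because it must be, as a well-known account) no longer resolves to any local uid. That is the "nasty consequence" Andrew refers to, and the reason the pinning and the reverse mapping both sit in passdb.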
Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> Because the Guest account is a 'well known' account, and as such should have a fixed RID. This is enforced via the passdb backend because to do otherwise would have nasty consequences when mapping back and forth between uids and RIDs. (We are working hard to ensure that there is only one point at which uids and RIDs are mapped, and currently this is in the passdb.)

On a related note, does SAMBA still use the guest account in place of the (unknown) internal user for enumerating shares?

An NT client can not browse a SAMBA server with the guest account disabled, but having a guest account enabled is not required on an NT account to do the same thing.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
On Tue, 2002-11-12 at 13:16, John E. Malmberg wrote:
> Andrew Bartlett wrote:
>> Because the Guest account is a 'well known' account, and as such should have a fixed RID. This is enforced via the passdb backend because to do otherwise would have nasty consequences when mapping back and forth between uids and RIDs. (We are working hard to ensure that there is only one point at which uids and RIDs are mapped, and currently this is in the passdb.)
>
> On a related note, does SAMBA still use the guest account in place of the (unknown) internal user for enumerating shares?
>
> An NT client can not browse a SAMBA server with the guest account disabled, but having a guest account enabled is not required on an NT account to do the same thing.

A Samba server must have a guest account, and (now) it must have RID 501. I'm not sure the guest account is 'disabled' on NT, it is just that the groups it is given membership of changes. IE on NT, the restrictanonymous setting can remove 'guest' from domain users, and 'everyone'.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
Re: ldap_nua requires guest exist and have rid 501?
Andrew Bartlett wrote:
> On Tue, 2002-11-12 at 13:16, John E. Malmberg wrote:
>> On a related note, does SAMBA still use the guest account in place of the (unknown) internal user for enumerating shares?
>>
>> An NT client can not browse a SAMBA server with the guest account disabled, but having a guest account enabled is not required on an NT account to do the same thing.
>
> A Samba server must have a guest account, and (now) it must have RID 501. I'm not sure the guest account is 'disabled' on NT, it is just that the groups it is given membership of changes. IE on NT, the restrictanonymous setting can remove 'guest' from domain users, and 'everyone'.

The GUEST account can definitely be disabled on an NT workstation. You can not access shares through it when it is disabled, yet browsing works.

You can enable it and then access shares through the guest account. SAMBA should work the same way, but does not. This puts a minor security hole in SAMBA that is not present in Microsoft Windows NT.

Microsoft advises that the guest account be disabled if you are concerned about security, and on NT Servers it is disabled by default.

-John
[EMAIL PROTECTED]
Personal Opinion Only
Re: ldap_nua requires guest exist and have rid 501?
On Tue, 2002-11-12 at 14:48, John E. Malmberg wrote:
> Andrew Bartlett wrote:
>> On Tue, 2002-11-12 at 13:16, John E. Malmberg wrote:
>>> On a related note, does SAMBA still use the guest account in place of the (unknown) internal user for enumerating shares?
>>>
>>> An NT client can not browse a SAMBA server with the guest account disabled, but having a guest account enabled is not required on an NT account to do the same thing.
>>
>> A Samba server must have a guest account, and (now) it must have RID 501. I'm not sure the guest account is 'disabled' on NT, it is just that the groups it is given membership of changes. IE on NT, the restrictanonymous setting can remove 'guest' from domain users, and 'everyone'.
>
> The GUEST account can definitely be disabled on an NT workstation. You can not access shares through it when it is disabled, yet browsing works.

My point is that they do this by fiddling group membership. By disabling password access to that account, it is no longer a member of the authenticated users group, or something similar. This then fails certain NT ACL checks. The account certainly still exists, and is used even on NT servers. A *lot* of NT domain operations occur as guest.

> You can enable it and then access shares through the guest account. SAMBA should work the same way, but does not. This puts a minor security hole in SAMBA that is not present in Microsoft Windows NT.

As far as I know, we have the same defaults as NT. We do not offer shares to guest by default. Taking this further, MS implemented 'restrict anonymous' which removed further groups from the 'guest' account, making even connecting to IPC$ impossible at RestrictAnonymous=2 (I believe). We implement 'restrict anonymous = 1' as a smb.conf setting in Samba 3.0.

> Microsoft advises that the guest account be disabled if you are concerned about security, and on NT Servers it is disabled by default.

In Samba, access by the guest user is determined per-share, so I'm not sure exactly what you mean here.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
Re: ldap_nua requires guest exist and have rid 501?
On Tue, 2002-11-12 at 16:10, John E. Malmberg wrote:
> Andrew Bartlett wrote:
>> In Samba, access by the guest user is determined per-share, so I'm not sure exactly what you mean here.
>
> The NT behavior is that if the guest account is enabled, then if any shares have the everyone group associated with them, then the shares can be accessed from any LANMAN client on the network. The security log will log that the guest account was used to access the account. And the everyone group includes anyone on the network, not just the workgroup or the domain.
>
> If you set the disable flag for the guest account, then none of the shares will be accessible unless the user belongs to a group that is otherwise allowed access to the share. The exception is getting the browse list. This still works even if the guest account is disabled. And the security log does not register this as a guest access.

The exception is much more than that - all sorts of things go over IPC$, and they are protected by their individual ACLs. Enumerating users, all sorts of things. Domain logons are a particular thing that occur initially as guest (pipe-level authentication is done on netlogon, likewise password changes are as guest).

> This has bitten several OpenVMS users as they disable or do not create guest account because they do not plan to allow everyone on to access their shares. It has turned out to be one of the causes of the most common problems reported.
>
> Having the SAMBA guest account have different visible functionality than what is the visible behavior of Windows NT is going to be a continuing source of confusion.

As far as I can tell, it is quite consistent actually.

> It would be better to have a different name for the internal uses that are not directly visible, and have the guest account just be used for guest access. More politically correct and accurate.
>
> There are many sites that have security standards that prohibit a guest account from being enabled.

So what does 'ident' or 'echo' or 'time' run as?

That is the point of the guest account, Samba needs a user to become, an unprivileged user that cannot break the entire system if Samba were to accidentally allow file access, for example.

So you propose having 2 accounts? We have the 'guest ok' parameter, NT ACLs and the 'restrict anonymous' parameter for controlling this kind of thing, I think adding a new smb.conf option would just break every site out there!

On most other systems, we use the 'nobody' account, which already exists and requires no further configuration. The default configuration for 3.0 has a 'unixsam' backend, which maps this to the 501 rid. So by default, this looks exactly like NT.

> So while it may be technically correct that the NT GUEST account is used for some functions based on observations, the practice is not consistent with what Microsoft has been telling NT Administrators.

It is consistent with what occurs on the wire, and really, that's the best we can do.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net