[Pkg-samba-maint] Bug#385372: This

Joe C. K. Yau jckyau at Comp.HKBU.Edu.HK
Tue Jul 24 08:22:04 UTC 2007


On Tue Jul 24 15:12:41 2007,
Steve Langasek <vorlon at debian.org> wrote:
> 
> [ Deleted ]
> 
> I'm not sure why plaintext passwords should affect the use of 'valid users =
> %S'; that should not change how the username is resolved.
> 
> But why do you have winbind running on a system where you're trying to use
> plaintext passwords?  Or put differently, why are you using plaintext
> passwords on a system that has winbind?
> 
> winbind is for NT domain integration.  If you have an NT domain, you
> shouldn't need to resort to plaintext passwords; and indeed, I would expect
> that 'encrypt passwords = false' would cause problems for the domain
> operation.
> 
> [ Deleted ]
> 
> Recent versions of samba fixed a security hole in the parsing of
> preexec/postexec commands by trimming all shell special characters.  I
> believe this includes '>'.  You would need to create a short script to
> handle the redirection to the named logfile.
> 
> [ Deleted ]
> 
> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> vorlon at debian.org                                   http://www.debian.org/
> 

Based on what you have suggested, I have done two things:

  (1) disabled winbindd
  (2) updated my smb.conf  (see below)
  (3) created a script for the connection logging I had before

<=========================v=v=v= Config (v2) =v=v=v=========================>

  [global]
    workgroup = AlwaysBIG
    encrypt passwords = false
    root preexec =  /bin/bash /etc/samba/connection.sh CONNECT    %T %S %P %U %m
    root postexec = /bin/bash /etc/samba/connection.sh DISCONNECT %T %S %P %U %m

  [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0700
    directory mask = 0700
    valid users = %S

<=========================^=^=^= Config (v2) =^=^=^=========================>

As suggested, I disabled winbindd, and tried to include the "valid users" 
option, but it still failed on me.  I couldn't connect to the server,
and the symptom is similar to what I had before.

I also updated my smb.conf, and revised the "root preexec" and "root
postexec" options.  I also created a script for doing the logging, but,
still, nothing gets logged.

I really don't understand why.  I am puzzled.  Any help??

-- 
Joe C.K. Yau
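
One way to write the wrapper script suggested in the quoted reply, so that the redirection to the logfile happens inside the script instead of on the preexec/postexec line. This is an added example, not code from this thread or from Samba. The log path, the SAMBA_CONN_LOG variable and the function names are assumptions; the script name and calling convention are taken from the Config (v2) above.

```shell
#!/bin/bash
# Added example for /etc/samba/connection.sh (not the script from this thread).
# Called as: connection.sh CONNECT|DISCONNECT <substituted values...>
# Assumption: the log path below is a placeholder; override with SAMBA_CONN_LOG.
LOGFILE="${SAMBA_CONN_LOG:-/var/log/samba/connections.log}"

# Map every byte outside a small allow-list to '?'. %U and %m come from the
# client, so spaces, newlines and shell metacharacters must not reach the log.
sanitize() {
    if [ -z "$1" ]; then printf '%s' '-'; return 0; fi
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_.:/@+-' '?'
}

# Build one log line: the event keyword followed by each sanitized argument.
# Substituted values may contain spaces, so no fixed positions are assumed.
format_entry() {
    _event="$1"
    case "$_event" in
        CONNECT|DISCONNECT) shift ;;
        *) return 1 ;;          # refuse anything but the two known events
    esac
    _line="$_event"
    for _arg in "$@"; do
        _line="$_line $(sanitize "$_arg")"
    done
    printf '%s\n' "$_line"
}

# Append the entry; the redirection happens here, inside the script, so
# smb.conf needs no '>' on the preexec/postexec line.
log_connection() {
    _entry="$(format_entry "$@")" || return 1
    ( umask 077; printf '%s\n' "$_entry" >> "$LOGFILE" )
}

# Entry point when Samba runs the script with arguments.
if [ "$#" -gt 0 ]; then
    log_connection "$@"
fi
```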



