On Tue, 2006-01-10 at 06:55 +0100, Christian Perrier wrote:
> > All other system users will be allowed in, if they have a valid password
> > when the smbpasswd is generated. I don't really see what's the need
> > to have admin users like gdm, sshd, bin, daemon, sys, or identd (some
> > of those are created by packages and are not default system users) allowed
> > access through SMB. Granted, they don't have a valid password in most
> > systems

Indeed.  Just as these accounts don't have a password in /etc/passwd,
they should exist as disabled accounts in Samba.

> > but it might be better off, just in case, to improve the postinst
> > so that only local users (i.e. uid over FIRST_UID as defined in 
> > adduser.conf)
> > are added to the smbpasswd file. 
> > 
> > That could be a debconf question if the user asked to automatically generate
> > the smbpasswd file. Something like : "Do you want to add the admin users to
> > smbpasswd?" (low priority defaulting to 'no') 
> 
> 
> My own opinion: I agree with Javier on the main idea of the bug
> report. However, I don't think that the system users automatic
> addition deserves a debconf question. I really see no point in
> allowing system users to have a SMB "account" in a default setup
> (which is what the automatically generated smbpasswd file is).
> 
> So I think we should keep it simple and just remove system users from
> the list.
> 
> Be aware that adduser is not necessarily installed on all systems, so
> a backup value (1000 probably) for the lowest UID should probably be used.

All users should be added to the database, if they are going to own
files or otherwise be visible in any way from the windows world.  This
doesn't mean that they should have a valid login account (they should be
disabled: double-check that). 

As we move more and more down the path of samba correctness, the issue
of accounts that exist in unix but not in the Samba database becomes
increasingly painful.  Things work better if they are all there. 

Feel free to bring this up on samba-technical for a fuller discussion.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
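
The UID cutoff discussed in this thread, as an added example that is not part of the original message or of the Samba package's postinst: it reads FIRST_UID from an adduser.conf-style file, falls back to 1000 when the file is absent, and labels each passwd entry as "system" or "user". The function names, the constructed sample data, and the treatment of UID 65534 (Debian's "nobody") as a system account are assumptions of this example.

```shell
#!/bin/sh
# Added example: split passwd entries at the FIRST_UID cutoff.
# File paths are parameters so the functions can run on constructed samples.

# Print FIRST_UID from an adduser.conf-style file; fall back to 1000 when the
# file is missing (adduser not installed) or holds no plain numeric value.
first_uid() {
    conf=${1:-/etc/adduser.conf}
    val=
    if [ -r "$conf" ]; then
        val=$(sed -n "s/^[[:space:]]*FIRST_UID=[\"']\{0,1\}\([0-9][0-9]*\).*/\1/p" "$conf" | tail -n 1)
    fi
    case $val in
        ''|*[!0-9]*) echo 1000 ;;
        *) echo "$val" ;;
    esac
}

# Read passwd-format lines and print "name<TAB>class". "system" accounts are
# the ones to leave out of smbpasswd, or to add only as disabled entries.
classify_accounts() {
    passwd=$1
    cutoff=$2
    awk -F: -v min="$cutoff" '
        $1 == "" || $3 !~ /^[0-9]+$/ { next }   # skip malformed lines
        # Assumption: 65534 is "nobody" and counts as a system account.
        { cls = ($3 + 0 >= min && $3 != 65534) ? "user" : "system"
          printf "%s\t%s\n", $1, cls }' "$passwd"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data, not taken from a real system.
    printf 'FIRST_UID=1000\n' > "$tmp/adduser.conf"
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:101:65534::/var/run/sshd:/bin/false
gdm:x:106:111:Gnome Display Manager:/var/lib/gdm:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
    classify_accounts "$tmp/passwd" "$(first_uid "$tmp/adduser.conf")"
    rm -rf "$tmp"
}
demo
```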
