On Wed, 2004-01-21 at 02:24, Shawn Iverson wrote:

> I am currently working on implementing unified logons between linux and win
> computers on an NT4 domain. I have a samba test server with winbind working
> properly. All is going well, except that I am concerned about the winbind
> idmap database stored on the local linux workstations. My current
> understanding of winbind is that it must be on every machine, unless a
> winbind samba ldap backend/pam_smb combination is used.

You should never use pam_smb. You should always use pam_winbind, particularly as you are already using winbindd :-)

The idmap ldap backend is about ensuring a consistent UID mapping on each machine, so things like NFS do not break.

> However, with the
> latter, all the features that winbind supports are lost since winbind is not
> running on the local machine (such as changing one's password) so I currently
> see no other way of implementing winbind.

Why are you not running winbind on each machine? I'm a bit confused - the idea is that you run winbindd on each client, so that they can participate in the domain.

> What will keep a user from reading /var/cache/samba/winbind_cache.tdb and
> winbind_idmap.tdb? I know that the owner is root and that each has the
> permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that,
> isn't it easy enough for a user to crack the filesystem and gain access to
> these databases if so he/she wished?

Indeed - but they could also run 'getent group' and 'getent passwd' - it's much faster ;-). This information is available to any user who is in the domain.

> I am especially concerned about this
> because the cache and idmap contain information on what users and groups
> exist on the network and who belongs to what group. Is this not a potential
> security concern? For example, if a user gained access to these databases,
> they could identify all domain administrator accounts, correct?
>
> Perhaps there is a way to implement winbind so as to not have the cache and
> idmaps stored locally and still retain winbind's functionality. If anyone
> knows how I would be very interested.

I think you are looking for problems that don't exist.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
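The setup the reply describes (winbindd on every client, with the idmap stored centrally in LDAP so each workstation allocates the same uid/gid for a given domain SID) corresponds to a Samba 3.0-era smb.conf like the one below. This is an added illustration, not configuration from the thread or from the Samba project; the domain name, LDAP host, suffixes and uid/gid ranges are assumed placeholders.

```ini
# Added example: smb.conf for a Linux workstation joined to an NT4 domain.
# winbindd runs locally (so pam_winbind, password changes, etc. work), but
# the SID<->uid/gid mapping lives in LDAP instead of the per-host
# /var/cache/samba/winbind_idmap.tdb, so NFS-exported files keep consistent
# ownership across workstations. All names below are assumed placeholders.
[global]
   workgroup = EXAMPLEDOM
   security = domain
   password server = *

   # winbindd settings; lookups are still cached locally in
   # /var/cache/samba/winbind_cache.tdb (root-owned, mode 0600)
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U

   # uid/gid range winbindd may allocate for domain accounts;
   # must be identical on every workstation sharing the LDAP idmap
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   # shared mapping store instead of the local winbind_idmap.tdb
   idmap backend = ldap:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Manager,dc=example,dc=com
```

The LDAP bind password for `ldap admin dn` is stored in secrets.tdb with `smbpasswd -w`, not in smb.conf.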
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
