(Apologies to the list for the double posting... I was having email issues and wasn't sure that my emails were even leaving my domain.)
> From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 9:51 PM
>
> You should never use pam_smb. You should always use pam_winbind, particularly as you are already using winbindd :-)

Are there security problems with pam_smb? I know that its only apparent function is to validate passwords on a Samba/NT server. It lacks much of the functionality for which I am looking.

> The idmap ldap backend is about ensuring a consistent UID mapping on each machine, so things like NFS do not break.
>
> > However, with the latter, all the features that winbind supports are lost since winbind is not running on the local machine (such as changing one's password) so I currently see no other way of implementing winbind.
>
> Why are you not running winbind on each machine? I'm a bit confused - the idea is that you run winbindd on each client, so that they can participate in the domain.

Believe me, I have been quite confused myself! I was originally led to believe that winbind belonged only on a server and that clients did not need it at all, that somehow they accessed the server for winbind support. I have learned since that this is definitely not the case.

> > What will keep a user from reading /var/cache/samba/winbind_cache.tdb and winbind_idmap.tdb? I know that the owner is root and that each has the permissions 0600 (idmap had 0644, but I changed it to 0600). Despite that, isn't it easy enough for a user to crack the filesystem and gain access to these databases if so he/she wished?
>
> Indeed - but they could also run 'getent group' and 'getent passwd' - it's much faster ;-). This information is available to any user who is in the domain.

I found out that setting winbind enum users=no and winbind enum groups=no prevents getent from displaying domain information. I am unsure of the potential consequences of turning off enumeration, though.
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
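The two hardening points raised in the thread, the winbind enumeration parameters and the permissions on the winbind tdb files, as an added audit script that is not from the thread or the Samba project. It assumes GNU stat (a Linux Samba host) and takes the smb.conf path and tdb paths from the caller; the sample config in comments is constructed.

```sh
#!/bin/sh
# Added audit helper (not from the thread): reports whether "winbind enum users"
# and "winbind enum groups" are explicitly disabled in an smb.conf, and whether
# a winbind tdb file is mode 0600 and owned by the expected user.
# Assumes GNU stat; parameter names are matched the way Samba does it
# (case-insensitive, internal whitespace ignored), last [global] occurrence wins.

# winbind_enum_setting CONF KEY -> prints yes, no, unset, or the raw value.
winbind_enum_setting() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !insec { next }
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            n = index($0, "="); if (n == 0) next
            k = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, n + 1));   gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v
        }
        END {
            if (last == "yes" || last == "true" || last == "1") print "yes"
            else if (last == "no" || last == "false" || last == "0") print "no"
            else if (last == "") print "unset"
            else print last
        }' "$1"
}

# winbind_enum_report CONF -> prints "users=<v> groups=<v>"; exits 0 only when
# both parameters are explicitly "no", the state described in the thread.
winbind_enum_report() {
    u=$(winbind_enum_setting "$1" "winbind enum users")
    g=$(winbind_enum_setting "$1" "winbind enum groups")
    printf 'users=%s groups=%s\n' "$u" "$g"
    [ "$u" = no ] && [ "$g" = no ]
}

# tdb_perms_ok FILE [OWNER] -> exits 0 when FILE is mode 0600 and owned by
# OWNER (default root, as for /var/cache/samba/winbind_*.tdb); else reports and exits 1.
tdb_perms_ok() {
    want=${2:-root}
    info=$(stat -c '%a %U' "$1" 2>/dev/null) || return 1
    mode=${info% *}; owner=${info#* }
    [ "$mode" = 600 ] && [ "$owner" = "$want" ] && return 0
    printf '%s: mode %s owner %s (expected 0600 %s)\n' "$1" "$mode" "$owner" "$want" >&2
    return 1
}

# Usage: winbind_enum_report /etc/samba/smb.conf
#        tdb_perms_ok /var/cache/samba/winbind_idmap.tdb
```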
