Gerald (Jerry) Carter wrote:
Sergey Loskutov wrote:
| Hello!
|
| Before this post, I sent 3 problems in 3.0.11.
| I compiled 3.0.12rc1 and found the following:
|
| 1) Setting the primary group .... problem solved, but a question to the developer.
| You appended to mapping.c in smb_set_primary_group:
| ret = smbrun(add_script,NULL);
| flush_pwnam_cache();
| ^^^^^^^^^^^^^^^^^^^^
| But you do not check the ret code ..... if my script exits with code != 0, the
| primary group still gets changed ... ( is the "set primary group" script still needed ? )
It's just flushing the internal pwnam cache. Semantically this is ok. Probably not optimal. I'll look at it later.
I know that you're flushing the cache... but thank you.
| 3) I analyzed problem 1
| ( a user who does not have the "add machine account" privilege )
|
| In the function _samr_create_user ( srv_samr_nt.c ) you have this code:
|
| if ( can_add_account )
| become_root();
|
| And if the user does not have the privilege (user|machine), you MAY CREATE A USER (
| posix account or machine account ) through the SCRIPT :(((((
|
| I changed the code to:
|
| if ( can_add_account == False ) {
| return NT_STATUS_ACCESS_DENIED;
| }
| This fixed the problem ....
| I did a simple test and it works correctly, ... but I did
| not do a full test.
I've thought about this before. The problem is actually that your 'add user script' can be run successfully as a non-root user. A simple 'chmod 700 <script>; chown root <script>' will solve this. I'll look at it some more but this is not a pressing issue I don't think. smbd is not doing anything that the normal user couldn't do anyways. And your fix doesn't cover all the possible scenarios (e.g. root user with no assigned privileges should still be able to join clients to the domain).
NO NO NO, setting chmod or chown ..... Why do we need privileges then? :) I want to set the "add machine" privilege for a user who is not a member of root ....
Sample :)
chmod 770 <script>; chown root."smart man" <script>
Looks good :)
User: John ( member of "smart man" )
User: Leon ( member of "smart man" )
I want to give the privilege to John, but not to Leon ... :)
Why must I use setfacl|getfacl ..... I have privileges ..... your decision ... bad
And anyway, a user who has uidNumber == 0 and does not have privileges is not able to join machines and users ;) I checked this before sending the code.
And why do I permit executing the script if the code semantics do not allow using ldap for non-members of root ? Check your ldap code ;)
Thank you for your help !
Sergey Loskutov
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
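The two points argued in this thread can be shown side by side in a small model: first, that the exit code of the "set primary group" script should decide whether the change is treated as successful, and second, the difference between only gating become_root() on the privilege and refusing the request outright. The block below is an added example written for this page; it is not Samba source. The names run_script, set_primary_group_checked, create_user_before, create_user_after and the status_t values are hypothetical stand-ins for smbrun(), smb_set_primary_group, _samr_create_user and NTSTATUS, no process is spawned (a constructed table supplies exit codes), and the can_add_account rule follows Jerry's description that root keeps the right even without an assigned privilege.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical status codes standing in for Samba's NTSTATUS values. */
typedef enum {
    STATUS_OK = 0,
    STATUS_ACCESS_DENIED = 1,
    STATUS_UNSUCCESSFUL = 2
} status_t;

/* Stand-in for smbrun(): nothing is executed. A constructed table maps
 * script names to the exit code the script would have returned. */
static int run_script(const char *script)
{
    if (strcmp(script, "/usr/local/sbin/setgroup-ok") == 0)    return 0;
    if (strcmp(script, "/usr/local/sbin/setgroup-fails") == 0) return 1;
    return 127; /* script not found */
}

/* Counters modelling the side effects of the real code. */
static int pwnam_cache_flushes = 0;
static int script_runs = 0;
static bool running_as_root = false;

static void flush_pwnam_cache(void) { pwnam_cache_flushes++; }
static void become_root(void)       { running_as_root = true; }
static void unbecome_root(void)     { running_as_root = false; }

/* Point 1: the script's exit code decides whether the change is reported
 * as successful and the cache is flushed; a failing script changes nothing. */
status_t set_primary_group_checked(const char *script)
{
    int ret = run_script(script);
    if (ret != 0)
        return STATUS_UNSUCCESSFUL;
    flush_pwnam_cache();
    return STATUS_OK;
}

/* Point 3: who may create an account. Root keeps the right without an
 * assigned privilege (Jerry's description); others need the privilege. */
typedef struct {
    bool is_root;
    bool has_add_privilege;
} caller_t;

static bool can_add_account(caller_t c)
{
    return c.is_root || c.has_add_privilege;
}

/* The pattern Sergey objected to: the privilege only decides whether the
 * add user script runs as root; the script runs in every case. */
status_t create_user_before(caller_t c)
{
    bool allowed = can_add_account(c);
    if (allowed) become_root();
    script_runs++;                 /* script runs regardless of privilege */
    if (allowed) unbecome_root();
    return STATUS_OK;
}

/* His fix: refuse the request before the script is reached. */
status_t create_user_after(caller_t c)
{
    if (!can_add_account(c))
        return STATUS_ACCESS_DENIED;
    become_root();
    script_runs++;
    unbecome_root();
    return STATUS_OK;
}

/* Accessors and reset so each scenario can be checked from a clean state. */
void reset_counters(void)
{
    pwnam_cache_flushes = 0;
    script_runs = 0;
    running_as_root = false;
}
int  cache_flushes(void) { return pwnam_cache_flushes; }
int  scripts_run(void)   { return script_runs; }
bool root_now(void)      { return running_as_root; }
```

With create_user_before, a caller holding neither root nor the privilege still reaches the script (only without become_root), which is why the thread turns to the script's own file permissions; with create_user_after the script is never reached for such a caller, while root and a privileged user both succeed.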
