On Tue, Jan 10, 2006 at 08:29:22PM +1100, Andrew Bartlett wrote:
> On Tue, 2006-01-10 at 06:55 +0100, Christian Perrier wrote:
> > > All other system users will be allowed in, if they have a valid password
> > > when the smbpasswd is generated. I don't really see what's the need
> > > to have admin users like gdm, sshd, bin, daemon, sys, or identd (some
> > > of those are created by packages and are not default system users) allowed
> > > access through SMB. Granted, they don't have a valid password in most
> > > systems

> Indeed.  Just as these accounts don't have a password in /etc/passwd,
> they should exist as disabled accounts in Samba.

> > > but it might be better off, just in case, to improve the postinst
> > > so that only local users (i.e. uid over FIRST_UID as defined in
> > > adduser.conf) are added to the smbpasswd file.

> > > That could be a debconf question if the user asked to automatically
> > > generate the smbpasswd file. Something like: "Do you want to add the
> > > admin users to smbpasswd?" (low priority defaulting to 'no')

> > My own opinion: I agree with Javier on the main idea of the bug
> > report. However, I don't think that the system users automatic
> > addition deserves a debconf question. I really see no point in
> > allowing system users to have a SMB "account" in a default setup
> > (which is what the automatically generated smbpasswd file is).

> > So I think we should keep it simple and just remove system users from
> > the list.

> > Be aware that adduser is not necessarily installed on all systems, so
> > a backup value (1000 probably) for the lowest UID should probably be used.

> All users should be added to the database, if they are going to own
> files or otherwise be visible in any way from the windows world.  This
> doesn't mean that they should have a valid login account (they should be
> disabled: double-check that). 

# pdbedit -u man -w
man:6:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
#

IIRC, the '[D' indicates 'disabled'; and TTBOMK, that flag is being set upon
import using pdbedit.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
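
The check discussed in this thread, as an added example that is not part of the original message or of the Samba packaging: it reads FIRST_UID from adduser.conf (falling back to 1000 when adduser is absent) and lists accounts below that uid whose smbpasswd flags lack 'D'. The function names and the sample records are constructed for illustration; the input is assumed to be in the format printed by `pdbedit -u man -w` above.

```shell
#!/bin/sh
# Added example: find system accounts that are NOT disabled in smbpasswd data.

# Print FIRST_UID from an adduser.conf-style file. Falls back to 1000 when
# the file is missing or has no numeric FIRST_UID= line.
first_uid() {
    conf=${1:-/etc/adduser.conf}
    val=""
    if [ -r "$conf" ]; then
        val=$(sed -n 's/^FIRST_UID=\([0-9][0-9]*\).*$/\1/p' "$conf" | tail -n 1)
    fi
    echo "${val:-1000}"
}

# Read smbpasswd-format lines (name:uid:LM:NT:[flags]:LCT-...:) on stdin and
# print the name of every account with uid below $1 whose flags lack 'D'.
enabled_system_accounts() {
    awk -F: -v min="$1" '
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        NF < 5 || $2 !~ /^[0-9]+$/ { next }   # malformed records
        $2 + 0 < min + 0 && $5 !~ /^\[[^]]*D/ { print $1 }
    '
}

# Constructed sample records: hashes are X placeholders as in the quoted
# pdbedit output; the enabled "bin" entry and user "alice" are made up.
sample_records() {
    cat <<'EOF'
man:6:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
bin:2:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
alice:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
EOF
}

# Demo on the constructed sample: only "bin" is a system account left enabled.
sample_records | enabled_system_accounts "$(first_uid)"
```
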
