# samba, LDAP and security [solved]

## GNUtoo

I have a security problem with samba...

In BackTrack, which is a security live CD (http://www.remote-exploit.org), there is a program called smbdumpusers:

```
smbdumpusers -i theipofthecomputer
```

and it gives nearly all my users (it doesn't work on my Windows computer).

So in the #gentoo-hardened channel they told me to change the backend in order to see if it's pam/passwd.

So I have done the following:

* re-emerged ldap and samba with the right USE flags, which are:

  -kerberos
  -samba
  -ldap

* started /etc/init.d/slapd

* modified the smb.conf file

```
passdb backend = ldapsam:ldap://127.0.0.1/
ldap passwd sync = Yes
ldap suffix = dc=ldap,dc=net
ldap admin dn = cn=root,dc=ldap,dc=net
ldap ssl = start tls
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
```

and it doesn't work. Why?

```
# smbldap-useradd -a samba
failed to perform search; No such object at /usr/sbin//smbldap_tools.pm line 362.
Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
```

From my log:

```
Jan 20 12:59:14 sempron slapd[10370]: conn=29 fd=15 ACCEPT from IP=127.0.0.1:4427 (IP=0.0.0.0:389)
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 20 12:59:15 sempron slapd[10370]: do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=1 BIND dn="cn=Manager,dc=idealx,dc=org" method=128
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=1 RESULT tag=97 err=49 text=
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=0 RESULT tag=120 err=2 text=unsupported extended operation
Jan 20 12:59:15 sempron rc-scripts: status:  stopped
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=2 SRCH base="dc=idealx,dc=org" scope=2 deref=2 filter="(&(?=undefined)(uid=samba))"
Jan 20 12:59:15 sempron slapd[10370]: do_search: invalid dn (sambaDomainName=IDEALX-NT,dc=idealx,dc=org)
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=3 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jan 20 12:59:15 sempron slapd[10370]: conn=29 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 20 12:59:15 sempron slapd[10370]: conn=29 fd=15 closed (connection lost)
```

By the way, I can't populate the database:

```
# smbldap-populate
Populating LDAP directory for domain IDEALX-NT (S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)
adding new entry: dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 2.
adding new entry: ou=Users,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 3.
adding new entry: ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 4.
adding new entry: ou=Computers,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 5.
adding new entry: ou=Idmap,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
adding new entry: sambaDomainName=IDEALX-NT,dc=idealx,dc=org
failed to add entry: no global superior knowledge at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 341.
```

Last edited by GNUtoo on Wed Mar 14, 2007 3:42 pm; edited 3 times in total

----------

## GNUtoo

I have updated all the configuration files, but now I still have an error:

```
# smbldap-populate
Populating LDAP directory for domain GNUtoo.org (S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)
adding new entry: dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 2.
adding new entry: ou=Users,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 3.
adding new entry: ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 4.
adding new entry: ou=Computers,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 5.
adding new entry: ou=Idmap,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
adding new entry: sambaDomainName=IDEALX-NT,dc=GNUtoo,dc=org
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 341.
```

----------

## GNUtoo

I solved it by editing smbldap_bind.conf.

----------

## GNUtoo

Now I have the following error:

```
# smbldap-useradd -a samba
Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
```

----------

## Roller

 *GNUtoo wrote:*   

> now i have the following error:
> 
> ```
> # smbldap-useradd -a samba
> 
> ...

 

I have the same problem.

Have you been able to solve this?

----------

## sschlueter

 *GNUtoo wrote:*   

> i have a security problem with samba...
> 
> in backtrack that is a security livecd (http://www.remote-exploit.org) there is a program called smbdumpusers
> 
> ```
> ...

 

This behavior can be controlled by a global parameter called "restrict anonymous":

 *Quote:*   

> restrict anonymous (G)
> 
> The setting of this parameter determines whether user and group list information is returned for an anonymous connection. and mirrors the effects of the
> 
>     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
> ...

 

----------

## GNUtoo

 *Roller wrote:*   

>  *GNUtoo wrote:*   now i have the following error:
> 
> ```
> # smbldap-useradd -a samba
> 
> ...

 

Yes, I've solved my problem, but I don't remember how...

Search for GNUtoo in the samba mailing list.

Maybe the response is here:

http://lists.samba.org/archive/samba/2007-January/subject.html

Last edited by GNUtoo on Wed Mar 14, 2007 3:02 pm; edited 1 time in total

----------

## GNUtoo

 *sschlueter wrote:*   

>  *GNUtoo wrote:*   i have a security problem with samba...
> 
> in backtrack that is a security livecd (http://www.remote-exploit.org) there is a program called smbdumpusers
> 
> ```
> ...

 

How do I add this?

Do I add:

"restrict anonymous = 1" in smb.conf?

----------

## GNUtoo

I added it to smb.conf and it works.

----------
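Both problems in this thread come down to a handful of configuration files agreeing with each other: the directory could not be populated because smb.conf pointed at `dc=ldap,dc=net` while the smbldap tools were still on their shipped `dc=idealx,dc=org` defaults (hence "no global superior knowledge", the err=49 bind failure and "modifications require authentication"), and anonymous user enumeration was open because `restrict anonymous` was left at its default of 0. The script below is an added example, not code from the thread or from Samba or smbldap-tools, that checks both offline: it parses smb.conf, smbldap.conf, smbldap_bind.conf and slapd.conf and reports the mismatches, and it tests whether `restrict anonymous` is at least 1. It assumes the smbldap.conf/smbldap_bind.conf key names `suffix`, `sambaDomain` and `masterDN` and slapd.conf's `suffix`/`rootdn`; all sample configs are constructed for the example and only mirror the values the thread shows.

```python
"""Added example (not from the thread, Samba or smbldap-tools): offline checks
on the config files a Samba+OpenLDAP setup depends on.

check_ldap_consistency(): do smb.conf, smbldap.conf, smbldap_bind.conf and
  slapd.conf agree on the suffix and on a bind DN slapd will accept?
anonymous_enumeration_allowed(): is 'restrict anonymous' still 0, so an
  anonymous IPC$ session may list users and groups (what smbdumpusers did)?
"""
import re


def parse_smb_conf(text):
    """Return {section: {key: value}}. Samba ignores case and whitespace in
    parameter names, so keys are normalised the same way ('Restrict Anonymous'
    -> 'restrictanonymous'). Only whole-line '#'/';' comments are recognised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def parse_kv(text):
    """Parse the key="value" style of smbldap.conf / smbldap_bind.conf and the
    'key value' style of slapd.conf. First occurrence of a key wins; the
    ${suffix} macro that smbldap.conf uses is expanded."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'(\w+)\s*(?:=\s*|\s+)(.*)$', line)
        if line and line[0] not in "#;" and m:
            conf.setdefault(m.group(1), m.group(2).strip().strip('"'))
    suffix = conf.get("suffix", "")
    return {k: v.replace("${suffix}", suffix) for k, v in conf.items()}


def norm_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under(dn, suffix):
    """True if dn is the suffix or lies beneath it (RDN boundary, not substring)."""
    dn, suffix = norm_dn(dn), norm_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def check_ldap_consistency(smb_conf, smbldap_conf, bind_conf, slapd_conf):
    """Return a list of findings; an empty list means the four files agree."""
    smb = parse_smb_conf(smb_conf).get("global", {})
    tools, bind, slapd = parse_kv(smbldap_conf), parse_kv(bind_conf), parse_kv(slapd_conf)
    served = slapd.get("suffix", "")
    findings = []
    # smbldap-populate adds entries under smbldap.conf's suffix; if slapd serves
    # no naming context above them it answers "no global superior knowledge".
    if not dn_under(tools.get("suffix", ""), served):
        findings.append(f"smbldap.conf suffix {tools.get('suffix')!r} is not served by slapd "
                        f"({served!r}): expect 'no global superior knowledge' from smbldap-populate")
    if not dn_under(smb.get("ldapsuffix", ""), served):
        findings.append(f"smb.conf 'ldap suffix' {smb.get('ldapsuffix')!r} is not served by slapd ({served!r})")
    if norm_dn(smb.get("ldapsuffix", "")) != norm_dn(tools.get("suffix", "")):
        findings.append("smb.conf 'ldap suffix' and smbldap.conf suffix differ: smbd and the "
                        "smbldap tools will search and write in different trees")
    # A write needs an accepted bind: slapd's rootdn, or an existing entry under
    # the served suffix that the ACLs let write. A DN outside the tree cannot
    # exist there, so the bind is rejected (err=49 in the thread's log) and an
    # add made without a bind gets "modifications require authentication".
    for label, dn in (("smb.conf 'ldap admin dn'", smb.get("ldapadmindn", "")),
                      ("smbldap_bind.conf masterDN", bind.get("masterDN", ""))):
        if norm_dn(dn) != norm_dn(slapd.get("rootdn", "")) and not dn_under(dn, served):
            findings.append(f"{label} {dn!r} is neither slapd's rootdn nor under its suffix; "
                            "binds with it fail (err=49) and writes are refused")
    return findings


def anonymous_enumeration_allowed(smb_conf):
    """True when anonymous IPC$ sessions may enumerate users and groups.
    'restrict anonymous' is an integer: 0 (default) imposes no restriction,
    1 requires an authenticated session for user/group lists, 2 refuses
    anonymous connections altogether."""
    value = parse_smb_conf(smb_conf).get("global", {}).get("restrictanonymous", "0")
    try:
        return int(value) < 1
    except ValueError:
        return True  # unparseable value: report it as unrestricted so it gets fixed


# Constructed samples modelled on the thread: smb.conf already points at
# dc=ldap,dc=net, the smbldap tools still carry the shipped idealx defaults.
SMB_CONF = """
[global]
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap suffix = dc=ldap,dc=net
    ldap admin dn = cn=root,dc=ldap,dc=net
    ldap ssl = start tls
    ldap user suffix = ou=Users
"""
SMB_CONF_HARDENED = SMB_CONF.replace("[global]", "[global]\n    restrict anonymous = 1")
SLAPD_CONF = 'database bdb\nsuffix "dc=ldap,dc=net"\nrootdn "cn=root,dc=ldap,dc=net"\n'
SMBLDAP_CONF_DEFAULT = 'suffix="dc=idealx,dc=org"\nusersdn="ou=Users,${suffix}"\nsambaDomain="IDEALX-NT"\n'
BIND_CONF_DEFAULT = 'masterDN="cn=Manager,dc=idealx,dc=org"\nmasterPw="secret"\n'
SMBLDAP_CONF_FIXED = SMBLDAP_CONF_DEFAULT.replace("dc=idealx,dc=org", "dc=ldap,dc=net")
BIND_CONF_FIXED = 'masterDN="cn=root,dc=ldap,dc=net"\nmasterPw="secret"\n'

if __name__ == "__main__":
    for f in check_ldap_consistency(SMB_CONF, SMBLDAP_CONF_DEFAULT, BIND_CONF_DEFAULT, SLAPD_CONF):
        print("LDAP:", f)
    print("anonymous enumeration allowed:", anonymous_enumeration_allowed(SMB_CONF),
          "-> after 'restrict anonymous = 1':", anonymous_enumeration_allowed(SMB_CONF_HARDENED))
```

Run against the "default" samples it reports the three mismatches that produced the thread's errors; against the fixed samples it reports nothing. The `restrict anonymous` check is a configuration check only: after changing smb.conf, confirm the effect from another host with an anonymous session (for example `rpcclient -U "" -N <server> -c enumdomusers`), which should no longer return the user list.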

