[SAMBA] How to stop winbindd from granting UID=0? Security hole?

Molot molotster at gmail.com
Fri Jul 1 08:26:14 GMT 2005


I have a domain controller on Windows 2003.
On the client side, a standard installation of samba 3.0.1? with ldap,
kerberos and winbindd.

The setup should allow all users from the domain to log in to all of the client's
services (console, ssh and so on) using their domain name and password. Ok,
we have achieved this point.
It also should be possible to log in simply by writing "Login:
MyDomainUsername", while keeping the possibility to log on with only a
local username. If the same name exists in the domain and locally, it should
be checked first in the domain, then locally (so the user is able to
log in even if the network is down). We achieved that too.

But now there is a real problem. There is a domain user root. If the
domain is present, we can log in to the client by putting simply
"root" as the username and using the domain password. And we are actually
getting uid 0, so we are real root, not just a dorm user with a
funny-looking username.
Of course this behaviour is great for a normal (unprivileged) user
account, but not for the root account.

So, domain operators can have a root domain account and this way get
root access to all Linux boxes with this setup.

Does anyone know how I can stop it?
I'll post configs if requested, but maybe it is just a simple problem...

-- 
--------------->
Advocatus Diaboli - someone should do this job.

some kind of Molot
some kind of monster ;)

jid:molot at mruk.net
alt mailto:molot at mruk.net
gg:4588787
--------------->