Adding users with usrmgr.exe

Michael Glauche mg at plum.de
Fri May 5 19:05:14 GMT 2000


--On Friday, 5 May 2000 13:34 +1000 Peter Samuelson <peter at cadcamlab.org>
wrote:

>
>> > > smbpasswd is always rw-------. samba changes to these permissions
>> > > when not using these ... so there is no way for a non-uid 0 account
>> > > to create a samba user :(
>   [Luke Leighton]
>> > this is not good, it's got to go.
>
> [Jeremy Allison <jeremy at valinux.com>]
>> No, this is *essential* for security !
>
> Please, you two, don't go and have that argument again. (:
>
> Yes, it's (currently) essential that John Q. Public not be able to read
> smbpasswd (the file), but this could be just as well accomplished with
> smbpasswd (the utility) being setgid to a specialized group that has no
> power other than reading and writing smbpasswd (the file).  smbpasswd
> (the utility) has no business being able to bind to low ports, change
> the system time, or read /var/spool/mail/*.  Maybe we need:
>
>   smbpasswd group = smbpass
>
> (default "smbpasswd group = 0")

Hmm .. I like that idea. So you simply could put that group into the
"Domain Admin" group ...

regards,
   Michael
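
An added example, not part of the original thread or of Samba's code: a Python check for the layout Peter Samuelson proposes above, where the password file is group-owned by a dedicated group and the utility is setgid to that group instead of running with root's uid. The gid 450, the sample modes and the function names are assumptions made for illustration.

```python
import os
import stat
from types import SimpleNamespace

def audit_setgid_layout(pw, util, group_gid):
    """Return findings for the dedicated-group layout (empty list = ok).

    pw / util: objects with st_mode, st_uid, st_gid (os.stat_result works)
    for the password file and the utility; group_gid: the dedicated group.
    """
    findings = []
    rw_group = stat.S_IRGRP | stat.S_IWGRP
    # The file must stay unreadable and unwritable for everyone else.
    if pw.st_mode & stat.S_IRWXO:
        findings.append("password file is accessible to 'other'")
    # The dedicated group must own the file and hold read+write on it.
    if pw.st_gid != group_gid:
        findings.append("password file is not owned by the dedicated group")
    elif (pw.st_mode & rw_group) != rw_group:
        findings.append("dedicated group lacks read/write on the password file")
    # The utility should gain only the group, never root's uid.
    if (util.st_mode & stat.S_ISUID) and util.st_uid == 0:
        findings.append("utility is setuid root")
    if not ((util.st_mode & stat.S_ISGID) and util.st_gid == group_gid):
        findings.append("utility is not setgid to the dedicated group")
    # A binary writable by group or other could be replaced by its users.
    if util.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("utility is writable by group or other")
    return findings

def audit_paths(pw_path, util_path, group_gid):
    """Same check against real files; the caller supplies the paths."""
    return audit_setgid_layout(os.stat(pw_path), os.stat(util_path), group_gid)

# Constructed sample metadata; gid 450 stands in for the 'smbpass' group.
SMBPASS_GID = 450
proposed_file = SimpleNamespace(st_mode=0o100660, st_uid=0, st_gid=SMBPASS_GID)
proposed_util = SimpleNamespace(st_mode=0o102755, st_uid=0, st_gid=SMBPASS_GID)
root_only_file = SimpleNamespace(st_mode=0o100600, st_uid=0, st_gid=0)
setuid_util = SimpleNamespace(st_mode=0o104755, st_uid=0, st_gid=0)

if __name__ == "__main__":
    for name, f, u in [("proposed", proposed_file, proposed_util),
                       ("root-only", root_only_file, setuid_util)]:
        print(name, audit_setgid_layout(f, u, SMBPASS_GID) or "ok")
```
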





More information about the samba-ntdom mailing list