winbindd - NT_STATUS_ACCESS_DENIED

Marc Kaplan MKaplan at snapappliance.com
Mon Oct 27 23:13:21 GMT 2003


Andrew,
> NO, NO, NO!!!
> 
> That should be
> '--set-auth-user=NONadministrator%not-cared-about-password'
> 
> You should *never* put an administrative user into this.  You should put
> a user you don't care about, preferably one that you created just for
> the purpose.
> 
> If I see this 'advice' one more time, I'll put a special, load debug
> watch in wbinfo on the string 'Administrator'...
> 
> We only do this to get around the fact that we cannot do NTLM logins as
> our machine account.  In AD, we use our machine account and Kerberos, to
> avoid this mess.

Ok, then why not an administrative user? What problems does it cause, and
why is it bad?

			-Marc


> -----Original Message-----
> From: Andrew Bartlett 
> Sent: Monday, October 27, 2003 2:36 PM
> To: Marc Kaplan
> Cc: 'Raphaël Berghmans'; samba-technical at lists.samba.org;
> samba at lists.samba.org
> Subject: RE: winbindd - NT_STATUS_ACCESS_DENIED
> 
> 
> On Tue, 2003-10-28 at 04:06, Marc Kaplan wrote:
> > Raphael,
> > 
> > I would guess that your NT4 domain has RestrictAnonymous set. Check
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous.
> > If that is set to 1, you need to run wbinfo
> > --set-auth-user=administrator%administratorspw, and then restart winbindd.
> 
> NO, NO, NO!!!
> 
> That should be
> '--set-auth-user=NONadministrator%not-cared-about-password'
> 
> You should *never* put an administrative user into this.  You should put
> a user you don't care about, preferably one that you created just for
> the purpose.
> 
> If I see this 'advice' one more time, I'll put a special, load debug
> watch in wbinfo on the string 'Administrator'...
> 
> We only do this to get around the fact that we cannot do NTLM logins as
> our machine account.  In AD, we use our machine account and Kerberos, to
> avoid this mess.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 


