[Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED

Andrew Bartlett abartlet at samba.org
Mon Oct 27 23:36:10 GMT 2003

On Tue, 2003-10-28 at 10:13, Marc Kaplan wrote:
> Andrew,
> > NO, NO, NO!!!
> > 
> > That should be
> > '--set-auth-user=NONadministrator%not-cared-about-password'
> > 
> > You should *never* put an administrative user into this.  You 
> > should put
> > a user you don't care about, preferably one that you created just for
> > the purpose.  
> > 
> > If I see this 'advice' one more time, I'll put a special, loud debug
> > watch in wbinfo on the string 'Administrator'...
> > 
> > We only do this to get around the fact that we cannot do NTLM 
> > logins as
> > our machine account.  In AD, we use our machine account and 
> > kerberos, to
> > avoid this mess.
> Ok, then why not an administrative user? What problems does it cause, and
> why is it bad?

It is always considered a 'bad thing' to store an administrator's password
in plaintext on the system.  Firstly, because administrative passwords
should be changed regularly, but more importantly, there is simply no
reason to open up such a gaping security hole.   It isn't hard to simply
pull that password back out of the secrets.tdb...

Winbindd only needs to be 'not anonymous', it doesn't need any powers
beyond that.  

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
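The safeguard Andrew is asking for, as an added example that is not part of the original post and not Samba's own code: a small POSIX shell wrapper around `wbinfo --set-auth-user` that refuses obviously administrative account names or an empty password before anything is written to secrets.tdb. The account name `winbind-svc` and the domain `MYDOM` are assumptions for illustration; the only requirement the thread states is that the account be a dedicated, unprivileged one.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): guard the
# credential that winbindd stores in plaintext in secrets.tdb so that it
# never belongs to a privileged account.  Samba 3.x 'wbinfo' is assumed
# for --set-auth-user / --get-auth-user.

# check_auth_user USER%PASSWORD
# Returns 0 if the pair is acceptable for winbindd, 1 otherwise.
check_auth_user() {
    spec=$1
    case "$spec" in
        *%*) ;;
        *) echo "no password given (expected USER%PASSWORD)" >&2; return 1 ;;
    esac
    user=${spec%%%*}          # text before the first '%'
    pass=${spec#*%}           # text after the first '%'
    # Drop an optional DOMAIN\ or DOMAIN/ prefix for the name check.
    bare=${user##*\\}
    bare=${bare##*/}
    case "$(printf '%s' "$bare" | tr 'A-Z' 'a-z')" in
        "")
            echo "empty user name" >&2; return 1 ;;
        administrator|admin|root|"domain admins"|"enterprise admins")
            echo "refusing administrative account '$user'" >&2; return 1 ;;
    esac
    if [ -z "$pass" ]; then
        echo "empty password for '$user'" >&2; return 1
    fi
    return 0
}

# set_winbind_auth_user USER%PASSWORD
# Runs the check, then hands the pair to winbindd (must run as root on
# the Samba member server, since it writes secrets.tdb).
set_winbind_auth_user() {
    check_auth_user "$1" || return 1
    wbinfo --set-auth-user="$1"
}

# Usage (assumed account name):
#   set_winbind_auth_user 'MYDOM\winbind-svc%a-long-random-password'
# Then confirm what winbindd actually stored:
#   wbinfo --get-auth-user
# If that prints an administrator, the password is sitting in plaintext
# in secrets.tdb; change that account's password and switch to a
# dedicated unprivileged user.
```

The name check is deliberately a blacklist of the names that keep turning up in this advice; it does not replace checking the account's group membership in the domain, which the wrapper cannot do offline.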