[Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED
Marc Kaplan
MKaplan at snapappliance.com
Mon Oct 27 23:43:18 GMT 2003
> It is always considered a 'bad thing' to store an administrator's password
> in plaintext on the system.
Thanks Andrew, I'm glad I know why this is bad. Since many people don't use
their Administrator account, and instead use a different user account for
administration, I think it would be useful to make this a generic note in
the --help and the man page for wbinfo.
I would say though, that there is nothing wrong with storing their
administrative user and password in a .tdb, so long as the user is aware of
it.
-Marc
> -----Original Message-----
> From: Andrew Bartlett
> Sent: Monday, October 27, 2003 3:36 PM
> To: Marc Kaplan
> Cc: Andrew Bartlett; samba at lists.samba.org;
> samba-technical at lists.samba.org
> Subject: Re: [Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED
>
>
> On Tue, 2003-10-28 at 10:13, Marc Kaplan wrote:
> > Andrew,
> > > NO, NO, NO!!!
> > >
> > > That should be
> > > '--set-auth-user=NONadministrator%not-cared-about-password'
> > >
> > > You should *never* put an administrative user into this. You should put
> > > a user you don't care about, preferably one that you created just for
> > > the purpose.
> > >
> > > If I see this 'advice' one more time, I'll put a special, load debug
> > > watch in wbinfo on the string 'Administrator'...
> > >
> > > We only do this to get around the fact that we cannot do NTLM logins as
> > > our machine account. In AD, we use our machine account and kerberos, to
> > > avoid this mess.
> >
> > Ok, then why not an administrative user? What problems does it cause, and
> > why is it bad?
>
> It is always considered a 'bad thing' to store an administrator's password
> in plaintext on the system. Firstly, because administrative passwords
> should be changed regularly, but more importantly, there is simply no
> reason to open up such a gaping security hole. It isn't hard to simply
> pull that password back out of the secrets.tdb...
>
> Winbindd only needs to be 'not anonymous', it doesn't need any powers
> beyond that.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
>
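The thread's point is that `wbinfo --set-auth-user` writes the supplied credentials into secrets.tdb, so the account should be an unprivileged one created for the purpose, and the file itself should stay readable by root only. The following POSIX shell wrapper is an added example, not Samba's code and not something from the list: it refuses to store a name from a local blocklist of privileged accounts and checks the permissions of secrets.tdb. The blocklist, the `EXAMPLE` domain and the secrets.tdb path are assumptions for illustration.

```shell
#!/bin/sh
# Guard wrapper around 'wbinfo --set-auth-user' (added example, not Samba's code).
# It rejects privileged account names before anything is written to secrets.tdb
# and verifies that secrets.tdb is not group- or world-readable.

# Assumption: a local policy list of account names that must never be stored.
# Extend it for the naming conventions of your own domain.
PRIVILEGED_NAMES="administrator admin root domain_admin"

# Assumption: default location of the secrets database on this host.
SECRETS_TDB="/var/lib/samba/private/secrets.tdb"

# auth_user_ok "DOMAIN\user%password"
# Returns 0 when the user part is acceptable, 1 otherwise.
# Accepts the forms user%pass, DOMAIN\user%pass and DOMAIN/user%pass.
auth_user_ok() {
    spec=$1
    # drop the password: everything from the first '%' onwards
    user=${spec%%\%*}
    # drop an optional DOMAIN\ or DOMAIN/ prefix
    user=${user##*\\}
    user=${user##*/}
    # an empty user name can never be right
    [ -n "$user" ] || return 1
    # compare case-insensitively against the blocklist
    lower=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    for bad in $PRIVILEGED_NAMES; do
        [ "$lower" = "$bad" ] && return 1
    done
    return 0
}

# secrets_mode_ok /path/to/secrets.tdb
# Returns 0 only when the file exists and its group/other permission bits
# are all clear (e.g. mode 0600). Parses 'ls -ld' because its mode column
# is standardised, unlike the output of stat(1) across GNU and BSD.
secrets_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# set_winbind_auth_user "DOMAIN\user%password"
# Runs wbinfo only if the account passes the policy check, then reports
# whether secrets.tdb ended up with safe permissions.
set_winbind_auth_user() {
    if ! auth_user_ok "$1"; then
        echo "refusing to store a privileged account in secrets.tdb" >&2
        return 1
    fi
    wbinfo --set-auth-user="$1" || return 1
    if ! secrets_mode_ok "$SECRETS_TDB"; then
        echo "warning: $SECRETS_TDB is readable by group or others" >&2
        return 2
    fi
    return 0
}

# Example invocation (the account name is a constructed example):
# set_winbind_auth_user 'EXAMPLE\winbind-svc%not-cared-about-password'
```

The wrapper only checks the name, not the account's actual group membership; a domain account renamed away from "Administrator" but still in Domain Admins would pass, so the blocklist is a guard against the habit the thread complains about rather than a substitute for creating a dedicated low-privilege account.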