Only allow SeMachineAccountPrivilege on machine accounts

Gerald (Jerry) Carter jerry at samba.org
Tue Jan 25 14:33:10 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Bartlett wrote:
| Currently, the user holding the MachineAccount priv is as
| powerful as the domain admin, as they can reset passwords
| at will.
|
| This patch restricts their operation to resetting only
| the passwords of workstations.  This better matches what
| I was expecting, and I hope it matches windows better.

Looks good.  Thanks Andrew.

| The code in the create_user function also needs a similar
| treatment - a person with only machineAccount privileges
| should not be able to create user, DC or any other
| accounts, just because they chose a $ termination.
|
| I realise we have a comment from JFM in there, but I
| can't see how to securely handle the circumstance it
| describes, and I've never seen it myself.

I'd err on the side of caution I think.  Tighten the noose
and loosen it as necessary.  I'll look at it today.

Thanks again.



cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB9limIR7qMdg1EfYRAu1zAKDUjrgUulU0YcBrbbq2/v9kniFk2ACgjsid
+bDJvhfXYJlW541CkYu8DeE=
=Pqaa
-----END PGP SIGNATURE-----
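The access-control rule the thread is converging on (a holder of SeMachineAccountPrivilege may reset only workstation trust-account passwords, and may create only workstation trust accounts, decided by the account type rather than by a trailing `$` in the name) is written out below as an added, self-contained C example. It is not Samba's code and not the patch under discussion; the `ACB_*` values are modelled on Samba's account-control flags, and the `PRIV_*` bitmask, the function names and the sample accounts are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Account-control bits. Values are modelled on Samba's ACB_* flags,
 * but this file is an illustrative model, not Samba's own definitions. */
#define ACB_NORMAL   0x0010  /* ordinary user account */
#define ACB_WSTRUST  0x0080  /* workstation trust account */
#define ACB_SVRTRUST 0x0100  /* domain controller (server trust) account */
#define ACB_DOMTRUST 0x0800  /* interdomain trust account */

/* Caller's rights: a hypothetical bitmask, not a Samba type. */
#define PRIV_NONE            0x0
#define PRIV_MACHINE_ACCOUNT 0x1  /* SeMachineAccountPrivilege */
#define PRIV_DOMAIN_ADMIN    0x2  /* member of Domain Admins */

/* The situation Andrew describes: holding the machine-account privilege
 * is enough to reset any account's password, regardless of its type. */
bool can_reset_password_old(uint32_t privs, uint32_t target_acb)
{
    (void)target_acb;  /* target type never consulted: the flaw */
    return (privs & (PRIV_MACHINE_ACCOUNT | PRIV_DOMAIN_ADMIN)) != 0;
}

/* The tightened rule: the machine-account privilege only reaches
 * workstation trust accounts; everything else needs domain admin. */
bool can_reset_password_new(uint32_t privs, uint32_t target_acb)
{
    if (privs & PRIV_DOMAIN_ADMIN)
        return true;
    if (privs & PRIV_MACHINE_ACCOUNT)
        return (target_acb & ACB_WSTRUST) != 0;
    return false;
}

/* The same treatment for account creation: the decision is made on the
 * requested account type, so a '$'-terminated name on its own grants
 * nothing. A workstation account must be exactly ACB_WSTRUST (no DC,
 * trust or normal-user bits) and carry the conventional trailing '$'. */
bool can_create_account_new(uint32_t privs, const char *name,
                            uint32_t requested_acb)
{
    if (privs & PRIV_DOMAIN_ADMIN)
        return true;
    if (privs & PRIV_MACHINE_ACCOUNT) {
        size_t len = strlen(name);
        bool trailing_dollar = (len > 0 && name[len - 1] == '$');
        return trailing_dollar && requested_acb == ACB_WSTRUST;
    }
    return false;
}

int main(void)
{
    /* Constructed sample targets for a caller holding only the privilege. */
    struct { const char *name; uint32_t acb; } targets[] = {
        { "WS01$", ACB_WSTRUST  },
        { "DC01$", ACB_SVRTRUST },
        { "bob",   ACB_NORMAL   },
        { "bob$",  ACB_NORMAL   },
    };
    uint32_t privs = PRIV_MACHINE_ACCOUNT;

    printf("%-8s %-6s %-6s %-6s\n", "account", "old", "new", "create");
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        printf("%-8s %-6s %-6s %-6s\n", targets[i].name,
               can_reset_password_old(privs, targets[i].acb) ? "yes" : "no",
               can_reset_password_new(privs, targets[i].acb) ? "yes" : "no",
               can_create_account_new(privs, targets[i].name, targets[i].acb)
                   ? "yes" : "no");
    }
    return 0;
}
```

The old check shows every sample target as resettable by the privilege holder; the new checks permit only `WS01$`, and refuse `bob$` for creation because its requested type is a normal user account even though the name ends in `$`.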

