Only allow SeMachineAccountPrivilege on machine accounts
Gerald (Jerry) Carter
jerry at samba.org
Tue Jan 25 14:33:10 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Andrew Bartlett wrote:
| Currently, the user holding the MachineAccount priv is as
| powerful as the domain admin, as they can reset passwords
| at will.
|
| This patch restricts their operation to resetting only
| the passwords of workstations. This better matches what
| I was expecting, and I hope it matches windows better.
Looks good. Thanks andrew.
| The code in the create_user function also needs a similar
| treatment - a person with only machineAccount privileges
| should not be able to create user, DC or any other
| accounts, just because they chose a $ termination.
|
| I realise we have a comment from JFM in there, but I
| can't see how to securely handle the circumstance it
| describes, and I've never seen it myself.
I'd err on the side of caution I think. Tighten the noose
and loosen it as necessary. I'll look at it today.
Thanks again.
cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB9limIR7qMdg1EfYRAu1zAKDUjrgUulU0YcBrbbq2/v9kniFk2ACgjsid
+bDJvhfXYJlW541CkYu8DeE=
=Pqaa
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list