Only allow SeMachineAccountPrivilege on machine accounts
abartlet at samba.org
Wed Jan 26 21:31:07 GMT 2005
On Wed, 2005-01-26 at 09:24 -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Andrew Bartlett wrote:
> | This patch restricts their operation to resetting
> | only the passwords of workstations. This better matches
> | what I was expecting, and I hope it matches windows better.
> After looking at this some more, I'm not sure it is quite
> correct. It prevents any administrative user_info changes
> unless it is a machine account and the connected user
> posseses the SeMachineAccountPrivilege right.
Well spotted! As you can see, the only thing I actually do over SAMR is
handle domain joins :-)
> This means that root can no longer set passwords for
> users either. I'm going to clean this up and check it in.
> Let me know if you see any problems with the patch.
The new patch looks pretty good. It is a lot closer to what 'right'
looks like in my mind, but a Samba4 torture test will inform this
better. (Another thing for my TODO list :-)
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050127/44059b6b/attachment.bin
More information about the samba-technical