Only allow SeMachineAccountPrivilege on machine accounts

Andrew Bartlett abartlet at
Wed Jan 26 21:31:07 GMT 2005

On Wed, 2005-01-26 at 09:24 -0600, Gerald (Jerry) Carter wrote:
> Andrew Bartlett wrote:
> | This patch restricts their operation to resetting
> | only the passwords of workstations.  This better matches
> | what I was expecting, and I hope it matches Windows better.
> Andrew,
> After looking at this some more, I'm not sure it is quite
> correct.  It prevents any administrative user_info changes
> unless it is a machine account and the connected user
> possesses the SeMachineAccountPrivilege right.

Well spotted!  As you can see, the only thing I actually do over SAMR is
handle domain joins :-)

> This means that root can no longer set passwords for
> users either.  I'm going to clean this up and check it in.
> Let me know if you see any problems with the patch.

The new patch looks pretty good.  It is a lot closer to what 'right'
looks like in my mind, but a Samba4 torture test will inform this
better.  (Another thing for my TODO list :-)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College

More information about the samba-technical mailing list