Winbindd change password request
abartlet at samba.org
Tue Jun 13 14:22:00 GMT 2006
On Tue, 2006-06-13 at 16:01 +0200, Alexey Kobozev wrote:
> Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > Alexey Kobozev wrote:
> >> Actually we did a small patch to winbindd in order to try
> >> this out and when doing it from its context I don't need
> >> to know a thing about any credentials in order to search
> >> in any trusted AD domain. Using some external library I'll
> >> need credentials to bind to AD.
> >> I just though that if winbindd is already providing
> >> functionality to work with AD, it is a right place to
> >> put some searching capabilities in it.
> > Would you mind sending the patch ?
> > Piggy backing off the machine credentials which seems
> > in inappropriate to me for general searches, but I'd like
> > to see what you did before passing judgment.
> That's it - seems like it's not so good from security perspective -
> any user we'll be able to perform searches like that. Maybe making this
> functionality available for root only will make things better?
I'm a little lost how this would be different to 'net ads search -P', ie
using the machine account password from the secrets.tdb, except that you
could benefit from the DC location logic.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20060613/71350fb1/attachment.bin
More information about the samba-technical