Winbindd change password request

Alexey Kobozev cobedump at gmail.com
Thu Jun 15 09:29:56 GMT 2006
Andrew Bartlett wrote:
> On Tue, 2006-06-13 at 16:01 +0200, Alexey Kobozev wrote:
>> Gerald (Jerry) Carter wrote:
>>>
>>> Alexey Kobozev wrote:
>>>
>>>> Actually we did a small patch to winbindd in order to try 
>>>> this out and when doing it from its context I don't need
>>>> to know a thing about any credentials in order to search
>>>> in any trusted AD domain. Using some external library I'll
>>>> need credentials to bind to AD.
>>>>
>>>> I just thought that if winbindd is already providing
>>>> functionality to work with AD, it is the right place to
>>>> put some searching capabilities in it.
>>> Would you mind sending the patch ?
>>>
>>> Piggybacking off the machine credentials seems
>>> inappropriate to me for general searches, but I'd like
>>> to see what you did before passing judgment.
>>>
>> That's it - seems like it's not so good from a security perspective -
>> any user will be able to perform searches like that. Maybe making this
>> functionality available for root only will make things better?
> 
> I'm a little lost how this would be different to 'net ads search -P', ie
> using the machine account password from the secrets.tdb, except that you
> could benefit from the DC location logic.

I'd like to do it programmatically without executing any binaries and
having any credentials. Let's say my program is starting under root,
making some calls to samba libraries to get machine credentials or to
open connections to DCs, change euid and continue to use opened
connections.
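The approach proposed in the message above (start as root, open the connections, change euid, keep using the connections), as an added C example that is not from the thread or from Samba: it replaces the euid-only change with an irrevocable drop through setresuid/setresgid, checks that root cannot be regained, and shows that a descriptor opened beforehand stays usable. A pipe stands in for the DC connection, and uid/gid 65534 is assumed to be the unprivileged "nobody" account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop root irrevocably to uid/gid. A plain seteuid() leaves the saved
 * set-user-ID at 0, so the process could switch back later; setresuid and
 * setresgid overwrite real, effective and saved ids together. 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    /* Group first: after the uid change we may no longer be allowed to. */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* 1 if all six ids equal the targets and every way back to root fails. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su; gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    if (ru != uid || eu != uid || su != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    return setuid(0) == -1 && seteuid(0) == -1;
}

/* The pattern from the thread: open a descriptor while privileged (a pipe
 * stands in for the DC connection), drop privileges, keep using it.
 * Returns 1 on success. When not started as root it drops to the caller's
 * own ids, which still exercises the same calls. */
int open_then_drop(void)
{
    int fds[2];
    uid_t uid = getuid() == 0 ? 65534 : getuid();   /* 65534: assumed "nobody" */
    gid_t gid = getgid() == 0 ? 65534 : getgid();
    if (pipe(fds) != 0) return 0;                   /* "connection" opened as root */
    if (drop_privileges(uid, gid) != 0) return 0;
    if (!privileges_dropped(uid, gid)) return 0;
    /* The already-open descriptor survives the uid change. */
    char c = 'x', back = 0;
    int ok = write(fds[1], &c, 1) == 1 && read(fds[0], &back, 1) == 1 && back == 'x';
    close(fds[0]); close(fds[1]);
    return ok;
}
```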
