Plans for pdb_ads and auth_netlogond?

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jun 21 00:18:29 MDT 2012


On Thu, Jun 21, 2012 at 08:57:49AM +1000, Andrew Bartlett wrote:
> Sadly the code you so defend does not achieve either of these aims.  It
> only changes the full, unfettered access to the password db from being
> direct access to tdb files to SYSTEM access over ldapi://.  The

I still see it as different if we can only do LDAP requests
over whatever transport might be there. There can be many
more consistency checks that you can do over giving smbd the
right to do a pwrite() on sam.ldb. My *opinion* (sorry to
utter an opinion again :-( ) is that you can do much more
subtle harm with that pwrite.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de


More information about the samba-technical mailing list