[Samba] PDC-LDAP password bug

Igor Wojnicki wojnicki at agh.edu.pl
Sat Feb 16 06:36:07 GMT 2002


Hello there!

I've been using Samba-2-2-2 with some LDAP patches (concerning RIDs) as a
PDC for Win2Ksp2.
Recently I've upgraded to samba-2.2.3. LDAP works fine now, but with one
exception.

When one adds a W2k machine to the domain, a username and password of a domain
administrator must be supplied. I've created a user called smbadmin which
is "admin user" and "domain admin group". Furthermore, a user called "root"
has to exist in the LDAP database (it could be a bug too, but it is acceptable
because the account could be disabled).  It worked perfectly for Samba2.2.2
but it doesn't work for 2.2.3!!!  It seems that the only way to handle
adding W2k workstations to a domain is to use the "root" account.  According to
the logs, when a user gets admin privileges, samba tries to verify if the user's
password is the same as root's password. Furthermore, the root account has to
be enabled. This is a serious security hole!!!


-- 
Igor Wojnicki, wojnicki at agh.edu.pl



