[Samba] Security Question: passwordless machine accounts
Gerald (Jerry) Carter
jerry at samba.org
Thu Nov 7 16:40:01 GMT 2002
On Tue, 5 Nov 2002, Sean Noonan wrote:
> Hi folks,
>
> Finally got Samba up and running after many oplock issues and I'm very
> pleased. One "detail" left that bothers me. I'm running FreeBSD 4.7-STABLE
> on our PDC and every night I (root) am emailed a security report. Among
> the items reported is:
>
> Checking for passwordless accounts:
> .
> .
> CLIENT01$::1134:1134::0:0:Machine CLIENT01:/dev/null:/sbin/nologin
> .
>
> Should I be telling myself this is okay, since it's mitigated by using the
> /sbin/nologin shell? Since the machine has already successfully joined the
> domain can I now just assign the machine a password? Won't that break the
> trust relationship already set up? Can anything be done, or should I just
> shrug this one off?
The password in /etc/passwd is never used for machine accounts. Just lock
the password entry.
cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
"I never saved anything for the swim back." Ethan Hawk in Gattaca
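
An added example, not part of the original thread or of Samba itself: a dry-run audit over master.passwd-style lines that classifies the password field of machine accounts (names ending in `$`) and prints the file with empty entries locked. The sample lines are constructed, the function names are hypothetical, and placing `*` in the password field is an assumption about how "lock the password entry" is carried out.

```shell
#!/bin/sh
# Constructed sample input in FreeBSD master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
sample_passwd() {
cat <<'EOF'
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
CLIENT01$::1134:1134::0:0:Machine CLIENT01:/dev/null:/sbin/nologin
CLIENT02$:*:1135:1135::0:0:Machine CLIENT02:/dev/null:/sbin/nologin
CLIENT03$::1136:1136::0:0:Machine CLIENT03:/dev/null:/bin/sh
guest::1200:1200::0:0:Guest:/home/guest:/bin/sh
EOF
}

# Report each machine account as: name password-state shell-state.
# EMPTY plus LOGIN-SHELL is the combination that needs attention first.
audit_machine_accounts() {
    awk -F: '
        NF != 10    { next }    # skip malformed or blank lines
        $1 !~ /\$$/ { next }    # keep only machine accounts (trailing $)
        {
            state = ($2 == "") ? "EMPTY" : (($2 ~ /^\*/) ? "LOCKED" : "SET")
            shell = ($10 ~ /nologin$/) ? "nologin" : "LOGIN-SHELL"
            print $1, state, shell
        }'
}

# Dry run: print the input with "*" placed in the password field of every
# machine account whose field is empty. Other lines pass through unchanged,
# and the real password database is never touched.
lock_machine_accounts() {
    awk -F: 'BEGIN { OFS = ":" }
        NF == 10 && $1 ~ /\$$/ && $2 == "" { $2 = "*" }
        { print }'
}

echo "Before:"
sample_passwd | audit_machine_accounts
echo "After locking:"
sample_passwd | lock_machine_accounts | audit_machine_accounts
```

The ordinary `guest` entry is deliberately left alone by `lock_machine_accounts`, so the nightly report would still flag it.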