[Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED
Andrew Bartlett
abartlet at samba.org
Mon Oct 27 23:36:10 GMT 2003
On Tue, 2003-10-28 at 10:13, Marc Kaplan wrote:
> Andrew,
> > NO, NO, NO!!!
> >
> > That should be
> > '--set-auth-user=NONadministrator%not-cared-about-password'
> >
> > You should *never* put an administrative user into this. You
> > should put
> > a user you don't care about, preferably one that you created just for
> > the purpose.
> >
> > If I see this 'advise' one more time, I'll put a special, load debug
> > watch in wbinfo on the string 'Administrator'...
> >
> > We only do this to get around the fact that we cannot do NTLM
> > logins as
> > our machine account. In AD, we use or machine account and
> > kerberos, to
> > avoid this mess.
>
> Ok, then why not an administrative user? What problems does it cause, and
> why is it bad?
It is always considers a 'bad thing' to store an administrators password
in plaintext on the system. Firstly, because administrative passwords
should be changed regularly, but more importantly, there is simply no
reason to open up such a gaping security hole. It isn't hard to simply
pull that password back out of the secrets.tdb...
Winbindd only needs to be 'not anonymous', it doesn't need any powers
beyond that.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20031028/09c4d817/attachment.bin
More information about the samba
mailing list