[Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED

Marc Kaplan MKaplan at snapappliance.com
Mon Oct 27 23:43:18 GMT 2003


> It is always considered a 'bad thing' to store an administrator's password
> in plaintext on the system.
Thanks, Andrew, I'm glad I know why this is bad. Since many people don't use
their Administrator account, and instead use a different user account for
administration, I think it would be useful to add this as a generic note in
the --help output and the man page for wbinfo.

I would say though, that there is nothing wrong with storing their
administrative user and password in a .tdb, so long as the user is aware of
it.

		-Marc


> -----Original Message-----
> From: Andrew Bartlett 
> Sent: Monday, October 27, 2003 3:36 PM
> To: Marc Kaplan
> Cc: Andrew Bartlett; samba at lists.samba.org;
> samba-technical at lists.samba.org
> Subject: Re: [Samba] RE: winbindd - NT_STATUS_ACCESS_DENIED
> 
> 
> On Tue, 2003-10-28 at 10:13, Marc Kaplan wrote:
> > Andrew,
> > > NO, NO, NO!!!
> > > 
> > > That should be
> > > '--set-auth-user=NONadministrator%not-cared-about-password'
> > > 
> > > You should *never* put an administrative user into this.  You should put
> > > a user you don't care about, preferably one that you created just for
> > > the purpose.  
> > > 
> > > If I see this 'advice' one more time, I'll put a special, loud debug
> > > watch in wbinfo on the string 'Administrator'...
> > > 
> > > We only do this to get around the fact that we cannot do NTLM logins as
> > > our machine account.  In AD, we use our machine account and Kerberos, to
> > > avoid this mess.
> > 
> > Ok, then why not an administrative user? What problems does it cause, and
> > why is it bad?
> 
> It is always considered a 'bad thing' to store an administrator's password
> in plaintext on the system.  Firstly, because administrative passwords
> should be changed regularly, but more importantly, there is simply no
> reason to open up such a gaping security hole.   It isn't hard to simply
> pull that password back out of the secrets.tdb...
> 
> Winbindd only needs to be 'not anonymous', it doesn't need any powers
> beyond that.  
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 
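The thread's advice boils down to one rule: the credential handed to `wbinfo --set-auth-user` ends up in plaintext in secrets.tdb, so it must belong to a throw-away account, never an administrator. The POSIX sh below is an added example written for this page (it is not from the thread, nor part of Samba): a guard you can run before `wbinfo --set-auth-user` that parses the `USER%PASSWORD` argument, strips a `DOMAIN\` or `DOMAIN/` prefix, and refuses well-known privileged names. The account names, the domain `EXAMPLE` and the list of refused names are assumptions; extend the `case` pattern with whatever privileged accounts exist in your domain.

```shell
#!/bin/sh
# Added example, not Samba code: guard the credential that winbindd will store.
# The privileged-name list and the sample account names are assumptions.

# Return 0 (true) if USER, with any DOMAIN\ or DOMAIN/ prefix stripped and
# case folded, is a name that must never be stored in secrets.tdb.
is_privileged_user() {
    u=$(printf '%s' "$1" | sed 's/.*[\\/]//' | tr 'A-Z' 'a-z')
    case "$u" in
        administrator|admin|root) return 0 ;;
        *) return 1 ;;
    esac
}

# check_auth_user 'USER%PASSWORD'
# Returns 0 if the credential looks like a non-privileged, single-purpose
# account; returns 1 (with a reason on stderr) if it must not be stored.
check_auth_user() {
    cred=$1
    case "$cred" in
        *%*) ;;
        *) echo "expected USER%PASSWORD, got no '%'" >&2; return 1 ;;
    esac
    user=$(printf '%s' "$cred" | cut -d% -f1)   # text before the first '%'
    pass=${cred#*%}                              # text after the first '%'
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "empty user or password" >&2
        return 1
    fi
    if is_privileged_user "$user"; then
        echo "refusing to store credentials for privileged account '$user';" \
             "create a dedicated unprivileged account instead" >&2
        return 1
    fi
    return 0
}

# Print (do not run) the wbinfo invocation once the guard passes, so the
# caller can review it; winbindd only needs this account to be non-anonymous.
set_auth_user_cmd() {
    check_auth_user "$1" || return 1
    printf 'wbinfo --set-auth-user=%s\n' "$1"
}

# Usage: sh guard.sh 'EXAMPLE\svc-winbind%password'
if [ $# -eq 1 ]; then
    set_auth_user_cmd "$1"
fi
```

The guard is only the first half of the precaution. Whatever account passes it still has its password written to secrets.tdb, which is readable by root; on Samba 3.0-era releases that still carry the option, `wbinfo --get-auth-user` (root only) prints the stored pair back, which is exactly the retrieval Andrew describes. Creating an account whose only purpose is to let winbindd log in non-anonymously, with no group memberships beyond Domain Users, limits the damage to "an attacker with root on this box can authenticate as a nobody".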