[Samba] Win2k joining a Samba domain

Andrew Bartlett abartlet at samba.org
Wed Mar 10 10:59:32 GMT 2004


On Wed, 2004-03-10 at 18:11, John H Terpstra wrote:
> On Tue, 9 Mar 2004, Jim C. wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Mr. Terpstra,
> > Are you saying that if I have a user account in ldap which is
> > responsible for admin, that it must be uid=root or that it must be
> > uidNumber=0? What about gid=root/gidNumber=0 for a group?  I have the
> > setup below and some things do get done. Machine accounts are added
> > automatically and both Admin and root can authorize the joining of the
> > domain.  On a Mandrake system like mine the smbldap scripts belong to a
> > group named "adm" and uid=root belongs to this group also as well as to
> > the group "Domain Admins".
> 
> Joining a domain involves adding a user account to your UNIX system.
> Normally only root can add/delete accounts. How secure do you think your
> UNIX system will be if anyone can add/delete accounts? How secure a world
> do we want?
> 
> In short, the account that you use to create a domain member trust account
> for machines must have full administrative privilege on the UNIX system.

That's the cop-out excuse.  The technical reason is a couple of
privilege checks that need more work, so that the very specific action
of 'add new machine to the domain' can be correctly and securely
delegated.

Indeed, it is not a very secure system that requires that the root
password be so widely distributed... :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
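The thread is about delegating the single action "create a machine trust account" without handing out root. One way to narrow what that action can do, as an added example that is not from this thread or from the Samba project, is a wrapper that Samba invokes through its `add machine script` parameter: the wrapper validates the account name before the one privileged call, so a delegated caller cannot turn it into a general-purpose `useradd`. The wrapper name, the `machines` group and the name policy (1 to 15 characters of letters, digits or `-`, then a trailing `$`) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Samba code: a constrained "add machine script" wrapper.
# Samba passes the machine account name (the %u substitution) as $1.
# Assumptions: the group "machines" exists and the name policy below is
# what this site wants to allow.

# Return 0 if NAME looks like a machine trust account: 1-15 characters of
# [A-Za-z0-9-] followed by a single trailing '$', and nothing else.
validate_machine_name() {
    name=$1
    case $name in
        *\$) ;;                        # must end with '$'
        *) return 1 ;;
    esac
    base=${name%\$}                    # strip the trailing '$'
    [ -n "$base" ] || return 1         # '$' on its own is not a name
    [ ${#base} -le 15 ] || return 1    # NetBIOS-style length limit
    case $base in
        *[!A-Za-z0-9-]*) return 1 ;;   # reject anything outside the allowed set
        -*) return 1 ;;                # a leading '-' would be parsed as an option
    esac
    return 0
}

# Create the trust account with no home directory, no login shell and no
# password; this is the only call that needs root.
add_machine_account() {
    validate_machine_name "$1" || {
        echo "refusing machine account name: $1" >&2
        return 1
    }
    useradd -d /dev/null -g machines -s /bin/false -M "$1"
}

# When run as a script (smb.conf: add machine script = /path/to/this %u)
if [ $# -gt 0 ]; then
    add_machine_account "$1"
fi
```

Because the wrapper accepts exactly one argument and validates it before `useradd`, it can be the one command a delegated account is allowed to run with elevated rights; the general account-management commands stay restricted to root.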