[Samba] Win2k joining a Samba domain
abartlet at samba.org
Wed Mar 10 10:59:32 GMT 2004
On Wed, 2004-03-10 at 18:11, John H Terpstra wrote:
> On Tue, 9 Mar 2004, Jim C. wrote:
> > Mr. Terpstra,
> > Are you saying that if I have a user account in ldap which is
> > responsible for admin, that it must be uid=root or that it must be
> > uidNumber=0? What about gid=root/gidNumber=0 for a group? I have the
> > setup below and somethings do get done. Machines accounts are added
> > automatically and both Admin and root can authorize the joining of the
> > domain. On a Mandrake system like mine the smbldap scripts belong to a
> > group named "adm" and uid=root belongs to this group also as well as to
> > the group "Domain Admins".
> Joining a domain involves adding a user account to your UNIX system.
> Normally only root can add/delete accounts. How secure do you think your
> UNIX system will be if anyone can add/delete accounts? How secure a world
> do we want?
> In short, the account that you use to create a domain member trust account
> for machines must have full administrative privilege on the UNIX system.
That's the cop-out excuse. The technical reason is a couple of
privilege checks that need more work, so that the very specific action
of 'add new machine to the domain' can be correctly and securely
Indeed, it is not a very secure system that requires that the root
password be so widely distributed... :-)
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
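As an added example (not code from this thread or from Samba itself), one way to narrow the "add new machine to the domain" step that runs with root's power: a restricted `add machine script` wrapper that will only create machine trust accounts, never ordinary users. It assumes Samba substitutes `%u` with the machine account name (trailing `$`) and that a UNIX group named `machines` already exists.

```shell
#!/bin/sh
# Restricted "add machine script" wrapper (added example, not Samba's own code).
# smb.conf would point at it with, for example:
#   add machine script = /usr/local/sbin/add-machine.sh %u
# Samba runs it as root and substitutes %u with the machine account name.
MACHINE_GROUP="machines"   # assumed to exist already

# Accept only names that look like a machine trust account: letters, digits,
# '-' or '_', 1-15 characters, then a trailing '$'. Rejects "root", plain user
# names, and anything carrying path separators or shell metacharacters.
validate_machine_name() {
    case "$1" in
        *[!A-Za-z0-9_\$-]*) return 1 ;;   # forbidden character present
        *\$) ;;                            # must end in '$'
        *) return 1 ;;
    esac
    _name="${1%\$}"                        # strip the trailing '$'
    [ -n "$_name" ] && [ "${#_name}" -le 15 ] || return 1
    case "$_name" in *\$*) return 1 ;; esac  # '$' only as the last character
    return 0
}

add_machine_account() {
    validate_machine_name "$1" || { echo "refusing '$1'" >&2; return 1; }
    # never convert an existing account into a machine account
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "account '$1' already exists" >&2; return 1
    fi
    # no home, no login shell: usable only as a machine trust account via Samba
    useradd -g "$MACHINE_GROUP" -d /dev/null -s /bin/false -M "$1"
}

# When invoked by smbd, exactly one argument (the machine name) is passed.
if [ "$#" -eq 1 ]; then
    add_machine_account "$1"
fi
```

This only limits what the root-run automation may create; it does not by itself change which user is allowed to authorize the join, which is the open privilege-check question discussed above.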