[Samba] Win2k joining a Samba domain

Andrew Bartlett abartlet at samba.org
Wed Mar 10 10:59:32 GMT 2004

On Wed, 2004-03-10 at 18:11, John H Terpstra wrote:
> On Tue, 9 Mar 2004, Jim C. wrote:
> > Mr. Terpstra,
> > Are you saying that if I have a user account in ldap which is
> > responsible for admin, that it must be uid=root or that it must be
> > uidNumber=0? What about gid=root/gidNumber=0 for a group?  I have the
> > setup below and some things do get done. Machine accounts are added
> > automatically and both Admin and root can authorize the joining of the
> > domain.  On a Mandrake system like mine the smbldap scripts belong to a
> > group named "adm" and uid=root belongs to this group also as well as to
> > the group "Domain Admins".
> Joining a domain involves adding a user account to your UNIX system.
> Normally only root can add/delete accounts. How secure do you think your
> UNIX system will be if anyone can add/delete accounts? How secure a world
> do we want?
> In short, the account that you use to create a domain member trust account
> for machines must have full administrative privilege on the UNIX system.

That's the cop-out excuse.  The technical reason is a couple of
privilege checks that need more work, so that the very specific action
of 'add new machine to the domain' can be correctly and securely

Indeed, it is not a very secure system that requires that the root
password be so widely distributed... :-)

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net