[Samba] Samba/LDAP documentation

Craig White craigwhite at azapple.com
Sun Feb 13 21:50:21 GMT 2005


On Sun, 2005-02-13 at 22:06 +0100, Tony Earnshaw wrote: 
> Craig White:
> 
> My Win XP prof machine accepts any RID whatsoever for Administrator.
> Maybe a Win 2000 machine wouldn't. Moreover, using USRMGR/SRVMGR it
> issues out-of-context RIDs (e.g. 513 for a computer). It coexists with
> and accepts these quite happily. As I wrote, there are exceptions to all
> HOWTOs ;)
---
As the admin of a system, you have control over all of this and can
implement or not implement 'expected Windows conventions' as you see fit
and find workable for you and your users.

Samba sees machine accounts in a similar context as a user account -
needs local account, needs sambaNTPassword attributes, etc.
--- 
> >  and uidNumber: 0
> > if you expect this account to have root privileges...necessary to be
> > able to join machines to domain (subject to the following
> > conditions...you do not have another account with uidNumber: 0 in the DSA
> > i.e. root AND subject to anticipated changes in Policy objects) and
> > other privileged operations that may be required for Samba use.
> 
> I also wrote that there is *NO WAY* any UID other than root will get
> uidNumber 0 or gidNumber 0 on any Unix/Linux machine I administer. I
> have a serious problem with this. Think: you are empowering a probably
> clueless NTadmin running provenly corrupt software, subject to weekly
> security fixes, superuser access to one of your most valuable assets.
> Nobody cares if a Windows user box gets corrupted, everybody expects it,
> in fact.  But neither it nor the probable idiot administering it should
> be allowed to ...
----
Perhaps I am just dense but my loginShell: /bin/false seems to me to
contain the activities of the 'Administrator' account to Windows
operations.

Craig
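
Added example, not part of the original thread: a small Python check that reads an LDIF export of the directory and lists every entry other than root that carries uidNumber: 0, together with its loginShell and whether it is a sambaSamAccount, the attributes discussed above. The sample LDIF, the DNs and the function names are constructed for illustration.

```python
# Added example (not from the thread); SAMPLE_LDIF is constructed, names hypothetical.
import base64

SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=org
uid: root
uidNumber: 0
loginShell: /bin/bash

dn: uid=Administrator,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 0
loginShell: /bin/false

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1005
loginShell: /bin/false
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per LDIF entry."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuations
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def uid0_accounts(text, allowed=("root",)):
    """Return (uid, loginShell, is_samba_account) for uidNumber 0 entries not in allowed."""
    found = []
    for e in parse_ldif(text):
        uid = e.get("uid", [""])[0]
        if "0" in e.get("uidnumber", []) and uid not in allowed:
            samba = "sambasamaccount" in (c.lower() for c in e.get("objectclass", []))
            found.append((uid, e.get("loginshell", [None])[0], samba))
    return found

if __name__ == "__main__":
    for uid, shell, samba in uid0_accounts(SAMPLE_LDIF):
        print(f"uidNumber 0: {uid} loginShell={shell} sambaSamAccount={samba}")
```
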


