[Samba] Debugging Privilege and Samba 3.0.11

Ilia Chipitsine ilia at paramon.ru
Sat Feb 26 07:31:47 GMT 2005

> |
> | You're foolish if you think anyone with local
> | access to a workstation can't get into the
> | Admin account on their local machine.
> WoW!   That was a really helpful response!
> And while correct, doesn't do anything to help
> the original poster.
> If I have an employee and I'll them I'm not
> going to give you admin access.  And then the
> hack the box using local physical access, i'll
> just fire them.  Problem solved.  No more physical
> access.

It's almost impossible to fire people for that.
Due to statistics about one of hundred employee has
psychological deviations which cause him/here to "investigate"
something. In out company such an investigator pretty regularly
stays over the night in order to reinstall Windows just because
it's getting unusable after his actions once in a week.

People do not change and it's better to take them as they are than to fire 

> The answer is that you create a domain group on
> the Samba server; add the users to that group,
> the assign that SID the SeDebugPrivilege right
> on the individual machines (not of the Samba DC).
> user rights are local to the machine on which they
> are assigned.

another helpful information is to use SECEDIT for unattended installation
to automate such an operation. Samba domain doesn't support GPO theese 
days, and assigning rights can be done either manually or by SECEDIT tool.

> cheers, jerry
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> tZoLyWOlvj9P3RiiqIJcUNg=
> =M3kc
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list