[Samba] Non-root accounts cannot join the Samba PDC:s domain
BJörn Lindqvist
bjourne at gmail.com
Tue Sep 5 11:28:42 GMT 2006
> BJörn Lindqvist wrote:
> > It is inconsistent with other "net" commands. I.e:
> >
> > net rpc user info someuser
> >
> > where the name does not have to be fully qualified
>
> The net command is a kitchen sink that needs to be
> broken into multiple commands. You don't have to qualify
> the name in your example because it is implicitly
> qualified by the domain of the server you are connecting to.
I see, thanks.
> >> > net rpc rights grant Everybody SeMachineAccountPrivilege
> >>
> >> This is a security hole. I really would recommend
> >> against this. It's about the same as 'guest account = root'.
> >
> > Why? If it is, then how else do you enable computers to
> > join your domain?
>
> It's the same as saying 'admin users = +users'.
>
> I suggest creating a group mapping (let's call it "Unix Admins")
> and then running
I still don't understand why this is a security hole. And even if
there is, I see no other way to solve my problem. There are a few
hundred computers all connected to a Windows Active Directory. They
all need to join the Samba domain. The only feasible way I know of
making the transition is to give all users the
SeMachineAccountPrivilege and then have each user migrate his or her
own computer.
--
mvh Björn