Andrew,
> NO, NO, NO!!!
>
> That should be
> '--set-auth-user=NONadministrator%not-cared-about-password'
>
> You should *never* put an administrative user into this. You should put
> a user you don't care about, preferably one that you created just for
> the purpose.
>
> If I see this 'advice' one more time, I'll put a special, load debug
> watch in wbinfo on the string 'Administrator'...
>
> We only do this to get around the fact that we cannot do NTLM logins as
> our machine account. In AD, we use our machine account and kerberos, to
> avoid this mess.
Ok, then why not an administrative user? What problems does it cause, and
why is it bad?
-Marc
> -----Original Message-----
> From: Andrew Bartlett
> Sent: Monday, October 27, 2003 2:36 PM
> To: Marc Kaplan
> Cc: 'Raphaël Berghmans'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: winbindd - NT_STATUS_ACCESS_DENIED
>
>
> On Tue, 2003-10-28 at 04:06, Marc Kaplan wrote:
> > Raphael,
> >
> > I would guess that your NT4 domain has RestrictAnonymous set. Check
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous.
> > If that is set to 1, you need to run wbinfo
> > --set-auth-user=administrator%administratorspw, and then restart winbindd.
>
> NO, NO, NO!!!
>
> That should be
> '--set-auth-user=NONadministrator%not-cared-about-password'
>
> You should *never* put an administrative user into this. You should put
> a user you don't care about, preferably one that you created just for
> the purpose.
>
> If I see this 'advice' one more time, I'll put a special, load debug
> watch in wbinfo on the string 'Administrator'...
>
> We only do this to get around the fact that we cannot do NTLM logins as
> our machine account. In AD, we use our machine account and kerberos, to
> avoid this mess.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net
>
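
Added example (not part of the original thread and not Samba project code): a shell check for whether the account stored with `wbinfo --set-auth-user` is an administrative one, which is what Andrew's message says it must never be. It assumes `wbinfo --get-auth-user` prints `DOMAIN\user%password` or `No authorised user configured`; the `ADMIN_NAMES` list and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: classify the account winbindd stores for its NTLM session.
# Assumption: `wbinfo --get-auth-user` prints DOMAIN\user%password on one
# line, or "No authorised user configured" when nothing is set.
# Live use (as root): check_auth_user "$(wbinfo --get-auth-user)"

# Account names treated as administrative (constructed list; extend it
# with the privileged accounts of your own domain).
ADMIN_NAMES="administrator admin root"

# check_auth_user LINE
# Prints "none", "admin:<user>" or "ok:<user>"; returns 1 only for "admin".
check_auth_user() {
    line=$1
    case $line in
        ""|"No authorised user configured")
            echo "none"
            return 0
            ;;
    esac
    # Strip the password first so a backslash inside it cannot be taken
    # for the domain separator, and so the password is never printed.
    cred=${line%%\%*}
    # Strip the DOMAIN\ prefix (backslash is the default winbind separator).
    user=${cred##*\\}
    lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    for name in $ADMIN_NAMES; do
        if [ "$lower" = "$name" ]; then
            echo "admin:$user"
            return 1
        fi
    done
    echo "ok:$user"
    return 0
}
```
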