On Tue, 2003-10-28 at 10:13, Marc Kaplan wrote:
> Andrew,
> > NO, NO, NO!!!
> >
> > That should be
> > '--set-auth-user=NONadministrator%not-cared-about-password'
> >
> > You should *never* put an administrative user into this. You should put
> > a user you don't care about, preferably one that you created just for
> > the purpose.
> >
> > If I see this 'advice' one more time, I'll put a special, load debug
> > watch in wbinfo on the string 'Administrator'...
> >
> > We only do this to get around the fact that we cannot do NTLM logins as
> > our machine account. In AD, we use our machine account and kerberos, to
> > avoid this mess.
>
> Ok, then why not an administrative user? What problems does it cause, and
> why is it bad?

It is always considered a 'bad thing' to store an administrator's password in plaintext on the system. Firstly, because administrative passwords should be changed regularly, but more importantly, there is simply no reason to open up such a gaping security hole. It isn't hard to simply pull that password back out of the secrets.tdb...

Winbindd only needs to be 'not anonymous', it doesn't need any powers beyond that.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
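
An added example, not part of the original thread and not Samba project code: a small audit helper that checks which account winbindd has been given via `--set-auth-user`, flagging administrative names without ever echoing the stored password. It assumes `wbinfo --get-auth-user` prints one line shaped like `DOMAIN\user%password`; the `EXAMPLE` domain, the account names and the privileged-name list are constructed.

```shell
#!/bin/sh
# Added example (not Samba code). Input is one line as printed by
# `wbinfo --get-auth-user` (run as root), assumed to look like
#   DOMAIN\user%password
# with the default winbind separator '\'.

# Account names treated as administrative; a constructed list, extend per site.
PRIVILEGED_NAMES="administrator admin root"

# classify_auth_user LINE
# Prints "<verdict> <account>" where verdict is anonymous, privileged or ok.
# The password part of LINE is discarded and never printed.
classify_auth_user() {
    line=$1
    case $line in
        # Empty output, or the "nothing configured" message (wording assumed).
        ''|'No authorised user configured')
            printf '%s\n' 'anonymous -'
            return 0 ;;
    esac
    account=${line%%\%*}     # cut at the first '%': drops the password
    user=${account##*\\}     # drop the "DOMAIN\" prefix, if any
    lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    for name in $PRIVILEGED_NAMES; do
        if [ "$lower" = "$name" ]; then
            printf '%s %s\n' 'privileged' "$account"
            return 0
        fi
    done
    printf '%s %s\n' 'ok' "$account"
}

# Constructed sample lines; on a live host pass "$(wbinfo --get-auth-user)".
for sample in \
    'EXAMPLE\Administrator%constructed-pw' \
    'EXAMPLE\winbind-lookup%constructed-pw' \
    'No authorised user configured'
do
    classify_auth_user "$sample"
done
```

A `privileged` verdict means an administrator's credentials are sitting in secrets.tdb and should be replaced with a dedicated low-privilege account, then rotated.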
