Sean Noonan
2002-Nov-05 16:21 UTC
[Samba] Security Question: passwordless machine accounts
Hi folks,

Finally got Samba up and running after many oplock issues and I'm very pleased. One "detail" left that bothers me. I'm running FreeBSD 4.7-STABLE on our PDC and every night I (root) am emailed a security report. Among the items reported is:

Checking for passwordless accounts:
.
.
CLIENT01$::1134:1134::0:0:Machine CLIENT01:/dev/null:/sbin/nologin
.

Should I be telling myself this is okay, since it's mitigated by using the /sbin/nologin shell? Since the machine has already successfully joined the domain can I now just assign the machine a password? Won't that break the trust relationship already set up? Can anything be done, or should I just shrug this one off?

Thanks in advance,
Sean
Gerald (Jerry) Carter
2002-Nov-07 16:40 UTC
[Samba] Security Question: passwordless machine accounts
On Tue, 5 Nov 2002, Sean Noonan wrote:

> Hi folks,
>
> Finally got Samba up and running after many oplock issues and I'm very
> pleased. One "detail" left that bothers me. I'm running FreeBSD 4.7-STABLE
> on our PDC and every night I (root) am emailed a security report. Among
> the items reported is:
>
> Checking for passwordless accounts:
> .
> .
> CLIENT01$::1134:1134::0:0:Machine CLIENT01:/dev/null:/sbin/nologin
> .
>
> Should I be telling myself this is okay, since it's mitigated by using the
> /sbin/nologin shell? Since the machine has already successfully joined the
> domain can I now just assign the machine a password? Won't that break the
> trust relationship already set up? Can anything be done, or should I just
> shrug this one off?

The password in /etc/passwd is never used for machine accounts. Just lock the password entry.

cheers, jerry

---------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
"I never saved anything for the swim back." Ethan Hawk in Gattaca
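The check discussed in this thread, as an added example that is not part of either message or of Samba or FreeBSD: it parses entries in the 10-field format of the quoted line and separates empty password fields from locked ones. The sample entries other than CLIENT01$, the nologin shell list, the rule that a leading `*` means locked, and the high/low ranking are assumptions made for illustration.

```python
"""Classify master.passwd-style entries by the state of their password field."""
from typing import NamedTuple

# Constructed sample, 10 colon-separated fields per line. The first entry is
# the one quoted in the thread; the others are made up for illustration.
SAMPLE = """\
CLIENT01$::1134:1134::0:0:Machine CLIENT01:/dev/null:/sbin/nologin
CLIENT02$:*:1135:1135::0:0:Machine CLIENT02:/dev/null:/sbin/nologin
alice:$2a$04$ConstructedHashNotReal:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$2a$04$ConstructedHashNotReal:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

# Assumption: these shells refuse interactive logins on the audited host.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin"}

class Entry(NamedTuple):
    name: str
    state: str         # "empty", "locked" or "set"
    machine: bool      # machine accounts end in "$", as CLIENT01$ does
    login_shell: bool

def password_state(field: str) -> str:
    if field == "":
        return "empty"
    # Assumption: a leading "*" (plain "*" or a "*LOCKED*" prefix) means locked,
    # because no password hash can match such a string.
    return "locked" if field.startswith("*") else "set"

def audit(text: str) -> list:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, pw, shell = fields[0], fields[1], fields[9]
        entries.append(Entry(name, password_state(pw), name.endswith("$"),
                             shell not in NOLOGIN_SHELLS))
    return entries

def report(entries) -> list:
    """Return (name, severity) for every entry whose password field is empty."""
    out = []
    for e in entries:
        if e.state == "empty":
            # An empty field plus a real shell is the dangerous combination.
            out.append((e.name, "high" if e.login_shell else "low"))
    return out

if __name__ == "__main__":
    for name, severity in report(audit(SAMPLE)):
        print(f"{severity:4} {name}: empty password field, lock the entry")
```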