On Sat, 2012-02-04 at 21:12 +0100, NdK wrote:> Hello all.
>
> I only recently discovered 'net ads search'. But it seems
'-P' can only
> be used by root, while I'd need to let 'radius' user do
searches.
> Is it "dangerous" if I make it rw for 'radius' group (or
a new group
> I'll make 'radius' user a member)?
This will essentially make radius run as root, as users with access to
secrets.tdb can fake incoming kerberos tickets for any user.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org