Falko Trojahn wrote:
> le dahut wrote:
>> I hope there will be a way to use computer account because I can't let
>> a share writeable to "nobody" nor can I use a domain account for WPKG
>> client. Those 2 solutions are not secure enough.
> I use log- and status-writing to samba share without problems, running
> wpkg client as system account as usual.
>
> We have:
>
> - a share writeable for admins and for "wpkg" user
> - all folders within this share readable for wpkg user and writeable to
>   admins
> - folders "status" and "logs" writeable for wpkg user
>
> Since wpkg user and password are only known to admins, I think this
> could be a possible solution for you, too.
>
> Regards,
> Falko

The problem is that a workstation can be compromised. If a compromise occurs, the wpkg user's password will be known and thus will have to be changed and updated on all workstations.

Having a different password for every workstation increases security and shortens the administration tasks by not having to maintain a special account for WPKG and not having to update every workstation when the wpkg user's password has been discovered.

The configuration file "settings.xml" must contain the password to permit an easy installation of the WPKG client and so cannot be copied to a public share/web (Web, FTP, etc.) repository.

This points to the massive deployment of WPKG, where administrators of multiple sites (each site has its own PDC) want a centralised WPKG management. They could copy "config.xml" and "settings.xml" (and other WPKG .xml files: hosts/packages/profiles) to a public share and write a scheduled script that downloads them, and so thousands of workstations could be updated like this. But this can work only with a computer account or another authentication method using a different password for each computer.

This could also work with no write access to a "guest = ok" WPKG share. But this implies that all the .exe and .msi files would be accessible to everyone...

Of course one would answer me :

Or, more easily, some people have their own laptop which they use at work, which can log on to the domain at work... At home, users are "Administrator" on their computers... ;-)

This is not a critique. These are only some points of view that I have from my position and which, I think, could help future reflection about WPKG improvement. I also understand that WPKG is conceived to work with the SMB/CIFS protocol, with the restriction that it imposes.

K.