
Re: [Samba] Best practice for creating an RO LDAP User in AD...

On Tue, 7 Nov 2017 19:24:10 +0100
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Greetings! Denis Cardon via samba
>   wrote the other day...
> 
> > You can put your service accounts in an OU and add a GPO that deny
> > logon/services/tasks locally.
> 
> Coming back to this briefly.
> 
> I've created a 'Restricted' OU and a 'Restricted' group (I'm short on
> imagination today ;) and I've created an 'mta' user, both user and group
> in the 'Restricted' OU, of course.
> And I've added 'mta' to the 'Restricted' group.
> 
> Clearly, on a DC, an xID gets assigned to the group:
> 
> 	root@vdcsv1:~# getent group Restricted
> 	LNFFVG\restricted:x:3000026:
> 
> but in the same way the 'mta' user gets the 'Domain Users' group by
> default (and others, it seems):
> 
> 	root@vdcsv1:~# getent passwd mta
> 	LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
> 	root@vdcsv1:~# id mta
> 	uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)
> 
> Ok, some questions:
> 
> a) does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not
>  a member of 'Domain Users'? Or after that do I have to re-set all ACLs on
> my LDAP objects so that a non-'Domain Users' member can read LDAP data?
> 
> b) if I modify 'primaryGroupID: 513', considering that neither user nor
>  group has POSIX/rfc2307 data, could that potentially break something? On
> member servers?
> 
> c) is there some way, apart from ldbmodify, to modify primaryGroupID:?
> 
> 
> Thanks.
> 

Not sure what you are proposing is going to work; AD expects every user
to be a member of Domain Users, even though there is nothing in AD to
show membership.
Do you require this user to be visible on all domain machines?
If Windows works like winbind, then it probably won't be.

You can remove the 'mta' group easily by opening idmap.ldb in ldbedit,
finding the object for 'mta' and then changing the 'type' attribute from
'ID_TYPE_BOTH' to 'ID_TYPE_UID'.

It might help if you could explain how you are going to use your new
user 'mta'.

Rowland
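As an added example that is not part of this thread or of Samba itself: the ldbedit step Rowland describes (flipping the idmap.ldb entry for 'mta' from ID_TYPE_BOTH to ID_TYPE_UID) as a scripted, reviewable change. The record format below is the sidMap layout idmap.ldb uses; the SID, the xidNumber 3000025 from Marco's output, and the database path are assumed for illustration, and the sample record is constructed rather than copied from a real DC. The script only emits a modify LDIF when the current type really is ID_TYPE_BOTH, so it is safe to re-run and will not touch a group mapping.

```sh
#!/bin/sh
# Added example (not from the thread): script the idmap.ldb edit Rowland
# describes instead of hand-editing in ldbedit. Paths and the SID are assumed.

# Default location of the DC's idmap database on a Debian-style Samba install
# (assumed; check your build's 'private dir').
IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"

# Constructed sample of what
#   ldbsearch -H "$IDMAP_DB" '(xidNumber=3000025)'
# returns for the 'mta' account. The SID is made up for the example.
SAMPLE_RECORD='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000025
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-1105

# returned 1 records
# 1 entries
# 0 referrals'

# Print the 'type' attribute of an ldbsearch-style record read on stdin.
idmap_type() {
    sed -n 's/^type: //p' | head -n 1
}

# Print the dn of an ldbsearch-style record read on stdin.
idmap_dn() {
    sed -n 's/^dn: //p' | head -n 1
}

# Build the LDIF that ldbmodify needs to turn a BOTH mapping into a UID-only
# mapping. Usage: make_uid_only_ldif "<dn of the sidMap record>"
make_uid_only_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: type\ntype: ID_TYPE_UID\n' "$1"
}

# Given one record as a string, emit the modify LDIF only if the mapping is
# currently ID_TYPE_BOTH. Emits nothing (and changes nothing) for a record
# that is already ID_TYPE_UID or that is a group mapping (ID_TYPE_GID).
plan_change() {
    record="$1"
    cur=$(printf '%s\n' "$record" | idmap_type)
    dn=$(printf '%s\n' "$record" | idmap_dn)
    case "$cur" in
        ID_TYPE_BOTH) make_uid_only_ldif "$dn" ;;
        *) : ;;
    esac
}

# Dry run on the constructed sample: prints the LDIF that would be applied.
plan_change "$SAMPLE_RECORD"

# Real run on a DC (not executed here; needs Samba's ldb tools), e.g.:
#   ldbsearch -H "$IDMAP_DB" '(xidNumber=3000025)' > /tmp/mta.ldif
#   plan_change "$(cat /tmp/mta.ldif)" | ldbmodify -H "$IDMAP_DB"
#   net cache flush
```

The `net cache flush` at the end matters in practice: winbind caches idmap lookups, so `id mta` keeps showing the old personal group until the cache is cleared. Run this on the DC that owns the database, and keep the generated LDIF so the change is auditable.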

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba