Re: [Samba] Little strangeness on dns-* account...
- Date: Wed, 19 Dec 2018 08:00:09 +1300
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Little strangeness on dns-* account...
On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote:
> On Tue, 18 Dec 2018 19:13:16 +0100
> Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > I've setup a script that scan non-disabled user base, base query:
> > (&(objectClass=user)(!(objectClass=computer))(!(userAccountCont
> > rol:1.2.840.1135126.96.36.1993:=2)))
> > and for every user i check the 'last password change' data value,
> > doing some thing (eg, disabling it ;-) if it is too far.
> > I've found that my script get also some 'dns-*' account; looking at
> > data i've found that the account associated with the DC with FSMO
> > roles (and the dc where i've firstly deployed the domain) have:
> > isCriticalSystemObject: TRUE
> Not sure where that came from, both my dns-* users do not have that
We probably should add it however. ;-)
> > while all the other DC NO, so the query:
> > (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSyste
> > mObject=TRUE))(!(userAccountControl:1.2.840.1135188.8.131.523:=2)))
> > work as expected, but filter out only the dns-* account of the FSMO
> > roles DC, not the other DC.
> > Googling a bit seems that this attribute it is safer NOT to be
> > changed.
> > Supposing that disabling the dns-* account it is not a so good
> > idea,
> > how can i filter that account? Only by 'dns-*' name?
> No, it wouldn't be good idea to disable them, not if you want
> BIND9_DLZ to work.
For the list, this account is part of a small attempt to provide some
measure of privilege separation between BIND9 and the rest of Samba's
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
To unsubscribe from this list go to the following URL and read the