
Re: [Samba] Little strangeness on dns-* account...




On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote:
> On Tue, 18 Dec 2018 19:13:16 +0100
> Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > 
> > 
> > I've set up a script that scans the non-disabled user base, base query:
> > 
> > 	(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> > 
> > and for every user I check the 'last password change' data value,
> > doing something (eg, disabling it ;-) if it is too far.
> > 
> > I've found that my script also gets some 'dns-*' accounts; looking at
> > the data I've found that the account associated with the DC with the FSMO
> > roles (and the DC where I first deployed the domain) has:
> > 
> > 	isCriticalSystemObject: TRUE
> Not sure where that came from, both my dns-* users do not have that
> line

We probably should add it however.  ;-)

> > 
> > 
> > while all the other DCs do NOT, so the query:
> > 
> > 	(&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> > 
> > works as expected, but filters out only the dns-* account of the FSMO
> > roles DC, not the other DCs.
> > 
> > 
> > Googling a bit, it seems that this attribute is safer NOT to be
> > changed.
> > 
> > 
> > Supposing that disabling the dns-* accounts is not such a good
> > idea,
> > how can I filter those accounts? Only by 'dns-*' name?
> No, it wouldn't be a good idea to disable them, not if you want
> BIND9_DLZ to work.

Yeah.  

For the list, this account is part of a small attempt to provide some
measure of privilege separation between BIND9 and the rest of Samba's
AD DC.  

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
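As an added illustration (not code from this thread or from Samba), the logic of the script Marco describes, in Python over a constructed set of entries shaped like search results: it mirrors the base filter (user, not computer, ACCOUNTDISABLE bit clear), converts pwdLastSet from FILETIME ticks to an age, treats pwdLastSet of 0 ("must change at next logon") as stale, and excludes the BIND9_DLZ accounts by their dns-* name, since the thread shows isCriticalSystemObject set on only one of them. The dns-<DC> naming, the sample entries and the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone
UF_ACCOUNTDISABLE = 0x0002           # bit the filter's 1.2.840.113556.1.4.803 clause tests
FILETIME_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01

def filetime_to_datetime(filetime):
    """AD pwdLastSet (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime.fromtimestamp(filetime / 10_000_000 - FILETIME_EPOCH_OFFSET, tz=timezone.utc)

def to_filetime(dt):  # inverse conversion; used here only to build the constructed sample
    return int((dt.timestamp() + FILETIME_EPOCH_OFFSET) * 10_000_000)

def is_enabled_user(entry):
    """Same test as the poster's base filter: user, not computer, ACCOUNTDISABLE bit clear."""
    classes = entry.get("objectClass", [])
    return ("user" in classes and "computer" not in classes
            and not int(entry.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE)

def is_dns_service_account(entry):
    """Exclude by name, as the poster asked (assumption: BIND9_DLZ accounts are named dns-<DC>);
    isCriticalSystemObject is only a fallback, as the thread shows it set on one DC only."""
    return (entry.get("sAMAccountName", "").startswith("dns-")
            or entry.get("isCriticalSystemObject") == "TRUE")

def stale_password_accounts(entries, max_age_days, now):
    """Names of enabled, non-service users whose password is older than max_age_days.
    pwdLastSet == 0 means 'must change at next logon' and is reported as stale too."""
    stale = []
    for e in entries:
        if not is_enabled_user(e) or is_dns_service_account(e):
            continue
        pls = int(e.get("pwdLastSet", 0))
        if pls == 0 or now - filetime_to_datetime(pls) > timedelta(days=max_age_days):
            stale.append(e["sAMAccountName"])
    return stale

NOW = datetime(2018, 12, 19, tzinfo=timezone.utc)  # fixed "now" for the constructed sample
def sample(name, uac, pwd_age_days, classes=("user",), **extra):
    pls = "0" if pwd_age_days is None else str(to_filetime(NOW - timedelta(days=pwd_age_days)))
    return {"sAMAccountName": name, "objectClass": list(classes),
            "userAccountControl": str(uac), "pwdLastSet": pls, **extra}

SAMPLE_ENTRIES = [  # constructed entries shaped like ldbsearch output, not real directory data
    sample("alice", 512, 400),                                   # enabled, password 400 days old
    sample("bob", 512, 30),                                      # enabled, recent password
    sample("carol", 514, 900),                                   # already disabled: skipped
    sample("dns-dc1", 512, 700, isCriticalSystemObject="TRUE"),  # FSMO DC's dns-* account
    sample("dns-dc2", 512, 700),                                 # other DC's dns-* account, no flag
    sample("dave", 512, None),                                   # pwdLastSet = 0: must change
    sample("ws1$", 4096, 5, classes=("user", "computer")),       # computer object: skipped
]
```

With a 365-day limit, `stale_password_accounts(SAMPLE_ENTRIES, 365, NOW)` returns `['alice', 'dave']`; the two dns-* accounts never reach the age check regardless of the isCriticalSystemObject flag.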