
Re: [Samba] Little strangeness on dns-* account...




On Wed, 19 Dec 2018 09:26:07 +0100
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
> 
> > > > 	isCriticalSystemObject: TRUE
> > > Not sure where that came from, both my dns-* users do not have
> > > that line
> > We probably should add it however.  ;-)
> 
> Can I safely add this?

You could, but it isn't a critical system object. In my view, to be a
critical object, AD will not work without it, but the 'dns-*' users
are only required if you are using Bind9 and my AD DCs work very well
without that line. There is also the problem (from my understanding)
that if you do set the attribute, you will not be able to delete the
user.

> 
> 
> > > No, it wouldn't be a good idea to disable them, not if you want
> > > BIND9_DLZ to work.
> [...]
> > For the list, this account is part of a small attempt to provide
> > some measure of privilege separation between BIND9 and the rest of
> > Samba's AD DC.  
> 
> OK, thanks Andrew and Rowland, I supposed that.
> 
> 
> PS: is it worth firing up a bug report?

Sorry, but I do not think so, unless you mean adding one for 'My dns-*
user has become a system critical object (isCriticalSystemObject: TRUE)'

Rowland
