use of a DNS cache in front of samba4 internal DNS
Marc Muehlfeld
samba at marc-muehlfeld.de
Wed Feb 13 14:25:12 MST 2013
On 13.02.2013 21:25, David Mansfield wrote:
> I have a few followup questions: do you know if this
> configuration can coexist with GSSAPI authentication? I'd like for users
> on the network to be able to single-sign-on (and outside users still
> require password), although given the cleanliness of your approach it
> may be worth sacrificing. I especially like that there are no DNS
> changes, no winbind etc.
I think if you follow my HowTos, you'll lose the single-sign-on
feature, because you will have no Kerberos stuff, etc. in your DMZ.
I'm not a specialist on Kerberos, etc. But I guess if you need this,
then your mailserver needs to be able to connect to service(s) on
your DC.
> Second question, when you have a "connect account" (e.g.
> cn=nslcd-connect,cn=Users,...), how should such an account be
> provisioned so that the privileges are as low as possible?
I just create a new normal user in ADUC (with password never expires!).
I haven't limited this account. It can see everything an authenticated
user can see in the directory. It at least needs access to a
bunch of attributes like objectClass, uidNumber, cn, homeDirectory, etc.
Maybe use an LDAP client like JXplorer and connect with your new user to
your ADC. Then you can easily see if this account sees more than
you want and limit it in ADUC. But be careful and don't break existing
permissions or your complete directory! :-)
Btw. you can also limit the permissions of this user on your openLDAP
proxy with ACLs, too. But then you still have the risk that somebody
who knows the password of this account can connect to your AD directly
from the host where the proxy is running on (because this host must be
allowed to connect to the ldap port on your AD host, so that the proxy
would work).
Regards,
Marc
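The check Marc describes above (bind as the connect account, look at what it can see, then tighten it) can be scripted instead of clicked through in JXplorer. The following is an added example, not part of this thread or of Samba: it parses an LDIF dump such as `ldapsearch -LLL` produces when bound as the connect account and reports which attributes are visible beyond the minimal set nslcd needs, and which of them are password-related. The attribute sets, the entry names and the LDIF text are constructed for the example; adjust `REQUIRED_ATTRS` to your own nslcd mapping.

```python
import base64
from typing import Dict, List

# One LDIF entry: attribute name -> list of values (the "dn" key holds the DN).
Entry = Dict[str, List[str]]

# Assumed minimal set an nslcd connect account needs for POSIX lookups
# (constructed for this example; extend it to match your nslcd.conf mapping).
REQUIRED_ATTRS = {"objectClass", "cn", "sAMAccountName", "uidNumber",
                  "gidNumber", "homeDirectory", "loginShell"}

# Attributes that a read-only lookup account should never be able to see.
SENSITIVE_ATTRS = {"userPassword", "unicodePwd", "supplementalCredentials"}

# Constructed LDIF, standing in for the output of
#   ldapsearch -LLL -H ldap://dc -D 'cn=nslcd-connect,cn=Users,...' -W -b '<base>'
# The userPassword line is deliberate: it shows what a leak would look like.
SAMPLE_LDIF = """\
dn: CN=jdoe,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
cn: jdoe
sAMAccountName: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
description: Test account, visible to
  the connect account
userAccountControl: 512

dn: CN=asmith,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
cn: asmith
sAMAccountName: asmith
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/asmith
loginShell: /bin/bash
userPassword:: c2VjcmV0
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folded lines, base64 ('::') values, blank-line separated entries."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: drop the leading space
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_visibility(entries: List[Entry], required=REQUIRED_ATTRS,
                     sensitive=SENSITIVE_ATTRS) -> Dict[str, List[str]]:
    """Compare the attributes the account could read against the allowed and forbidden sets.

    LDAP attribute names are case-insensitive, so comparison is done on lowercase
    names while the names as returned by the server are reported."""
    seen: Dict[str, str] = {}
    for entry in entries:
        for attr in entry:
            if attr.lower() != "dn":
                seen.setdefault(attr.lower(), attr)
    req = {a.lower() for a in required}
    sens = {a.lower() for a in sensitive}
    return {
        "extra": sorted(seen[a] for a in seen if a not in req),
        "sensitive": sorted(seen[a] for a in seen if a in sens),
        "missing": sorted(a for a in required if a.lower() not in seen),
    }


if __name__ == "__main__":
    report = audit_visibility(parse_ldif(SAMPLE_LDIF))
    for key in ("extra", "sensitive", "missing"):
        print(f"{key:9}: {', '.join(report[key]) or '-'}")
```

Anything listed under `extra` is a candidate for removal in ADUC or for an `access to attrs=...` ACL on the openLDAP proxy; anything under `sensitive` means the account has far more than a lookup account should, and the AD-side permissions, not only the proxy ACL, need fixing, for exactly the reason Marc gives (the proxy host can reach the DC's LDAP port directly).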