use of a DNS cache in front of samba4 internal DNS

Marc Muehlfeld samba at
Wed Feb 13 14:25:12 MST 2013

On 13.02.2013 21:25, David Mansfield wrote:
> I have a few followup questions: do you know if this
> configuration can coexist with GSSAPI authentication? I'd like for users
> on the network to be able to single-sign-on (and outside users still
> require password), although given the cleanliness of your approach it
> may be worth sacrificing.  I especially like that there are no DNS
> changes, no winbind etc.

I think if you follow my HowTos, you'll lose the single-sign-on 
feature, because you will have no kerberos stuff, etc. in your DMZ.

I'm not a specialist on kerberos, etc. But I guess if you need this, 
then your mailserver needs to be able to connect to service(s) on 
your DC.

> Second question, when you have a "connect account" (e.g.
> cn=nslcd-connect,cn=Users,...), how should such an account be
> provisioned so that the privileges are as low as possible?

I just create a new normal user in ADUC (with password never expires!).

I haven't limited this account. It can see everything an authenticated 
user can see in the directory. It at least requires access to a 
bunch of attributes like objectClass, uidNumber, cn, homeDirectory, etc.

Maybe use an LDAP client like JXplorer and connect with your new user to 
your ADC. Then you can easily see if this account sees more than 
you want, and limit it in ADUC. But be careful and don't break existing 
permissions or your complete directory! :-)

Btw. you can also limit the permissions of this user on your openLDAP 
proxy with ACLs. But then there is still the risk that somebody who 
knows the password of this account can connect to your AD directly from 
the host where the proxy is running (because this host must be 
allowed to connect to the LDAP port on your AD host, so that the proxy 
works).
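As an added illustration of the proxy-side ACL idea above (example configuration, not part of the original thread or of Marc's HowTos), here is a slapd.conf fragment for an openLDAP back-ldap proxy that only exposes the attributes nslcd needs. The suffix, DC hostname, the 127.0.0.1 client restriction and the exact attribute list are assumptions; the thread itself only names objectClass, uidNumber, cn and homeDirectory.

```conf
# Added example: openLDAP back-ldap proxy in the DMZ forwarding to the AD DC.
# Assumed names: dc.example.internal, dc=example,dc=com, password CHANGE-ME.

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://dc.example.internal"

# The proxy binds to AD as the "connect account" from the thread.
# mode=none: queries are performed with this identity, no proxy authz.
idassert-bind   bindmethod=simple
                binddn="cn=nslcd-connect,cn=Users,dc=example,dc=com"
                credentials="CHANGE-ME"
                mode=none

# For back-ldap, slapd honours read access on the "entry" pseudo-attribute
# and on attribute values of returned entries, so this whitelist is what
# clients of the proxy can see. Assumption: nslcd runs on the proxy host
# and talks to it via 127.0.0.1. gidNumber/loginShell/sAMAccountName are
# assumed additions to the four attributes named in the thread.
access to attrs=entry,objectClass,cn,sAMAccountName,uidNumber,gidNumber,homeDirectory,loginShell
        by peername.ip=127.0.0.1 read
        by * none

# Everything else (group membership, account flags, etc.) stays hidden.
access to *
        by * none

# Caveat from the thread: these ACLs only restrict clients of the proxy.
# The connect account keeps its full rights on AD, so anyone holding its
# password on this host can still bypass the proxy and query the DC directly.
```

The proxy-side whitelist narrows what reaches the mail host; the account's own rights in AD still have to be reviewed in ADUC as described above.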


More information about the samba-technical mailing list