[Samba] Using AD machine account for ldap queries

Nick t31 at 2thebatcave.com
Sun Sep 20 19:45:50 MDT 2009

Has anyone thus far used the machine account to perform ldap queries
to the active directory ldap server?  Essentially what I am trying to
do is have some cron scripts perform ldap queries to the AD server to
get things like account status and such.  I realize that technically
the AD server can be setup to allow anonymous ldap queries, or a
separate service account could be used.  However due to security
policy constraints in our environment, neither of these can be done.

Therefore what I am trying to do is get ldapsearch or similar to use
the machine account.  I'm guessing the simplest approach would be to
find a way to extract the machine account name and password from
whatever samba database holds it, then pass that directly into
ldapsearch.  Ideally I would just use some sort of samba built-in
utility (to avoid needing to pass the password in via insecure command
line args or environment variables that can potentially be read by
other users on the system), however I can't seem to find anything in
the samba suite that performs that function.


More information about the samba mailing list