[Samba] Using AD machine account for ldap queries
Nick
t31 at 2thebatcave.com
Sat Sep 26 10:12:01 MDT 2009
I finally figured it out and thought I would post back just in case
anyone else cared:
There are actually 2 ways of doing this, probably the easiest is doing
something like:
"net ads search -P '(objectCategory=group)' sAMAccountName"
Another way is generating a keytab using "net ads keytab create" which
should make a MACHINE$@DOMAIN entry in the keytab, after which you can
do:
kinit -k 'MACHINE$@DOMAIN', and then:
ldapsearch -H ldap://domain-controller.domain -b "dc=domain"
'(sAMAccountName=MACHINE$)'
ldapsearch in this case would need to be using SASL and have SASL
GSSAPI support enabled.
On Sun, Sep 20, 2009 at 6:45 PM, Nick <t31 at 2thebatcave.com> wrote:
> Has anyone thus far used the machine account to perform ldap queries
> to the active directory ldap server? Essentially what I am trying to
> do is have some cron scripts perform ldap queries to the AD server to
> get things like account status and such. I realize that technically
> the AD server can be setup to allow anonymous ldap queries, or a
> separate service account could be used. However due to security
> policy constraints in our environment, neither of these can be done.
>
> Therefore what I am trying to do is get ldapsearch or similar to use
> the machine account. I'm guessing the simplest approach would be to
> find a way to extract the machine account name and password from
> whatever samba database holds it, then pass that directly into
> ldapsearch. Ideally I would just use some sort of samba built-in
> utility (to avoid needing to pass the password in via insecure command
> line args or environment variables that can potentially be read by
> other users on the system), however I can't seem to find anything in
> the samba suite that performs that function.
>
> Ideas?
>
More information about the samba
mailing list