[Samba] Using AD machine account for ldap queries

Nick t31 at 2thebatcave.com
Sat Sep 26 10:12:01 MDT 2009


I finally figured it out and thought I would post back just in case
anyone else cared:

There are actually 2 ways of doing this, probably the easiest is doing
something like:

"net ads search -P '(objectCategory=group)' sAMAccountName"

Another way is generating a keytab using "net ads keytab create" which
should make a MACHINE$@DOMAIN entry in the keytab, after which you can
do:

kinit -k 'MACHINE$@DOMAIN'

and then:

ldapsearch -H ldap://domain-controller.domain -b "dc=domain" '(sAMAccountName=MACHINE$)'

ldapsearch in this case would need to be using SASL and have SASL
GSSAPI support enabled.


On Sun, Sep 20, 2009 at 6:45 PM, Nick <t31 at 2thebatcave.com> wrote:
> Has anyone thus far used the machine account to perform ldap queries
> to the active directory ldap server?  Essentially what I am trying to
> do is have some cron scripts perform ldap queries to the AD server to
> get things like account status and such.  I realize that technically
> the AD server can be set up to allow anonymous ldap queries, or a
> separate service account could be used.  However, due to security
> policy constraints in our environment, neither of these can be done.
>
> Therefore what I am trying to do is get ldapsearch or similar to use
> the machine account.  I'm guessing the simplest approach would be to
> find a way to extract the machine account name and password from
> whatever samba database holds it, then pass that directly into
> ldapsearch.  Ideally I would just use some sort of samba built-in
> utility (to avoid needing to pass the password in via insecure command
> line args or environment variables that can potentially be read by
> other users on the system), however I can't seem to find anything in
> the samba suite that performs that function.
>
> Ideas?
>
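The keytab route above, as an added example rather than anything from the list post: it derives the MACHINE$@REALM principal, confirms the keytab created by "net ads keytab create" actually contains it, obtains a ticket with kinit -k and runs a GSSAPI-authenticated ldapsearch, so no password ever appears on a command line or in the environment. The hostname, realm, domain controller and keytab path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the list post): query AD with the Samba machine
# account via the keytab created by "net ads keytab create". Realm, DC and
# keytab path below are assumptions; adjust for your site.
set -eu

# Derive MACHINE$@REALM from a (possibly fully qualified) hostname and a DNS
# domain. Samba stores the machine principal upper-cased, so normalise both.
machine_principal() {
    host=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$host" "$realm"
}

# Check that the keytab really holds the machine principal before using it.
# klist -k lists keytab entries; nothing secret is passed on argv.
keytab_has_principal() {
    keytab=$1; princ=$2
    klist -k -t "$keytab" 2>/dev/null | grep -F -q -- "$princ"
}

# Get a TGT from the keytab into a private cache, run the search, then drop
# the cache. -Y GSSAPI picks the SASL mechanism; -Q silences SASL chatter.
ad_machine_search() {
    keytab=$1; princ=$2; dc=$3; base=$4; filter=$5; shift 5
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_machine.XXXXXX)"
    export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1 || true' EXIT
    kinit -k -t "$keytab" "$princ"
    ldapsearch -LLL -Y GSSAPI -Q -H "ldap://$dc" -b "$base" "$filter" "$@"
}

# Only contact the domain when invoked with --run (assumed realm example.com).
if [ "${1:-}" = "--run" ]; then
    PRINC=$(machine_principal "$(hostname)" "example.com")
    keytab_has_principal /etc/krb5.keytab "$PRINC" ||
        { echo "no keytab entry for $PRINC; run 'net ads keytab create'" >&2; exit 1; }
    ad_machine_search /etc/krb5.keytab "$PRINC" dc1.example.com \
        "dc=example,dc=com" "(objectCategory=group)" sAMAccountName
fi
```

The cron job runs this as the user that can read the keytab (root by default for /etc/krb5.keytab), so the credential never has to be exported to an unprivileged account.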


More information about the samba mailing list