[Samba] Internal DNS logging

Rowland Penny rowlandpenny241155 at gmail.com
Thu Nov 5 10:17:41 UTC 2015 

On 05/11/15 09:55, mathias dufresne wrote:
> Code is like books, or art (painting...). Some guy produce something, as he
> likes, some others use/watch/listen it, as they like. Most of the time
> these two ways are different.
>
> What I mean is it is not because something was not developed to be used in
> some way that way of usage is not a good way of usage.
>
> Perhaps for most of us this is not the right way the OP want to do. Anyway
> it is his way. Who are we to tell what he's doing should not be? I thought
> opensource was more open than the other world.

Samba4 initially used the bind9 flat files way of running, but it didn't 
and couldn't be made to work as an AD DC expects. This is why Samba4 
moved to dlz, a lot needed to be done to get this to work, but it does 
work as expected, ok there are a few minor problems, but I am sure these 
will be fixed in time. I am not saying that the OP cannot use 
flat-files, just that he is on his own there.

>
> Same thing but about SSSD: I was thinking providing to my client same
> behaviour for Linux systems as on Windows systems about local
> administrators of computers (clients). On Windows you can define groups and
> using GPO put some group(s) in client's local "administrators" group. There
> you have people able to manage clients systems without any rights on AD.
> This can be done using LDAP tree and user accounts with UID = 0. SSSD comes
> also with filters to avoid peoples with UID=0 which have no right to
> connect on some systems can connect on these refused systems.
> So I had all I wanted to give my client same way of managing all their
> systems with nominative accounts, to be able to trace a little bit what
> admins do.
> This is not possible because SSSD refuses (hardcoded...) users with UID=0
> to connect on SSSD systems. I was told this is for security reason: SSSD
> through LDAP can, under certain configuration, grant man in the middle
> attack (or something like that).
> The fact is using AD servers are also authenticated, this security reason
> disappear. Not the refusal because devs think what they thought is the only
> to think. I don't.

That is (in my opinion) a stupid way of doing things, every user with 
the UID of 0 raises the potential for an attack, if you want to do this, 
use sudo instead and yes sssd, AD and sudo will play nicely together.

Just because you think something is a good idea doesn't mean it is, but 
nobody is stopping *you* doing things your way, just don't expect 
sympathy if things go wrong.

Rowland
>
>

More information about the samba mailing list