[Samba] Best practice for creating an RO LDAP User in AD...
Marco Gaiarin
gaio at sv.lnf.it
Tue Nov 7 18:24:10 UTC 2017
Hello! Denis Cardon via samba, on that day, wrote:
> You can put your service accounts in an OU and add a GPO that deny
> logon/services/tasks locally.
I'll come back to this shortly.
I've created a 'Restricted' OU and a 'Restricted' group (I'm short on
imagination today ;) and I've created an 'mta' user, both user and group
in the 'Restricted' OU, of course.
And I've added 'mta' to the 'Restricted' group.
Clearly, on a DC, an xID gets assigned to the group:
root@vdcsv1:~# getent group Restricted
LNFFVG\restricted:x:3000026:
but in the same way the 'mta' user gets by default the 'Domain Users' group
(and others, it seems):
root@vdcsv1:~# getent passwd mta
LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
root@vdcsv1:~# id mta
uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)
OK, some questions:
a) does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not a
member of 'Domain Users'? Or after that do I have to re-set all ACLs on my
LDAP objects to allow a non-'Domain Users' member to read LDAP data?
b) if I modify 'primaryGroupID: 513', considering that neither user nor group
has POSIX/rfc2307 data, could that potentially break something? On member
servers?
c) is there some way, apart from ldbmodify, to modify primaryGroupID?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
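As an added example, not taken from Marco's message or from the Samba project: a small set of POSIX shell helpers that check, from `id`-style output, whether an account's primary group is still Domain Users and whether it already holds the intended restricted group, and that emit the LDIF ldbmodify takes to change primaryGroupID. The helpers encode the caveat a practitioner wants here: primaryGroupID stores the target group's RID (the last component of its objectSid), not the xID that getent prints, and AD only accepts the change when the user is already listed as a member of that group. The DN, objectSid and RID in the block are constructed placeholders, and the `id` line is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for reviewing a
# restricted AD service account on a Samba DC. The DN, SID and RID below
# are constructed placeholders, not values from the post.

# Extract the RID (last component) from an objectSid string such as
# S-1-5-21-...-1105. primaryGroupID holds the group's RID, not the
# xID that getent shows.
rid_from_sid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Print the primary group name from an id(1) output line, i.e. the
# name inside the parentheses of the gid= field.
primary_group_from_id() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Return 0 if the id(1) output line lists the given group name
# (primary or supplementary), 1 otherwise. Fixed-string match so the
# backslash in DOMAIN\group is not treated as a regex escape.
id_line_has_group() {
    printf '%s\n' "$1" | grep -qF -- "($2)"
}

# Emit the LDIF that ldbmodify would take to change primaryGroupID.
# AD only accepts the change if the user is already a member of the
# target group (listed in that group's member attribute).
primary_group_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: primaryGroupID\nprimaryGroupID: %s\n' "$1" "$2"
}

# Constructed sample: the id(1) line quoted in the post, plus a
# placeholder objectSid for the 'Restricted' group.
SAMPLE_ID='uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)'
SAMPLE_GROUP_SID='S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder

if [ "$(primary_group_from_id "$SAMPLE_ID")" = 'LNFFVG\domain users' ]; then
    echo "primary group is still Domain Users (RID 513)"
fi
# Only propose the change when the account is already in the target group.
if id_line_has_group "$SAMPLE_ID" 'LNFFVG\restricted'; then
    primary_group_ldif 'CN=mta,OU=Restricted,DC=example,DC=com' "$(rid_from_sid "$SAMPLE_GROUP_SID")"
fi
```

Feed the printed LDIF to `ldbmodify` against the DC's sam.ldb (or over LDAP with `-H`) after replacing the placeholder DN and RID with the real ones; the membership check is the part worth keeping, because the directory rejects a primaryGroupID that points at a group the user is not in.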