[Samba] Best practice for creating an RO LDAP User in AD...

Rowland Penny rpenny at samba.org
Tue Nov 7 18:57:00 UTC 2017


On Tue, 7 Nov 2017 19:24:10 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Denis Cardon via samba
>   on that day said...
> 
> > You can put your service accounts in an OU and add a GPO that deny
> > logon/services/tasks locally.
> 
> Shortly come back.
> 
> I've created a 'Restricted' OU, a 'Restricted' group (I'm short on
> imagination today ;) and I've created an 'mta' user, both user and group
> in the 'Restricted' OU, of course.
> And I've added 'mta' to the 'Restricted' group.
> 
> Clearly, on a DC, an xID gets assigned to the group:
> 
> 	root at vdcsv1:~# getent group Restricted
> 	LNFFVG\restricted:x:3000026:
> 
> but in the same way the 'mta' user gets the 'Domain Users' group by
> default (and others, it seems):
> 
> 	root at vdcsv1:~# getent passwd mta
> 	LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
> 	root at vdcsv1:~# id mta
> 	uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)
> 
> OK, some questions:
> 
> a) does it make sense to modify 'primaryGroupID: 513' so 'mta' is not a
>  member of 'Domain Users'? Or after that do I have to re-set all ACLs on
> my LDAP objects so that a non-'Domain Users' member can read LDAP data?
> 
> b) if I modify 'primaryGroupID: 513', considering that neither the user
>  nor the group have POSIX/rfc2307 data, could it potentially break
> something? On member servers?
> 
> c) is there some way, apart from ldbmodify, to modify primaryGroupID:?
> 
> 
> Thanks.
> 

Not sure what you are proposing is going to work; AD expects every user
to be a member of Domain Users, even though there is nothing in AD to
show membership.
Do you require this user to be visible on all domain machines?
If Windows works like winbind, then it probably won't be.

You can remove the 'mta' group easily by opening idmap.ldb in ldbedit,
finding the object for 'mta' and then changing the 'type' attribute from
'ID_TYPE_BOTH' to 'ID_TYPE_UID'.

It might help if you could explain how you are going to use your new
user 'mta'.

Rowland
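The ldbedit step Rowland describes, done non-interactively so it can be reviewed and repeated: this is an added example, not code from the thread or from the Samba project. It assumes a Samba AD DC where idmap.ldb lives at /var/lib/samba/private/idmap.ldb (override with IDMAP_DB if your build puts it elsewhere), that wbinfo, ldbsearch and ldbmodify are in PATH, and that it is run as root. idmap.ldb keys its sidMap objects by the SID (dn: CN=S-1-5-21-...), so the account name is first resolved to a SID. Note that this only changes the Unix ID mapping of the 'mta' object on the DC; it does not touch primaryGroupID or any AD group membership, which is Rowland's point about Domain Users.

```shell
#!/bin/sh
# Added example: flip one idmap.ldb entry from ID_TYPE_BOTH to ID_TYPE_UID
# without opening the database in ldbedit. Run as root on the DC.
# Assumption: default Debian/Ubuntu path; override with IDMAP_DB=... if needed.
IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"

# Build the LDIF for one sidMap object. Entries in idmap.ldb are named
# "CN=<SID>", so the DN is derived directly from the SID.
make_idmap_ldif() {
    sid="$1"
    printf 'dn: CN=%s\nchangetype: modify\nreplace: type\ntype: ID_TYPE_UID\n' "$sid"
}

# Resolve a domain account name to its SID via winbind; the SID is the
# first field of "wbinfo -n" output.
sid_for_name() {
    wbinfo -n "$1" | awk '{print $1}'
}

# Show the current mapping, keep a backup, apply the change, flush caches,
# and show the result so the change can be verified (or the backup restored).
fix_idmap_type() {
    name="$1"
    sid=$(sid_for_name "$name")
    if [ -z "$sid" ]; then
        echo "cannot resolve $name to a SID" >&2
        return 1
    fi
    echo "== current idmap entry for $name ($sid) =="
    ldbsearch -H "$IDMAP_DB" "(objectSid=$sid)" type xidNumber
    cp -p "$IDMAP_DB" "$IDMAP_DB.bak.$(date +%s)"
    # ldbmodify reads LDIF from stdin when no file argument is given.
    make_idmap_ldif "$sid" | ldbmodify -H "$IDMAP_DB"
    net cache flush
    echo "== idmap entry after change =="
    ldbsearch -H "$IDMAP_DB" "(objectSid=$sid)" type xidNumber
}

# Usage: sh idmap-fix.sh mta
if [ $# -gt 0 ]; then
    fix_idmap_type "$1"
fi
```

The before/after ldbsearch output is worth keeping with the change record: the xidNumber must stay the same (only type changes), and if anything on a member server still expects the old group mapping, the timestamped backup copy is the rollback.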


