[Samba] Best practice for creating an RO LDAP User in AD...

Rowland Penny rpenny at samba.org
Wed Nov 8 09:54:42 UTC 2017


On Wed, 8 Nov 2017 09:49:42 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
> 
> > Not sure what you are proposing is going to work, AD expects every
> > user to be a member of Domain Users, even though there is nothing
> > in AD to show membership. 
> 
> Ah.
> 
> > Do you require this user to visible on all domain machines ?
> [...]
> > It might help if you could explain how you are going to use your new
> > user 'mta'
> 
> No. Probably quoting a message of a month ago does not help...
> 
> I simply need to have some LDAP access to do LDAP queries; this
> 'mta' example is what I need to do email/alias processing in exim.
> 
> 
> Practically, users in the 'Restricted' group do not need to log on nor
> to do anything on the domain, apart from logging into the LDAP and
> doing some ''generic'' queries.
> I set the users in that group a random/complex password and forgot
> about it, but I'm thinking of doing the 'right' thing, lowering the
> account privileges to the minimum.
> 
> It is probably a generic 'Active Directory' question, not a specific
> Samba one, but... I've not found relevant info out there...
> 
> 
> Thanks.
> 

Why don't you do what most people do: use Kerberos. Create the user
with a random password, set the password to never expire, set the user's
shell to /bin/false. Now set exim to use Kerberos (don't ask me how, I
don't use exim).

Rowland
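Rowland's three steps, written out as the samba-tool commands they correspond to. This is an added example, not something posted in the thread: the account name 'mta', the realm EXAMPLE.COM and the keytab path are placeholders, and the keytab export is my assumption about how a service like exim would then authenticate with Kerberos rather than a stored password (the thread itself leaves the exim side open). Setting SAMBA_TOOL=echo previews the commands without touching a DC.

```shell
#!/bin/sh
# Added example (not from the thread): create a read-only LDAP service
# account the way Rowland describes, using samba-tool on a Samba AD DC.
# SAMBA_TOOL can be overridden (e.g. SAMBA_TOOL=echo) to dry-run.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# create_ro_ldap_user USER REALM [KEYTAB]
create_ro_ldap_user() {
    user="$1"
    realm="$2"
    keytab="${3:-}"

    # 1. Create the account with a random password that nobody needs to
    #    know. --login-shell only has an effect where the domain uses
    #    RFC2307 attributes; --description records why the account exists.
    "$SAMBA_TOOL" user create "$user" --random-password \
        --login-shell=/bin/false \
        --description="LDAP read-only service account" || return 1

    # 2. Password never expires, so the random secret is not rotated
    #    out from under the service by the domain password policy.
    "$SAMBA_TOOL" user setexpiry --noexpiry "$user" || return 1

    # 3. Optional (assumption): export a keytab so the service can use
    #    Kerberos instead of keeping a password in its configuration.
    #    Keep the keytab readable only by the service's owner.
    if [ -n "$keytab" ]; then
        "$SAMBA_TOOL" domain exportkeytab "$keytab" \
            --principal="$user@$realm" || return 1
        chmod 600 "$keytab" || return 1
    fi
}

# Usage: ./create_ro_ldap_user.sh mta EXAMPLE.COM /etc/exim4/mta.keytab
if [ "$#" -ge 2 ]; then
    create_ro_ldap_user "$@"
fi
```

The keytab should be owned by the account exim runs as; the AD password itself is never written down anywhere, which is the point of Rowland's "random password, never expires" advice.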