[Samba] Best practice for creating an RO LDAP User in AD...

Andrew Bartlett abartlet at samba.org
Thu Nov 16 21:49:08 UTC 2017


On Thu, 2017-11-09 at 11:08 +0100, Marco Gaiarin via samba wrote:
> Greetings! L.P.H. van Belle via samba
>   on that day was saying...
> 
> > I don't believe it.
> 
> Eh. «There's no accounting for taste». ;-)
> 
> 
> > The setup for the AD in the link below is the same, but if you want access without auth,
> > have you tried to query the GC ports (3268 or 3269)?
> 
> No, but now yes, and it does not work:

Yes, GC is just as restricted as the normal ports, just read-only and
covering the full forest (if we had forest support, which we do not). 

> 
> > And read:
> > https://technet.microsoft.com/en-us/library/cc961563.aspx
> > That should work, haven't tried it myself to be honest, don't use it..
> 
> Interesting. But it scares me a bit. In this way, can I put the password
> hashes under anonymous access too?

I'm not sure what you mean here exactly, but do avoid anonymous access
if at all possible.

That said, password hashes are never exposed over LDAP.

> Really, as far as I've understood, the ACLs in AD are a complex beast, and
> breaking things, or making some restricted info available to all by
> mistake, seems too easy...
> 
> 
> So, if I open the ACL to 'Everyone', do I have to set other ACLs to restrict, e.g.,
> passwords?

A normal user would be able to read what you need; I wouldn't go about
changing the defaults.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
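The advice above (use a normal, dedicated bind user rather than opening ACLs to Everyone, and expect the GC ports to be just as restricted as 389) can be checked from the client side. The script below is an added example, not from the thread or the Samba project; DC_HOST, BASE_DN and RO_USER are placeholder assumptions, and the live checks need ldapsearch and a reachable DC.

```shell
#!/bin/sh
# Added example: verify that anonymous reads are refused and that a dedicated
# read-only account sees directory data but no password-bearing attributes.
DC_HOST="${DC_HOST:-dc1.example.internal}"        # assumption: your DC
BASE_DN="${BASE_DN:-DC=example,DC=internal}"      # assumption: your domain DN
RO_USER="${RO_USER:-ldap-ro@example.internal}"    # assumption: plain, unprivileged user

# Attributes that hold password material. AD and Samba never return these over
# LDAP; check_ldif confirms that for the account the client actually binds as.
SECRET_ATTRS="unicodePwd dBCSPwd supplementalCredentials ntPwdHistory lmPwdHistory"

# check_ldif: read LDIF on stdin; return 1 if any secret attribute is present.
check_ldif() {
  ldif=$(cat)
  for attr in $SECRET_ATTRS; do
    if printf '%s\n' "$ldif" | grep -qi "^$attr:"; then
      echo "FAIL: $attr returned to the read-only client" >&2
      return 1
    fi
  done
  return 0
}

# ro_search PORT: authenticated search as the read-only user. 389/636 is the
# domain partition; 3268/3269 is the global catalog (same ACLs, read-only).
# '*' requests every readable attribute so the audit sees all that leaks;
# a real client should request only the attributes it needs.
ro_search() {
  ldapsearch -x -LLL -H "ldap://$DC_HOST:$1" -D "$RO_USER" -W \
    -b "$BASE_DN" '(objectClass=user)' '*'
}

# anon_refused PORT: succeed only if an anonymous search is rejected
# (AD answers anonymous reads below the rootDSE with an error).
anon_refused() {
  ! ldapsearch -x -LLL -H "ldap://$DC_HOST:$1" -b "$BASE_DN" \
      '(objectClass=user)' dn >/dev/null 2>&1
}

# run_checks: live check against both the domain port and the GC port.
run_checks() {
  for port in 389 3268; do
    anon_refused "$port" || { echo "anonymous read allowed on $port" >&2; return 1; }
    ro_search "$port" | check_ldif || return 1
  done
  echo "OK: anonymous refused; $RO_USER reads no password attributes"
}

if [ "${1:-}" = run ]; then run_checks; fi
```

Run it as `sh check_ro_bind.sh run`; ldapsearch prompts for the read-only user's password.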