[Samba] Little strangeness on dns-* account...
Rowland Penny
rpenny at samba.org
Tue Dec 18 18:50:21 UTC 2018
On Tue, 18 Dec 2018 19:13:16 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> I've set up a script that scans the non-disabled user base, base query:
>
> (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> and for every user I check the 'last password change' data value,
> doing something (eg, disabling it ;-) if it is too far back.
>
> I've found that my script also gets some 'dns-*' accounts; looking at
> the data I've found that the account associated with the DC with FSMO
> roles (and the DC where I first deployed the domain) has:
>
> isCriticalSystemObject: TRUE
Not sure where that came from, both my dns-* users do not have that line
>
> while all the other DCs do NOT, so the query:
>
> (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> works as expected, but filters out only the dns-* account of the FSMO
> roles DC, not the other DCs.
>
>
> Googling a bit, it seems that it is safer NOT to change this attribute.
>
>
> Supposing that disabling the dns-* accounts is not such a good idea,
> how can I filter those accounts? Only by the 'dns-*' name?
No, it wouldn't be a good idea to disable them, not if you want
BIND9_DLZ to work.
You do not say what language you have written the script in (Bash,
Python, etc), but couldn't you add something like this (for bash):
if [[ "$username" == dns-* ]]; then
    continue   # skip this one and move on to the next user in the loop
fi
Or whatever the script language uses.
Rowland
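As an added example (not code from the thread or from Samba itself), here is a Python version of the check the script in the thread performs, with the dns-* name guard and the isCriticalSystemObject guard built in. It assumes the entries are dicts the caller built from ldbsearch or samba-tool output, that the last password change is read from the AD attribute pwdLastSet (a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC), and the sample entries are constructed.

```python
# Added example, not code from the thread: the check the script above runs, with
# the dns-* and isCriticalSystemObject guards built in. Assumed: entries are dicts
# built from ldbsearch/samba-tool output; pwdLastSet is a Windows FILETIME.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2  # the userAccountControl bit the LDAP filter tests

def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def is_protected(entry: dict) -> bool:
    """Accounts to leave alone: dns-* (BIND9_DLZ), critical objects, disabled."""
    if entry.get("sAMAccountName", "").lower().startswith("dns-"):
        return True
    if str(entry.get("isCriticalSystemObject", "")).upper() == "TRUE":
        return True
    return int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE != 0

def stale_accounts(entries, max_age_days: int, now: datetime) -> list:
    """sAMAccountNames whose last password change is older than max_age_days.
    pwdLastSet == 0 means 'must change at next logon' and is reported too."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for e in entries:
        if is_protected(e):
            continue
        pwd_last_set = int(e.get("pwdLastSet", 0))
        if pwd_last_set == 0 or filetime_to_datetime(pwd_last_set) < cutoff:
            stale.append(e["sAMAccountName"])
    return stale

def ft(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used to build the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

# Constructed sample entries, not real directory data.
NOW = datetime(2018, 12, 18, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "pwdLastSet": ft(NOW - timedelta(days=30))},
    {"sAMAccountName": "bob", "userAccountControl": 512, "pwdLastSet": ft(NOW - timedelta(days=400))},
    {"sAMAccountName": "dns-dc1", "userAccountControl": 512, "pwdLastSet": 0, "isCriticalSystemObject": "TRUE"},
    {"sAMAccountName": "dns-dc2", "userAccountControl": 512, "pwdLastSet": 0},
    {"sAMAccountName": "carol", "userAccountControl": 514, "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(stale_accounts(SAMPLE, 180, NOW))  # ['bob']
```

Only the dns-* account without isCriticalSystemObject (dns-dc2) would have slipped through the LDAP filter alone; the name guard catches it regardless of which DC it belongs to.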