[Samba] Little strangeness on dns-* account...

Rowland Penny rpenny at samba.org
Tue Dec 18 18:50:21 UTC 2018

On Tue, 18 Dec 2018 19:13:16 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I've set up a script that scans the non-disabled user base; the base query is:
> 	(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> and for every user I check the 'last password change' data value,
> doing something (e.g., disabling it ;-) if it is too far in the past.
> I've found that my script also gets some 'dns-*' accounts; looking at
> the data, I've found that the account associated with the DC holding the FSMO
> roles (and the DC where I first deployed the domain) has:
> 	isCriticalSystemObject: TRUE

Not sure where that came from; neither of my dns-* users has that line.

> while all the other DCs do not, so the query:
> 	(&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> works as expected, but filters out only the dns-* account of the DC with the FSMO
> roles, not those of the other DCs.
> Googling a bit, it seems that it is safer NOT to change this
> attribute.
> Supposing that disabling the dns-* accounts is not such a good idea,
> how can I filter out those accounts? Only by the 'dns-*' name?

No, it wouldn't be a good idea to disable them, not if you want
BIND9_DLZ to work.

You do not say what language you have written the script in (Bash,
Python, etc), but couldn't you add something like this (for bash):

if [[ "$username" == dns-* ]]; then
    continue    # skip the dns-* account and go on to the next user
fi
Or whatever the script language uses.
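As an added example (not Marco's script and not Samba's own code), the following Python puts the whole procedure from this thread together: the original LDAP filter, the userAccountControl disabled-bit test, conversion of pwdLastSet (a Windows FILETIME) into a password age, and the dns-* exclusion by name, since, as the thread shows, isCriticalSystemObject is not set on every dns-* account. It runs offline against constructed sample entries in the shape ldbsearch/ldapsearch return; the fixed NOW timestamp and the _entry() helper are assumptions made only to keep the example reproducible. It also extends the query so the server excludes dns-* names and fresh passwords itself, which the thread does not show.

```python
"""Stale-password scan over Samba AD user entries that skips the dns-* accounts.

Added example (not Marco's script, not Samba code). Works on constructed
sample entries shaped like ldbsearch/ldapsearch output: one dict per entry,
attribute name -> string or list of strings.
"""
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x2          # the userAccountControl bit tested by the LDAP filter
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Hypothetical fixed "now" (the thread's date) so the example is reproducible.
NOW = datetime(2018, 12, 18, 18, 50, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(ft) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used for sample data and server-side cutoffs."""
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def ldap_filter(max_age_days, now=NOW):
    """The thread's query, extended so the server drops dns-* names and fresh passwords.

    pwdLastSet=0 ("must change at next logon") also matches the <= cutoff, which is
    what you want when hunting for accounts without a current password.
    """
    cutoff = datetime_to_filetime(now - timedelta(days=max_age_days))
    return ("(&(objectClass=user)(!(objectClass=computer))"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            "(!(sAMAccountName=dns-*))"
            f"(pwdLastSet<={cutoff}))")


def is_disabled(entry):
    return int(entry.get("userAccountControl", "0")) & UF_ACCOUNTDISABLE != 0


def is_protected(entry):
    """Skip the BIND9_DLZ dns-<DC> accounts by name: isCriticalSystemObject is not
    set on all of them, so the name is the reliable test. Anything that does carry
    isCriticalSystemObject=TRUE is skipped as well."""
    name = entry.get("sAMAccountName", "")
    if name.lower().startswith("dns-"):
        return True
    return str(entry.get("isCriticalSystemObject", "FALSE")).upper() == "TRUE"


def stale_users(entries, max_age_days, now=NOW):
    """Return [(sAMAccountName, age_in_days_or_None)] for enabled, non-computer user
    accounts whose password is older than max_age_days or was never set."""
    stale = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "user" not in classes or "computer" in classes:
            continue
        if is_disabled(e) or is_protected(e):
            continue
        pwd_last_set = int(e.get("pwdLastSet", "0"))
        if pwd_last_set == 0:
            stale.append((e["sAMAccountName"], None))   # never set / must change at next logon
            continue
        age = now - filetime_to_datetime(pwd_last_set)
        if age > timedelta(days=max_age_days):
            stale.append((e["sAMAccountName"], age.days))
    return stale


def _entry(name, days_ago, uac="512",
           classes=("top", "person", "organizationalPerson", "user"), **extra):
    """Build a constructed sample entry; days_ago=None leaves pwdLastSet at 0."""
    pwd = "0" if days_ago is None else str(datetime_to_filetime(NOW - timedelta(days=days_ago)))
    e = {"sAMAccountName": name, "objectClass": list(classes),
         "userAccountControl": uac, "pwdLastSet": pwd}
    e.update(extra)
    return e


# Constructed sample directory contents (not real data).
SAMPLE_ENTRIES = [
    _entry("alice", 200),                                   # stale: 200 days old
    _entry("bob", 30),                                      # fresh
    _entry("carol", 400, uac="514"),                        # already disabled: ignored
    _entry("dns-dc1", 700, isCriticalSystemObject="TRUE"),  # FSMO DC's dns account
    _entry("dns-dc2", 700),                                 # second DC's dns account, no flag
    _entry("DC1$", 10, uac="532480",
           classes=("top", "person", "organizationalPerson", "user", "computer")),
    _entry("dave", None),                                   # pwdLastSet=0
]

if __name__ == "__main__":
    print(ldap_filter(90))
    for name, age in stale_users(SAMPLE_ENTRIES, 90):
        detail = "password never set" if age is None else f"password {age} days old"
        print(f"{name}: {detail}")
```

Running it with a 90-day limit reports alice and dave; both dns-* accounts, the disabled carol and the DC1$ computer account are left alone. Whether the name check or the server-side `(!(sAMAccountName=dns-*))` clause does the excluding, keep the client-side test as well, so a script pointed at a query without that clause still cannot disable the accounts BIND9_DLZ needs.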

