[Samba] Little strangeness on dns-* account...
Andrew Bartlett
abartlet at samba.org
Tue Dec 18 19:00:09 UTC 2018
On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote:
> On Tue, 18 Dec 2018 19:13:16 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > I've setup a script that scan non-disabled user base, base query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(userAccountCont
> > rol:1.2.840.113556.1.4.803:=2)))
> >
> > and for every user i check the 'last password change' data value,
> > doing some thing (eg, disabling it ;-) if it is too far.
> >
> > I've found that my script get also some 'dns-*' account; looking at
> > data i've found that the account associated with the DC with FSMO
> > roles (and the dc where i've firstly deployed the domain) have:
> >
> > isCriticalSystemObject: TRUE
> Not sure where that came from, both my dns-* users do not have that
> line
We probably should add it however. ;-)
> >
> >
> > while all the other DC NO, so the query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSyste
> > mObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> >
> > work as expected, but filter out only the dns-* account of the FSMO
> > roles DC, not the other DC.
> >
> >
> > Googling a bit seems that this attribute it is safer NOT to be
> > changed.
> >
> >
> > Supposing that disabling the dns-* account it is not a so good
> > idea,
> > how can i filter that account? Only by 'dns-*' name?
> No, it wouldn't be good idea to disable them, not if you want
> BIND9_DLZ to work.
Yeah.
For the list, this account is part of a small attempt to provide some
measure of privilege separation between BIND9 and the rest of Samba's
AD DC.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list