[Samba] Little strangeness on dns-* account...

Rowland Penny rpenny at samba.org
Wed Dec 19 08:40:05 UTC 2018


On Wed, 19 Dec 2018 09:26:07 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
> 
> > > > 	isCriticalSystemObject: TRUE
> > > Not sure where that came from, both my dns-* users do not have
> > > that line
> > We probably should add it however.  ;-)
> 
> Can I safely add this?

You could, but it isn't a critical system object. In my view, to be a
critical object, AD will not work without it, but the 'dns-*' users
are only required if you are using Bind9 and my AD DCs work very well
without that line. There is also the problem (from my understanding)
that if you do set the attribute, you will not be able to delete the
user.

> 
> 
> > > No, it wouldn't be good idea to disable them, not if you want
> > > BIND9_DLZ to work.
> [...]
> > For the list, this account is part of a small attempt to provide
> > some measure of privilege separation between BIND9 and the rest of
> > Samba's AD DC.  
> 
> Ok, thanks Andrew and Rowland, I supposed that.
> 
> 
> PS: is it worth firing up a bug report?

Sorry, but I do not think so, unless you mean adding one for 'My dns-*
user has become a system critical object (isCriticalSystemObject: TRUE)'

Rowland


