[Samba] Little strangeness on dns-* account...

L.P.H. van Belle belle at bazuin.nl
Wed Dec 19 09:43:46 UTC 2018


The dns-COMPUTER-NAME "user" contains the DNS SPN, so be very careful here and don't remove this user.

Normally, you would have expected to have the DNS SPN on the server object in the AD.
So IMO yes, a small bug, but as Andrew said, this is intended.

Adding:
  isCriticalSystemObject: TRUE
should not be needed.

What I would do here is use the description field ("DNS Service Account for ...")
and filter out all "*Service Account*".

Simple and easy to track, and it changes nothing in the base.
If you have more accounts to filter out, just add "Service Account" to the description.


Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 19 December 2018 9:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Little strangeness on dns-* account...
> 
> On Wed, 19 Dec 2018 09:26:07 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> > Greetings! Andrew Bartlett via samba
> >   On that day it was said...
> > 
> > > > > 	isCriticalSystemObject: TRUE
> > > > Not sure where that came from, both my dns-* users do not have
> > > > that line
> > > We probably should add it however.  ;-)
> > 
> > Can i safely add this?
> 
> You could, but it isn't a critical system object. In my view, to be a
> critical object, AD will not work without it, but the 'dns-*' users
> are only required if you are using Bind9 and my AD DCs work very well
> without that line. There is also the problem (from my understanding)
> that if you do set the attribute, you will not be able to delete the
> user.
> 
> > 
> > 
> > > > No, it wouldn't be good idea to disable them, not if you want
> > > > BIND9_DLZ to work.
> > [...]
> > > For the list, this account is part of a small attempt to provide
> > > some measure of privilege separation between BIND9 and the rest of
> > > Samba's AD DC.  
> > 
> > Ok, thanks andrew and rowland, i supposed that.
> > 
> > 
> > PS: it is worth to fire up a bugreport?
> 
> Sorry, but I do not think so, unless you mean adding one for 'My dns-*
> user has become a system critical object 
> (isCriticalSystemObject: TRUE)'
> 
> Rowland
> 
> 
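Louis's suggestion above (tag the dns-* account through its description field and filter on "*Service Account*"), worked through as an added shell example; this is not code from the thread or from Samba. It assumes the default sam.ldb location, a base DN of DC=example,DC=com, a DC named DC1, and Samba's ldbmodify/ldbsearch tools; the ldbsearch-style records at the bottom are constructed sample data, not output from a real DC.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Assumed site values:
# adjust SAM_DB, BASE_DN and the DC name to match your domain.
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# LDIF that only sets the description on the dns-<DC> account.
# The account itself, its password and its DNS SPN are left untouched.
dns_account_ldif() {
    printf 'dn: CN=dns-%s,CN=Users,%s\n' "$1" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'replace: description\n'
    printf 'description: DNS Service Account for %s (BIND9_DLZ)\n' "$1"
    printf -- '-\n'
}

# Apply the LDIF on the DC (writing sam.ldb needs root).
tag_dns_account() {
    dns_account_ldif "$1" | ldbmodify -H "$SAM_DB"
}

# LDAP filter matching every account tagged this way, whatever it is for.
service_account_filter() {
    printf '%s' '(&(objectClass=user)(description=*Service Account*))'
}

# List the tagged accounts from the live database.
list_service_accounts() {
    ldbsearch -H "$SAM_DB" -b "$BASE_DN" "$(service_account_filter)" \
        sAMAccountName description
}

# Offline variant for scripts that already have ldbsearch output: read
# blank-line separated records on stdin and print the sAMAccountName of
# every record whose description contains "Service Account".
filter_service_accounts() {
    awk '
        /^sAMAccountName:/ { name = $2 }
        /^description:/ && index($0, "Service Account") > 0 { svc = 1 }
        /^$/ { if (svc && name != "") print name; name = ""; svc = 0 }
        END  { if (svc && name != "") print name }
    '
}

# Constructed sample records in ldbsearch format (not real DC output).
sample_ldb_output() {
cat <<'EOF'
dn: CN=dns-DC1,CN=Users,DC=example,DC=com
sAMAccountName: dns-DC1
description: DNS Service Account for DC1 (BIND9_DLZ)

dn: CN=Louis,CN=Users,DC=example,DC=com
sAMAccountName: louis
description: Sysadmin

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
description: Backup Service Account
EOF
}

# Run the offline filter over the sample: prints dns-DC1 and svc-backup.
demo() {
    sample_ldb_output | filter_service_accounts
}
```

On a DC you would run tag_dns_account DC1 once per domain controller that runs BIND9_DLZ, then exclude the result of list_service_accounts from whatever user report or cleanup job was tripping over the dns-* account; the same description tag covers other service accounts without any schema change.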



