[Samba] Little strangeness on dns-* account...
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 19 09:43:46 UTC 2018
The dns-COMPUTER-NAME "user" contains the dns/SPN, so be very careful here and don't remove this user.
Normally, you would have expected to have the DNS/SPN on the serverObject in the AD.
So imo yes, a small bug, but as Andrew said, this is intended.
Adding: isCriticalSystemObject: TRUE
should not be needed.
What I would do here is use the description field. ( DNS Service Account for .... )
Filter out all "*Service Account*"
Simple and easy to track, and it changes nothing in the base.
If you have more accounts to filter out, just add: Service Account in the description.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 19 December 2018 9:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Little strangeness on dns-* account...
> On Wed, 19 Dec 2018 09:26:07 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> > Hello! Andrew Bartlett via samba
> > On that day it was said...
> > > > > isCriticalSystemObject: TRUE
> > > > Not sure where that came from, both my dns-* users do not have
> > > > that line
> > > We probably should add it however. ;-)
> > Can i safely add this?
> You could, but it isn't a critical system object. In my view, to be a
> critical object, AD will not work without it, but the 'dns-*' users
> are only required if you are using Bind9 and my AD DCs work very well
> without that line. There is also the problem (from my understanding)
> that if you do set the attribute, you will not be able to delete the
> > > > No, it wouldn't be good idea to disable them, not if you want
> > > > BIND9_DLZ to work.
> > [...]
> > > For the list, this account is part of a small attempt to provide
> > > some measure of privilege separation between BIND9 and the rest of
> > > Samba's AD DC.
> > Ok, thanks Andrew and Rowland, I supposed that.
> > PS: is it worth firing up a bug report?
> Sorry, but I do not think so, unless you mean adding one for 'My dns-*
> user has become a system critical object
> (isCriticalSystemObject: TRUE)'
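Added example, not part of the original message: one way to apply the description-based filtering suggested at the top of this message to an account listing, and to report any dns-* account that has not been marked yet. The LDIF records, the example.com names and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample in the style of ldbsearch/LDIF output (not real data).
SAMPLE_LDIF = """\
dn: CN=dns-dc1,CN=Users,DC=example,DC=com
sAMAccountName: dns-dc1
servicePrincipalName: DNS/dc1.example.com
description: DNS Service Account for dc1

dn: CN=backup,CN=Users,DC=example,DC=com
sAMAccountName: backup
description: Backup service account

dn: CN=dns-dc2,CN=Users,DC=example,DC=com
sAMAccountName: dns-dc2
servicePrincipalName: DNS/dc2.example.com

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
description: Finance
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF records (no base64, no line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def is_marked(entry, pattern="*service account*"):
    """True if any description value matches the marker, case-insensitively."""
    return any(fnmatch.fnmatchcase(d.lower(), pattern) for d in entry.get("description", []))

def split_accounts(entries):
    """Return (regular users, dns-* accounts still missing the marker)."""
    regular, unmarked_dns = [], []
    for e in entries:
        name = e["sAMAccountName"][0]
        if is_marked(e):
            continue  # filtered out as a service account
        if name.lower().startswith("dns-"):
            unmarked_dns.append(name)  # holds the DNS SPN; mark it, never delete
        else:
            regular.append(name)
    return regular, unmarked_dns
```

On the constructed sample, `split_accounts(parse_ldif(SAMPLE_LDIF))` leaves only `alice` as a regular user and reports `dns-dc2` as a dns-* account whose description still needs the marker.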