[Samba] Little strangeness on dns-* account...
Rowland Penny
rpenny at samba.org
Wed Dec 19 10:29:03 UTC 2018
On Wed, 19 Dec 2018 10:43:46 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> The dns-COMPUTER-NAME "user" contains the dns/SPN so be very careful
> here and don't remove this user.
>
> Normally, you would have expected to have the DNS/spn on the
> serverObject in the AD. So imo yes, a small bug, but as Andrew told
> this is intended.
>
> Adding : isCriticalSystemObject: TRUE
> Should not be needed.
>
> What I would do here is, use the description field. ( DNS Service
> Account for .... ) Filter out all "*Service Account*"
>
> Simple and easy to track and it changes nothing in the base..
> You have more accounts to filter out, just add : Service Account in
> the description.
>
>
Even easier than that ;-)
It's all in the filter:
ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=user)(objectcategory=person)(!(objectclass=computer))(!(servicePrincipalName=DNS/*.$(hostname -d))))" | grep '[n]ame'
The above is all one line and should be adapted for your ldap suffix.
Rowland
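As an added example (not Rowland's code or Samba's), the same selection logic as the ldbsearch filter above, applied offline in Python to constructed LDIF records shaped like ldbsearch output, so you can see the dns-* account drop out while an ordinary user stays. SAMPLE_LDIF, parse_ldif, matches_filter and plain_user_names are names chosen here, and the domain argument stands in for $(hostname -d).

```python
import fnmatch
# Constructed LDIF shaped like ldbsearch output; every value here is made up.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
name: Administrator

dn: CN=dns-dc1,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
name: dns-dc1
servicePrincipalName: DNS/dc1.samdom.example.com

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
name: DC1
servicePrincipalName: HOST/dc1.samdom.example.com
"""

def parse_ldif(text):
    # One dict per record; attribute names lowercased, values kept in lists
    # because objectClass and servicePrincipalName are multi-valued.
    entries, current = [], {}
    for line in (text.rstrip("\n") + "\n\n").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def matches_filter(entry, domain="samdom.example.com"):
    # Same conditions as the thread's filter, with <domain> for $(hostname -d);
    # objectCategory=person is approximated by the category DN's first RDN.
    classes = {c.lower() for c in entry.get("objectclass", [])}
    category = entry.get("objectcategory", [""])[0].lower()
    pattern = f"dns/*.{domain.lower()}"
    return ("user" in classes and category.startswith("cn=person,")
            and "computer" not in classes
            and not any(fnmatch.fnmatch(s.lower(), pattern)
                        for s in entry.get("serviceprincipalname", [])))

def plain_user_names(ldif_text=SAMPLE_LDIF, domain="samdom.example.com"):
    # Equivalent of piping the matching records through grep '[n]ame'.
    return [e["name"][0] for e in parse_ldif(ldif_text) if matches_filter(e, domain)]
```

Passing a different domain shows why the filter is tied to $(hostname -d): the dns-dc1 account is only excluded when its SPN ends in the same DNS domain.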