[Samba] Restrict ldap queries on LDB

Rowland Penny rpenny at samba.org
Wed Dec 22 15:01:55 UTC 2021


On Wed, 2021-12-22 at 14:13 +0000, Jon Gerdes via samba wrote:
> On Wed, 2021-12-22 at 04:23 -0300, Sergio Belkin via samba wrote:
> > Hi,
> > If I run something like:
> > 
> >   ldapsearch -b dc=EXAMPLE,dc=com -D "CN=test,CN=Users,DC=example,DC=com" \
> >     -ZZ -LLL -H ldap://ldap.example.com -W
> > 
> > I get almost everything about other users (test is an ordinary user).
> > For example, that user can obtain fields such as:
> > 
> > dn, objectClass, objectClass, objectClass, objectClass, sn, instanceType,
> > whenCreated, uSNCreated, company, objectGUID, badPwdCount, codePage,
> > countryCode, badPasswordTime, lastLogoff, primaryGroupID, objectSid,
> > accountExpires, sAMAccountName, sAMAccountType, userPrincipalName,
> > objectCategory, mail, pwdLastSet, userAccountControl, memberOf, cn, name,
> > givenName, displayName, lastLogonTimestamp, whenChanged, uSNChanged,
> > lastLogon, logonCount, distinguishedName
> > 
> > Please could you help me to restrict the queries? I'd like every
> > non-Administrator user to be able to get only some attributes, not
> > everything. How can I do that using LDB; is that possible?
> > Thanks in advance!
> > 
> > -- 
> > --
> > Sergio Belkin
> > LPIC-2 Certified - http://www.lpi.org
> 
> Sergio
> 
> By default, membership of "Domain Users", which is in turn a member of
> Builtin\Users, grants quite a lot of permissions. That is why you see a
> lot of information. You can change the default ACLs in your domain but I
> really don't recommend it.
> 
> A better way is to create a new account to test with and a new group
> which you put the test account in, and remove it from Domain Users. Add
> ACLs to the group until you get what you need. Be sure to test
> absolutely everything - a pretty huge job! Now you can move your users
> into your new group in batches and remove them from Domain Users.
> 
> Another way is to copy your Domain Users group to a new group and use
> that as a starting point. You then work in the opposite way, by removing
> rights from the new group instead of adding them to a blank new group.
> This is still a pretty big job and will need a lot of testing.
> 
> Windows works in mysterious ways and so does Samba, so be careful when
> playing with security ACLs. Please document your changes and check your
> backups.
> 
> Cheers
> Jon

Good luck with trying to stop your users searching AD. You could try as
above, but you should be aware that you can search AD using the
computer's Kerberos key.

Rowland
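The testing step Jon describes (add or remove ACLs on the restricted group,
re-run the search as the test account, look at what comes back) is far less
error-prone if the ldapsearch output is diffed against an allowlist instead
of read by eye. The script below is an added example written for this
thread; it is not code from Sergio, Jon, Rowland or the Samba project. It
parses the LDIF that "ldapsearch -LLL" prints, including folded continuation
lines and the base64 "::" values that objectSid and objectGUID come back
as, and reports every attribute each entry exposes beyond the set you intend
ordinary users to see. The allowlist, the file name, the search filter and
the embedded sample LDIF are assumptions constructed for the example. On a
real domain, run Sergio's search as the test user and feed the file in:

    ldapsearch -LLL -ZZ -H ldap://ldap.example.com \
        -D "CN=test,CN=Users,DC=example,DC=com" -W \
        -b "DC=example,DC=com" "(objectClass=user)" > as-test-user.ldif
    python3 ldif_attr_check.py as-test-user.ldif

```python
"""Report the attributes a non-admin LDAP bind can still read from Samba AD.

Added example, not from the thread or from Samba. Feed it the LDIF that
ldapsearch -LLL writes when run as the test user; with no argument it runs
on the constructed sample below.
"""
import base64
import sys
from typing import Dict, List

# Attributes ordinary users are meant to see: an assumption for this example.
ALLOWED = {"objectClass", "cn", "sn", "givenName", "displayName",
           "mail", "sAMAccountName"}

# Constructed sample of ldapsearch -LLL output (not a real capture). It shows
# two LDIF details a line-oriented grep gets wrong: a value folded onto a
# continuation line (leading space) and a base64 value marked with '::'.
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test
sn: User
sAMAccountName: test
userPrincipalName: test@example.com
mail: test@example.com
badPwdCount: 0
pwdLastSet: 132841552000000000
userAccountControl: 512
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA6QMAAA==
description: folded value continues on the next li
 ne

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Users
sAMAccountName: Domain Users
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF records into {attribute: [values]} dicts: unfolds continuation
    lines and decodes '::' base64 values (binary ones come back as hex)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line:                               # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):                   # base64-encoded value
            raw_bytes = base64.b64decode(rest[1:].strip())
            try:
                value = raw_bytes.decode("utf-8")
            except UnicodeDecodeError:             # binary (objectSid, objectGUID)
                value = raw_bytes.hex()
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def extra_attributes(entries: List[Dict[str, List[str]]],
                     allowed) -> Dict[str, List[str]]:
    """Map each DN to the attributes it exposes beyond `allowed`.
    Names are compared case-insensitively, as LDAP does."""
    allowed_lc = {a.lower() for a in allowed} | {"dn"}
    leaks: Dict[str, List[str]] = {}
    for entry in entries:
        extra = sorted((a for a in entry if a.lower() not in allowed_lc),
                       key=str.lower)
        if extra:
            leaks[entry["dn"][0]] = extra
    return leaks


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    leaks = extra_attributes(parse_ldif(text), ALLOWED)
    for dn, attrs in leaks.items():
        print(f"{dn}\n  exposes: {', '.join(attrs)}")
    sys.exit(1 if leaks else 0)                    # non-zero while anything leaks
```

The exit status is non-zero while any entry still exposes something outside
the allowlist, so the script can sit in a loop after each ACL change. It
only tells you what the principal you bound as can see; Rowland's point
stands, so a machine account binding with its own Kerberos key is a separate
principal and has to be checked with its own search.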
