Marco Gaiarin
2017-Oct-19 13:45 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Coming from Samba in NT mode with OpenLDAP backend I've created a bunch of ''things'' (apps, web tools, ...; but also printers and so on) that rely on reading ''public'' data in LDAP.

With OpenLDAP ''public'' was an easy concept: anonymous access was the default, and ACLs protected the more sensitive data (mostly, passwords).

Now I have to redo some of these things in AD. I don't need to enable public access (if possible...), so I think the better path would be creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID, which are not needed) with a complex password.

Are there some ''best practices'' for that?

I'm thinking about:

a) create the user in a specific OU

b) put it in the 'Domain Guests' group (or is it better to create a specific group as well?)

c) set the account 'never expire' ('X') flag.

Some other hint? For example, is there some way to disable logon for the user, but have LDAP auth work as expected?

Thanks.

-- 
dott. Marco Gaiarin                                        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Denis Cardon
2017-Oct-19 17:19 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hi Marco,

> Coming from Samba in NT mode with OpenLDAP backend I've created a bunch
> of ''things'' (apps, web tools, ...; but also printers and so on) that
> rely on reading ''public'' data in LDAP.
>
> With OpenLDAP ''public'' was an easy concept: anonymous access was
> the default, and ACLs protected the more sensitive data (mostly, passwords).
>
> Now I have to redo some of these things in AD. I don't need to enable
> public access (if possible...), so I think the better path would be
> creating an ''unprivileged user'' (with no POSIX data, e.g. GID/UID, which
> are not needed) with a complex password.
>
> Are there some ''best practices'' for that?
>
> I'm thinking about:
>
> a) create the user in a specific OU
>
> b) put it in the 'Domain Guests' group (or is it better to create a
> specific group as well?)
>
> c) set the account 'never expire' ('X') flag.
>
> Some other hint? For example, is there some way to disable logon for the
> user, but have LDAP auth work as expected?

You can put your service accounts in an OU and add a GPO that denies logon/services/tasks locally.

If you are using those accounts on a Windows computer, you could use managed accounts [1] (I haven't tried it yet).

Cheers,

Denis

[1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Marco Gaiarin
2017-Nov-07 17:23 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hello! Denis Cardon via samba, on that day you were saying...

Sorry, I came back to this a bit later...

> > Some other hint? For example, is there some way to disable logon for the
> > user, but have LDAP auth work as expected?

> You can put your service accounts in an OU and add a GPO that denies
> logon/services/tasks locally.

I've tried to google around a bit but I'm a bit confused. The thing that seems to me to be what you are saying is:

  https://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/

right?

> If you are using those accounts on a Windows computer, you could use managed
> accounts [1] (I haven't tried it yet).
> [1] https://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx

I'll keep it for a future read.

Thanks!
Marco Gaiarin
2017-Nov-07 18:24 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hello! Denis Cardon via samba, on that day you were saying...

> You can put your service accounts in an OU and add a GPO that denies
> logon/services/tasks locally.

Coming back to this briefly.

I've created a 'Restricted' OU, a 'Restricted' group (I'm short on imagination today ;) and an 'mta' user, both user and group in the 'Restricted' OU, of course. And I've added 'mta' to the 'Restricted' group.

Clearly, on a DC, an xID gets assigned to the group:

  root at vdcsv1:~# getent group Restricted
  LNFFVG\restricted:x:3000026:

but in the same way the 'mta' user gets by default the 'Domain Users' group (and others, it seems):

  root at vdcsv1:~# getent passwd mta
  LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
  root at vdcsv1:~# id mta
  uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)

OK, some questions:

a) Does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not a member of 'Domain Users'? Or after that do I have to re-set all the ACLs on my LDAP objects to let a non-'Domain Users' member read LDAP data?

b) If I modify 'primaryGroupID: 513', considering that neither the user nor the group have POSIX/rfc2307 data, could that potentially break something? On member servers?

c) Is there some way, apart from ldbmodify, to modify primaryGroupID?

Thanks.
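As an added example, not taken from the thread or from the Samba project, the following POSIX shell script puts together the two things discussed above: the layout from Marco's first and third posts (a 'Restricted' OU and group, an 'mta' service user with a non-expiring password, created with samba-tool), and the ldbmodify LDIF that replaces primaryGroupID 513 ('Domain Users') with the RID of the 'Restricted' group, which is what the third post asks about. The domain DN DC=example,DC=com, the group's objectSid and the sam.ldb path are assumptions (the path is Samba's default); samba-tool and ldbmodify are only executed when DRY_RUN=0, otherwise the commands and the LDIF are just printed.

```shell
#!/bin/sh
# Added example, not from the thread: read-only LDAP service account on a
# Samba AD DC. DRY_RUN=1 (default) prints what would run; DRY_RUN=0 runs it.
# Assumed values (placeholders): BASE_DN, SAM_DB (Samba default path),
# and the group objectSid passed to set_primary_group.

DRY_RUN="${DRY_RUN:-1}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"            # placeholder domain DN
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}" # Samba's default sam.ldb
OU_NAME="Restricted"
GROUP_NAME="Restricted"
SVC_USER="mta"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: OU, group and user, all inside the Restricted OU (--userou and
# --groupou take the OU relative to the domain DN).
create_restricted_account() {
    run samba-tool ou create "OU=$OU_NAME,$BASE_DN"
    run samba-tool group add "$GROUP_NAME" --groupou="OU=$OU_NAME"
    # --random-password keeps the secret out of the command line and shell
    # history; set the real bind password afterwards with
    # 'samba-tool user setpassword'.
    run samba-tool user create "$SVC_USER" --random-password \
        --userou="OU=$OU_NAME" --description="Read-only LDAP bind account"
    # Marco's point c): password never expires.
    run samba-tool user setexpiry "$SVC_USER" --noexpiry
    # Explicit membership is required before the group can become primary.
    run samba-tool group addmembers "$GROUP_NAME" "$SVC_USER"
}

# Step 2: primaryGroupID. The RID is the last sub-authority of objectSid
# (S-1-5-21-<domain>-<RID>); primaryGroupID stores exactly that number.
rid_from_sid() {
    printf '%s\n' "${1##*-}"
}

# LDIF replacing primaryGroupID for the service user ($1) with RID $2.
primary_group_ldif() {
    printf 'dn: CN=%s,OU=%s,%s\nchangetype: modify\nreplace: primaryGroupID\nprimaryGroupID: %s\n' \
        "$1" "$OU_NAME" "$BASE_DN" "$2"
}

# $1 = objectSid of the new primary group. Look it up on the DC with:
#   ldbsearch -H "$SAM_DB" "(sAMAccountName=$GROUP_NAME)" objectSid
set_primary_group() {
    rid=$(rid_from_sid "$1")
    if [ "$DRY_RUN" = "1" ]; then
        primary_group_ldif "$SVC_USER" "$rid"
    else
        primary_group_ldif "$SVC_USER" "$rid" | ldbmodify -H "$SAM_DB"
    fi
}

create_restricted_account
# Constructed sample SID; replace with the real objectSid of 'Restricted'.
set_primary_group "S-1-5-21-1111111111-2222222222-3333333333-1105"
```

Two AD facts explain the ordering and the effect: the directory only accepts a primaryGroupID whose group already lists the user in its member attribute, hence addmembers runs before the LDIF; and membership in the primary group is implicit (it is not stored in 'Domain Users' member attribute at all), so after the change the account simply stops being a 'Domain Users' member and anything that granted read access via that group no longer applies to it. The GPO that denies interactive logon, which Denis suggests, is configured in group policy and is out of scope for this script.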