Marco Gaiarin
2017-Nov-08 08:49 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hello! Rowland Penny via samba, on that day, wrote...

> Not sure what you are proposing is going to work, AD expects every user
> to be a member of Domain Users, even though there is nothing in AD to
> show membership.

Ah.

> Do you require this user to be visible on all domain machines?
[...]
> It might help if you could explain how you are going to use your new
> user 'mta'

No. Probably quoting a message of a month ago does not help...

I simply need to have some LDAP access to do LDAP queries; this 'mta' example, I need it to do email/alias processing in exim.

Practically, users in the 'Restricted' group do not need to log on nor to do anything on the domain, apart from logging into the LDAP and doing some "generic" queries.
I set a random/complex password for users in that group and forgot about it, but I'm thinking of doing the 'right' thing, lowering the account privileges to the minimum.

Probably it is a generic 'Active Directory' question, not a specific Samba one, but... I've not found relevant info out there...

Thanks.

--
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2017-Nov-08 09:54 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Wed, 8 Nov 2017 09:49:42 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba, on that day, wrote...
>
> > Not sure what you are proposing is going to work, AD expects every
> > user to be a member of Domain Users, even though there is nothing
> > in AD to show membership.
>
> Ah.
>
> > Do you require this user to be visible on all domain machines?
> [...]
> > It might help if you could explain how you are going to use your new
> > user 'mta'
>
> No. Probably quoting a message of a month ago does not help...
>
> I simply need to have some LDAP access to do LDAP queries; this
> 'mta' example, I need it to do email/alias processing in exim.
>
> Practically, users in the 'Restricted' group do not need to log on nor to
> do anything on the domain, apart from logging into the LDAP and doing some
> "generic" queries.
> I set a random/complex password for users in that group and forgot
> about it, but I'm thinking of doing the 'right' thing, lowering the
> account privileges to the minimum.
>
> Probably it is a generic 'Active Directory' question, not a specific
> Samba one, but... I've not found relevant info out there...
>
> Thanks.
>

Why don't you do what most people do, use Kerberos. Create the user with a random password, set the password to never expire, set the user's shell to /bin/false. Now set exim to use Kerberos (don't ask me how, I don't use exim).

Rowland
Marco Gaiarin
2017-Nov-08 15:14 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hello! Rowland Penny via samba, on that day, wrote...

> Why don't you do what most people do, use Kerberos. Create the user
> with a random password, set the password to never expire, set the user's
> shell to /bin/false. Now set exim to use Kerberos (don't ask me how, I
> don't use exim)

Seems not possible:

https://lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html

--
dott. Marco Gaiarin
L.P.H. van Belle
2017-Nov-08 16:07 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
I don't believe it. That's 5 years old now; normally I'd dig into it, but exim... I dropped exim about 15 years ago.

First thing I do on Debian: apt-get install --purge postfix

That installs postfix and removes exim and purges exim's config. ;-)

The setup for the AD in the link below is the same, but if you want access without auth, have you tried to query the GC ports (3268 or 3269)?

And read: https://technet.microsoft.com/en-us/library/cc961563.aspx

That should work; I haven't tried it myself, to be honest, I don't use it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Wednesday 8 November 2017 16:14
> To: samba at lists.samba.org
> Subject: Re: [Samba] Best practice for creating an RO LDAP
> User in AD...
>
> Hello! Rowland Penny via samba, on that day, wrote...
>
> > Why don't you do what most people do, use Kerberos. Create the user
> > with a random password, set the password to never expire, set the user's
> > shell to /bin/false. Now set exim to use Kerberos (don't
> ask me how, I
> > don't use exim)
>
> Seems not possible:
>
> https://lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html
>
> --
> dott. Marco Gaiarin
Jonathan Hunter
2017-Nov-09 08:27 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hi Marco,

On 8 November 2017 at 08:49, Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba, on that day, wrote...
>
> > Not sure what you are proposing is going to work, AD expects every user
> > to be a member of Domain Users, even though there is nothing in AD to
> > show membership.
>
> [...]
> I simply need to have some LDAP access to do LDAP queries; this 'mta'
> example, I need it to do email/alias processing in exim.
>

For what it's worth, I have done exactly this for an account I use in Apache for LDAP authentication; it sounds similar to your use case here.

In my Apache config I have:

AuthLDAPBindDN cn=apacheuser,cn=Users,dc=mydomain,dc=uk

and I have just checked in AD: this user is a member of 'Domain Guests' and not 'Domain Users'.

I think, if you are only doing LDAP searches and not using any "Windows style" functionality, then this will work just fine. Try it, and see? Worst case, you just need to change the membership back again :)

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Marco Gaiarin
2017-Nov-09 10:10 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hello! Jonathan Hunter via samba, on that day, wrote...

> and I have just checked in AD: this user is a member of 'Domain Guests' and
> not 'Domain Users'.

Oh, good point! Never mind about 'Domain Guests'... but because I prefer to have that user in a specific group, probably I can set that user as a member of my group, and my group as a member of 'Domain Guests'.

I'll give it a try...

--
dott. Marco Gaiarin
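The thread converges on a profile for a bind-only AD account (random password that never expires, /bin/false shell, primary group moved off 'Domain Users' to 'Domain Guests', membership only in the dedicated 'Restricted' group). The following audit check is an added example, not code from the thread or from Samba; it runs over a constructed copy of the user's attributes in the form an LDAP search returns them. The RID values 513/514 and the userAccountControl bits are standard AD constants; the DNs and the entry itself are made up.

```python
# Added example: verify an AD service account against the least-privilege
# bind-only profile discussed in the thread. Input is a dict of attribute
# name -> list of string values, as ldapsearch/samba-tool would return.

UAC_ACCOUNTDISABLE = 0x0002          # standard AD userAccountControl bits
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
RID_DOMAIN_USERS = 513               # well-known RID of 'Domain Users'
RID_DOMAIN_GUESTS = 514              # well-known RID of 'Domain Guests'

def audit_restricted_account(entry, allowed_groups):
    """Return a list of findings; an empty list means the entry matches
    the profile. allowed_groups: DNs the account may be a direct member of."""
    findings = []
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & UAC_ACCOUNTDISABLE:
        findings.append("account is disabled; a simple bind will fail")
    if not uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("password expires; the bind will break when it does")
    # AD defaults primaryGroupID to 513 when the attribute is absent.
    pgid = int(entry.get("primaryGroupID", [str(RID_DOMAIN_USERS)])[0])
    if pgid == RID_DOMAIN_USERS:
        findings.append("primary group is still Domain Users (RID 513)")
    # memberOf never lists the primary group, so anything here is explicit.
    allowed = {g.lower() for g in allowed_groups}
    for dn in entry.get("memberOf", []):
        if dn.lower() not in allowed:
            findings.append(f"unexpected group membership: {dn}")
    if entry.get("servicePrincipalName"):
        findings.append("has SPNs: that is a Kerberos service account, not a bind-only user")
    shell = entry.get("loginShell", ["/bin/false"])[0]
    if shell not in ("/bin/false", "/usr/sbin/nologin"):
        findings.append(f"interactive login shell set: {shell}")
    return findings

# Constructed sample: the 'mta' user after following the thread's advice.
ALLOWED_GROUPS = {"CN=Restricted,OU=Groups,DC=example,DC=com"}
MTA_ENTRY = {
    "sAMAccountName": ["mta"],
    "userAccountControl": [str(UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD)],
    "primaryGroupID": [str(RID_DOMAIN_GUESTS)],
    "memberOf": ["CN=Restricted,OU=Groups,DC=example,DC=com"],
    "loginShell": ["/bin/false"],
}

if __name__ == "__main__":
    for finding in audit_restricted_account(MTA_ENTRY, ALLOWED_GROUPS) or ["OK"]:
        print(finding)
```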