L.P.H. van Belle
2017-Nov-08 16:07 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
I dont beleave it. That 5 years old now, normaly i'll dig into it, but exim... I dropped exim about 15 years ago.. First thing i do on debian... apt-get install --purge postfix That installs postfix and removes exim and purges exims config.. ;-) The setup for the Ad in the link below is the same but if you want access without auth, Have you tried to query the GC ports. ( 3268 or 3269 ) And read : technet.microsoft.com/en-us/library/cc961563.aspx That should work, havent tried it myself to be honist, dont use it.. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Gaiarin via samba > Verzonden: woensdag 8 november 2017 16:14 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Best practice for creating an RO LDAP > User in AD... > > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > Why don't you do what most people do, use kerberos. Create the user > > with a random password, set password to never expire, set the users > > shell to /bin/false. Now set exim to use kerberos (don't > ask me how, I > > don't use exim) > > Seems not possible: > > > lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html > > -- > dott. Marco Gaiarin GNUPG > Key ID: 240A3D66 > Associazione ``La Nostra Famiglia'' > lanostrafamiglia.it > Polo FVG - Via della Bontà, 7 - 33078 - San Vito al > Tagliamento (PN) > marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 > f +39-0434-842797 > > Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! > lanostrafamiglia.it/index.php/it/sostienici/5x1000 > (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA) > > -- > To unsubscribe from this list go to the following URL and read the > instructions: lists.samba.org/mailman/options/samba >
Rowland Penny
2017-Nov-08 16:23 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Wed, 8 Nov 2017 17:07:15 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:> I dont beleave it. > > That 5 years old now, normaly i'll dig into it, but exim... I > dropped exim about 15 years ago.. First thing i do on debian... > apt-get install --purge postfix > That installs postfix and removes exim and purges exims config.. ;-) > > The setup for the Ad in the link below is the same but if you want > access without auth, Have you tried to query the GC ports. ( 3268 or > 3269 ) And read : > technet.microsoft.com/en-us/library/cc961563.aspx > > That should work, havent tried it myself to be honist, dont use it.. > >To be honest, I would go with Postfix if I had to, but it has been sometime since I had to set up a mailserver. You can use Dovecot with Postfix and that definitely will work with kerberos. Rowland
Marco Gaiarin
2017-Nov-09 10:08 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Mandi! L.P.H. van Belle via samba In chel di` si favelave...> I dont beleave it.Eh. «De gustibus non disputandum est». ;-)> The setup for the Ad in the link below is the same but if you want access without auth, > Have you tried to query the GC ports. ( 3268 or 3269 )No, but now yes and does not work: gaio at albus:~$ ldapsearch -x -H ldap://vdcsv1:3268 -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" # extended LDIF # # LDAPv3 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree # filter: (uid=gaio) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00002020: Operation unavailable without authentication # numResponses: 1 gaio at albus:~$ ldapsearch -x -H ldaps://vdcsv1:3269 -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)" # extended LDIF # # LDAPv3 # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree # filter: (uid=gaio) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00002020: Operation unavailable without authentication # numResponses: 1> And read : > technet.microsoft.com/en-us/library/cc961563.aspx > That should work, havent tried it myself to be honist, dont use it..Interesting. But scare me a bit. In this way i can put in anonymous access also the password hashes? Really, AFAI've understoow well, the ACL in AD are a complex beast, and broke things, or make some restricted info available to all by mistakes, seems too easy... So, if i open ACL to 'Everyone', i've to set other ACL to restrict, eg, passwords? -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' lanostrafamiglia.it Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Rowland Penny
2017-Nov-09 11:25 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Thu, 9 Nov 2017 11:08:26 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > I dont beleave it. > > Eh. «De gustibus non disputandum est». ;-) > > > > The setup for the Ad in the link below is the same but if you want > > access without auth, Have you tried to query the GC ports. ( 3268 > > or 3269 ) > > No, but now yes and does not work: > > gaio at albus:~$ ldapsearch -x -H ldap://vdcsv1:3268 -b > DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"Try: ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it '(uid=gaio)' You will have to do this as root. Rowland
Andrew Bartlett
2017-Nov-16 21:49 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Thu, 2017-11-09 at 11:08 +0100, Marco Gaiarin via samba wrote:> Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > I dont beleave it. > > Eh. «De gustibus non disputandum est». ;-) > > > > The setup for the Ad in the link below is the same but if you want access without auth, > > Have you tried to query the GC ports. ( 3268 or 3269 ) > > No, but now yes and does not work:Yes, GC is just as restricted as the normal ports, just read-only and covering the full forest (if we had forest support, which we do not).> > > And read : > > technet.microsoft.com/en-us/library/cc961563.aspx > > That should work, havent tried it myself to be honist, dont use it.. > > Interesting. But scare me a bit. In this way i can put in anonymous > access also the password hashes?I'm not sure what you mean here exactly, but do avoid anonymous access if at all possible. That said, passwords hashes are never exposed over LDAP.> Really, AFAI've understoow well, the ACL in AD are a complex beast, and > broke things, or make some restricted info available to all by > mistakes, seems too easy... > > > So, if i open ACL to 'Everyone', i've to set other ACL to restrict, eg, > passwords?A normal user would be able to read what you need, I wouldn't go about changing the defaults. Andrew Bartlett -- Andrew Bartlett samba.org/~abartlet Authentication Developer, Samba Team samba.org Samba Development and Support, Catalyst IT catalyst.net.nz/services/samba