L.P.H. van Belle
2017-Nov-08 16:07 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
I don't believe it.

That's 5 years old now; normally I'll dig into it, but exim... I dropped exim about 15 years ago. First thing I do on Debian:

    apt-get install --purge postfix

That installs postfix and removes exim and purges exim's config. ;-)

The setup for the AD in the link below is the same, but if you want access without auth, have you tried to query the GC ports (3268 or 3269)? And read: https://technet.microsoft.com/en-us/library/cc961563.aspx

That should work; haven't tried it myself, to be honest, I don't use it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Wednesday, 8 November 2017 16:14
> To: samba at lists.samba.org
> Subject: Re: [Samba] Best practice for creating an RO LDAP User in AD...
>
> Hi! Rowland Penny via samba
>   That day you were saying...
>
> > Why don't you do what most people do, use kerberos. Create the user
> > with a random password, set password to never expire, set the user's
> > shell to /bin/false. Now set exim to use kerberos (don't ask me how, I
> > don't use exim)
>
> Seems not possible:
>
> https://lists.exim.org/lurker/message/20120918.093204.bb65a97f.en.html
>
> --
> dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''       http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2017-Nov-08 16:23 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Wed, 8 Nov 2017 17:07:15 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I don't believe it.
>
> That's 5 years old now; normally I'll dig into it, but exim... I
> dropped exim about 15 years ago. First thing I do on Debian:
> apt-get install --purge postfix
> That installs postfix and removes exim and purges exim's config. ;-)
>
> The setup for the AD in the link below is the same, but if you want
> access without auth, have you tried to query the GC ports (3268 or
> 3269)? And read:
> https://technet.microsoft.com/en-us/library/cc961563.aspx
>
> That should work; haven't tried it myself, to be honest, I don't use it.
>

To be honest, I would go with Postfix if I had to, but it has been some time since I had to set up a mailserver. You can use Dovecot with Postfix and that definitely will work with kerberos.

Rowland
Marco Gaiarin
2017-Nov-09 10:08 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hi! L.P.H. van Belle via samba
  That day you were saying...

> I don't believe it.

Eh. «De gustibus non disputandum est». ;-)

> The setup for the AD in the link below is the same, but if you want access without auth,
> have you tried to query the GC ports (3268 or 3269)?

No, but now yes, and it does not work:

    gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
    # extended LDIF
    #
    # LDAPv3
    # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
    # filter: (uid=gaio)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 1 Operations error
    text: 00002020: Operation unavailable without authentication

    # numResponses: 1

    gaio@albus:~$ ldapsearch -x -H ldaps://vdcsv1:3269/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"
    # extended LDIF
    #
    # LDAPv3
    # base <DC=ad,DC=fvg,DC=lnf,DC=it> with scope subtree
    # filter: (uid=gaio)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 1 Operations error
    text: 00002020: Operation unavailable without authentication

    # numResponses: 1

> And read:
> https://technet.microsoft.com/en-us/library/cc961563.aspx
> That should work; haven't tried it myself, to be honest, I don't use it.

Interesting, but it scares me a bit. In this way, could I also expose the password hashes to anonymous access?

Really, as far as I've understood, the ACLs in AD are a complex beast, and breaking things, or making some restricted info available to all by mistake, seems too easy...

So, if I open the ACL to 'Everyone', do I have to set other ACLs to restrict, e.g., passwords?

-- 
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''       http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2017-Nov-09 11:25 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Thu, 9 Nov 2017 11:08:26 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! L.P.H. van Belle via samba
>   That day you were saying...
>
> > I don't believe it.
>
> Eh. «De gustibus non disputandum est». ;-)
>
> > The setup for the AD in the link below is the same, but if you want
> > access without auth, have you tried to query the GC ports (3268
> > or 3269)?
>
> No, but now yes, and it does not work:
>
> gaio@albus:~$ ldapsearch -x -H ldap://vdcsv1:3268/ -b DC=ad,DC=fvg,DC=lnf,DC=it "(uid=gaio)"

Try:

    ldbsearch -H ldap://vdcsv1:3268 -P -b DC=ad,DC=fvg,DC=lnf,DC=it '(uid=gaio)'

You will have to do this as root.

Rowland
Andrew Bartlett
2017-Nov-16 21:49 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Thu, 2017-11-09 at 11:08 +0100, Marco Gaiarin via samba wrote:
> Hi! L.P.H. van Belle via samba
>   That day you were saying...
>
> > I don't believe it.
>
> Eh. «De gustibus non disputandum est». ;-)
>
> > The setup for the AD in the link below is the same, but if you want access without auth,
> > have you tried to query the GC ports (3268 or 3269)?
>
> No, but now yes, and it does not work:

Yes, GC is just as restricted as the normal ports, just read-only and covering the full forest (if we had forest support, which we do not).

> > And read:
> > https://technet.microsoft.com/en-us/library/cc961563.aspx
> > That should work; haven't tried it myself, to be honest, I don't use it.
>
> Interesting, but it scares me a bit. In this way, could I also expose the
> password hashes to anonymous access?

I'm not sure what you mean here exactly, but do avoid anonymous access if at all possible. That said, password hashes are never exposed over LDAP.

> Really, as far as I've understood, the ACLs in AD are a complex beast, and
> breaking things, or making some restricted info available to all by
> mistake, seems too easy...
>
> So, if I open the ACL to 'Everyone', do I have to set other ACLs to restrict,
> e.g., passwords?

A normal user would be able to read what you need; I wouldn't go about changing the defaults.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
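As an added example (not code from the thread, from Samba or from Catalyst), this script puts Rowland's advice and Andrew's conclusion together: a dedicated account with a random password, no expiry and no login shell, authenticated with Kerberos via an exported keytab, so the consuming service never needs anonymous access or relaxed ACLs. The account name svc-ldap-ro, realm AD.EXAMPLE.COM, host dc1, base DN and keytab path are assumptions; the classifier recognises the 00002020 error Marco's anonymous searches returned.

```shell
#!/bin/sh
# Added example, not from the thread: provision a read-only LDAP bind
# account in a Samba AD domain (random password, no expiry, no shell),
# export a keytab for it, and query with Kerberos instead of anonymously.
# All names below are assumptions; run "setup" on the DC as root.
set -eu

ACCOUNT=${ACCOUNT:-svc-ldap-ro}              # hypothetical account name
REALM=${REALM:-AD.EXAMPLE.COM}               # hypothetical Kerberos realm
DC_HOST=${DC_HOST:-dc1}                      # hypothetical DC hostname
KEYTAB=${KEYTAB:-/etc/ldap-ro.keytab}        # hypothetical keytab path
BASE_DN=${BASE_DN:-DC=ad,DC=example,DC=com}  # hypothetical base DN

# Nobody ever learns the password: it is random, and the service
# authenticates with the exported keytab, which is the real credential.
create_ro_account() {
    samba-tool user create "$ACCOUNT" --random-password \
        --login-shell=/bin/false \
        --description="Read-only LDAP bind account, no interactive login"
    samba-tool user setexpiry "$ACCOUNT" --noexpiry
    samba-tool domain exportkeytab "$KEYTAB" --principal="$ACCOUNT@$REALM"
    chmod 0600 "$KEYTAB"
}

# Get a ticket from the keytab (MIT kinit syntax) and search the GC port
# over SASL/GSSAPI. "$@" is the LDAP filter followed by attribute names.
query_as_ro_account() {
    kinit -k -t "$KEYTAB" "$ACCOUNT@$REALM"
    ldapsearch -Y GSSAPI -H "ldap://$DC_HOST:3268/" -b "$BASE_DN" "$@"
}

# Classify ldapsearch output read from stdin. AD answers unauthenticated
# searches with "result: 1" and text 00002020 (as in the thread); tell that
# apart from a bind that worked but matched no entry.
classify_ldapsearch_output() {
    _out=$(cat)
    case "$_out" in
        *"text: 00002020"*)    echo anonymous-rejected ;;
        *"# numEntries:"*)     echo ok ;;
        *"result: 0 Success"*) echo no-match ;;
        *)                     echo other-error ;;
    esac
}

case "${1:-}" in
    setup) create_ro_account ;;
    query) shift; query_as_ro_account "$@" | tee /dev/stderr | classify_ldapsearch_output ;;
esac
```

Invoke as `./ro-bind.sh setup` once on the DC, then `./ro-bind.sh query '(uid=gaio)' dn` from the host holding the keytab; the last line printed is the classification.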