On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote:
> On Tue, 18 Dec 2018 19:13:16 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > I've set up a script that scans the non-disabled user base, base query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> >
> > and for every user I check the 'last password change' data value,
> > doing something (e.g. disabling it ;-) if it is too far back.
> >
> > I've found that my script also gets some 'dns-*' accounts; looking at
> > the data I've found that the account associated with the DC holding the
> > FSMO roles (and the DC where I first deployed the domain) has:
> >
> > isCriticalSystemObject: TRUE
>
> Not sure where that came from, both my dns-* users do not have that
> line

We probably should add it however. ;-)

> > while all the other DCs do NOT, so the query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> >
> > works as expected, but filters out only the dns-* account of the FSMO
> > roles DC, not the other DCs.
> >
> > Googling a bit, it seems that this attribute is safer NOT to be
> > changed.
> >
> > Supposing that disabling the dns-* accounts is not such a good idea,
> > how can I filter those accounts? Only by 'dns-*' name?
>
> No, it wouldn't be a good idea to disable them, not if you want
> BIND9_DLZ to work.

Yeah.

For the list, this account is part of a small attempt to provide some
measure of privilege separation between BIND9 and the rest of Samba's
AD DC.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi! Andrew Bartlett via samba, on that day, was saying...

> > > isCriticalSystemObject: TRUE
> > Not sure where that came from, both my dns-* users do not have that
> > line
> We probably should add it however. ;-)

Can I safely add this?

> > No, it wouldn't be a good idea to disable them, not if you want
> > BIND9_DLZ to work.
[...]
> For the list, this account is part of a small attempt to provide some
> measure of privilege separation between BIND9 and the rest of Samba's
> AD DC.

Ok, thanks Andrew and Rowland, I supposed that.

PS: is it worth firing up a bug report?

--
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''       http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Wed, 19 Dec 2018 09:26:07 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Andrew Bartlett via samba, on that day, was saying...
>
> > > > isCriticalSystemObject: TRUE
> > > Not sure where that came from, both my dns-* users do not have
> > > that line
> > We probably should add it however. ;-)
>
> Can I safely add this?

You could, but it isn't a critical system object. In my view, to be a
critical object, AD will not work without it, but the 'dns-*' users
are only required if you are using Bind9 and my AD DCs work very well
without that line. There is also the problem (from my understanding)
that if you do set the attribute, you will not be able to delete the
user.

>
> > > No, it wouldn't be a good idea to disable them, not if you want
> > > BIND9_DLZ to work.
> [...]
> > For the list, this account is part of a small attempt to provide
> > some measure of privilege separation between BIND9 and the rest of
> > Samba's AD DC.
>
> Ok, thanks Andrew and Rowland, I supposed that.
>
>
> PS: is it worth firing up a bug report?

Sorry, but I do not think so, unless you mean adding one for 'My dns-*
user has become a system critical object (isCriticalSystemObject: TRUE)'

Rowland
The dns-COMPUTER-NAME "user" contains the dns/SPN, so be very careful here
and don't remove this user.

Normally, you would have expected to have the DNS/spn on the serverObject
in the AD. So imo yes, a small bug, but as Andrew told, this is intended.

Adding:

isCriticalSystemObject: TRUE

should not be needed.

What I would do here is use the description field.
( DNS Service Account for .... )
Filter out all "*Service Account*".
Simple and easy to track, and it changes nothing in the base.
If you have more accounts to filter out, just add "Service Account" in the
description.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 19 December 2018 9:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Little strangeness on dns-* account...
>
> On Wed, 19 Dec 2018 09:26:07 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > Hi! Andrew Bartlett via samba, on that day, was saying...
> >
> > > > > isCriticalSystemObject: TRUE
> > > > Not sure where that came from, both my dns-* users do not have
> > > > that line
> > > We probably should add it however. ;-)
> >
> > Can I safely add this?
>
> You could, but it isn't a critical system object. In my view, to be a
> critical object, AD will not work without it, but the 'dns-*' users
> are only required if you are using Bind9 and my AD DCs work very well
> without that line. There is also the problem (from my understanding)
> that if you do set the attribute, you will not be able to delete the
> user.
>
> >
> > > > No, it wouldn't be a good idea to disable them, not if you want
> > > > BIND9_DLZ to work.
> > [...]
> > > For the list, this account is part of a small attempt to provide
> > > some measure of privilege separation between BIND9 and the rest of
> > > Samba's AD DC.
> >
> > Ok, thanks Andrew and Rowland, I supposed that.
> >
> >
> > PS: is it worth firing up a bug report?
>
> Sorry, but I do not think so, unless you mean adding one for 'My dns-*
> user has become a system critical object
> (isCriticalSystemObject: TRUE)'
>
> Rowland
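As an added example (not code from anyone in this thread), here is what Marco's scan looks like once Louis's description-tag convention is applied: the server-side LDAP filter extended with the exclusions discussed above, plus the same decision taken client-side so each exclusion can be checked before an account is touched. The "Service Account" tag, the 90-day limit, the pwdLastSet cut-off clauses and the sample entries are assumptions.

```python
from datetime import datetime, timedelta, timezone
# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_DIFF_TICKS = 116444736000000000  # ticks from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000
ACCOUNTDISABLE = 0x2  # userAccountControl bit the :1.2.840.113556.1.4.803: rule tests

def to_filetime(dt):  # aware datetime -> FILETIME integer, as stored in pwdLastSet
    return int(dt.timestamp()) * TICKS_PER_SECOND + EPOCH_DIFF_TICKS

def from_filetime(ft):  # FILETIME integer -> aware UTC datetime (second resolution)
    return datetime.fromtimestamp((ft - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND, tz=timezone.utc)

def stale_password_filter(now, max_age_days, tag="Service Account"):
    """Server-side filter: enabled, non-computer users with a password older than
    max_age_days, skipping critical objects and descriptions carrying the tag."""
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    return ("(&(objectClass=user)(!(objectClass=computer))"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(!(isCriticalSystemObject=TRUE))(!(description=*{tag}*))"
            f"(pwdLastSet>=1)(pwdLastSet<={cutoff}))")

def is_stale(entry, now, max_age_days, tag="Service Account"):
    """Same decision client-side for one entry (dict of attributes), so every
    exclusion can be checked before an account is touched."""
    if "computer" in entry.get("objectClass", ()):
        return False
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return False
    if str(entry.get("isCriticalSystemObject", "")).upper() == "TRUE":
        return False
    if tag.lower() in entry.get("description", "").lower():
        return False
    pls = int(entry.get("pwdLastSet", 0))
    if pls == 0:  # 0 = "must change password at next logon": nothing to age
        return False
    return now - from_filetime(pls) > timedelta(days=max_age_days)

# Constructed sample entries (not from the thread), as a script would see them.
NOW = datetime(2018, 12, 19, tzinfo=timezone.utc)
def _ft(days_ago):
    return to_filetime(NOW - timedelta(days=days_ago))
SAMPLE_ENTRIES = {
    "alice": {"objectClass": ["user"], "userAccountControl": 512, "pwdLastSet": _ft(200)},
    "dns-DC1": {"objectClass": ["user"], "userAccountControl": 512, "pwdLastSet": _ft(400),
                "description": "DNS Service Account for DC1"},
    "bob": {"objectClass": ["user"], "userAccountControl": 514, "pwdLastSet": _ft(400)},  # 512|2: disabled
    "newhire": {"objectClass": ["user"], "userAccountControl": 512, "pwdLastSet": 0},
}

def stale_accounts(entries=SAMPLE_ENTRIES, now=NOW, max_age_days=90):
    return sorted(n for n, e in entries.items() if is_stale(e, now, max_age_days))
```

Only alice is flagged: dns-DC1 is skipped by its description, bob is already disabled, and newhire has pwdLastSet 0 and so has no password age to measure.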