I finally figured it out and thought I would post back just in case anyone else cared:
There are actually 2 ways of doing this. Probably the easiest is doing something like:

    net ads search -P '(objectCategory=group)' sAMAccountName

Another way is generating a keytab using "net ads keytab create", which should make a machi...@domain entry in the keytab, after which you can do:

    kinit -k 'machi...@domain'

and then:

    ldapsearch -H ldap://domain-controller.domain -b "dc=domain" '(sAMAccountName=MACHINE$)'

ldapsearch in this case would need to be using SASL and have SASL GSSAPI support enabled.

On Sun, Sep 20, 2009 at 6:45 PM, Nick <[email protected]> wrote:
> Has anyone thus far used the machine account to perform ldap queries
> to the active directory ldap server? Essentially what I am trying to
> do is have some cron scripts perform ldap queries to the AD server to
> get things like account status and such. I realize that technically
> the AD server can be setup to allow anonymous ldap queries, or a
> separate service account could be used. However due to security
> policy constraints in our environment, neither of these can be done.
>
> Therefore what I am trying to do is get ldapsearch or similar to use
> the machine account. I'm guessing the simplest approach would be to
> find a way to extract the machine account name and password from
> whatever samba database holds it, then pass that directly into
> ldapsearch. Ideally I would just use some sort of samba built-in
> utility (to avoid needing to pass the password in via insecure command
> line args or environment variables that can potentially be read by
> other users on the system), however I can't seem to find anything in
> the samba suite that performs that function.
>
> Ideas?
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
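The keytab route from the reply, written up as a cron-style script, as an added example that is not part of the thread and not Samba's own code. It assumes a host already joined with "net ads join", a keytab produced by "net ads keytab create" at /etc/krb5.keytab, a realm of EXAMPLE.COM with a domain controller dc1.example.com, and an ldapsearch built with SASL/GSSAPI; the realm, host and path values are placeholders, and the function names are mine. The script derives the machine principal (short hostname, upper-cased, trailing "$"), turns the realm into a base DN, escapes the account name before placing it in the filter so a name taken from input cannot change the query, obtains a ticket from the root-only keytab into a private credential cache, and runs the search. No password ever reaches the command line or the environment, which is the constraint the original question raised.

```shell
#!/bin/sh
# Added example (not from the thread): query AD using the Samba machine
# account's Kerberos credentials from the keytab, with no password on the
# command line or in the environment.
# Assumptions (placeholders): realm EXAMPLE.COM, DC dc1.example.com,
# keytab from "net ads keytab create" at /etc/krb5.keytab, GSSAPI-enabled
# ldapsearch.
set -eu

REALM="${REALM:-EXAMPLE.COM}"               # assumed realm
DC_HOST="${DC_HOST:-dc1.example.com}"       # assumed domain controller
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"        # assumed keytab location
CCACHE="${CCACHE:-/tmp/krb5cc_machine_$$}"  # private ticket cache for this run

# Machine account principal: short hostname, upper-cased, with a trailing '$'.
# Usage: machine_principal <hostname> <REALM>
machine_principal() {
    host="$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')"
    printf '%s$@%s\n' "$host" "$2"
}

# Base DN from the realm: EXAMPLE.COM -> dc=example,dc=com
base_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\./,dc=/g; s/^/dc=/'
}

# Escape the characters that are special in an LDAP filter (RFC 4515):
# backslash first, then '*', '(' and ')'. NUL cannot occur in a shell string.
ldap_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Filter for one account, as used in the reply: (sAMAccountName=NAME)
account_filter() {
    printf '(sAMAccountName=%s)\n' "$(ldap_escape "$1")"
}

# Get a ticket for the machine principal from the keytab (readable by root
# only), run the query, and destroy the ticket cache when the script exits.
# The attributes requested cover the "account status" the question mentions.
query_account() {
    principal="$(machine_principal "$(hostname)" "$REALM")"
    export KRB5CCNAME="$CCACHE"
    trap 'kdestroy >/dev/null 2>&1 || true' EXIT
    kinit -k -t "$KEYTAB" "$principal"
    ldapsearch -LLL -Y GSSAPI -H "ldap://$DC_HOST" -b "$(base_dn "$REALM")" \
        "$(account_filter "$1")" sAMAccountName userAccountControl
}

# The network step only runs when asked for explicitly, e.g. from cron:
#   RUN_AD_QUERY=1 ./ad-account-status.sh someuser
if [ "${RUN_AD_QUERY:-0}" = 1 ]; then
    query_account "${1:?account name required}"
fi
```

Run it as root (the keytab owner) from cron with RUN_AD_QUERY=1; because KRB5CCNAME points at a per-run cache that kdestroy removes on exit, the machine ticket is not left behind for other users on the host.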
