[Samba] LDAP proxy auth
Lars Hanke
debian at lhanke.de
Sat Oct 25 16:43:32 MDT 2014
On 26.10.2014 00:01, Harry Jede wrote:
> On 22:54:55 wrote Lars Hanke:
>> During my test phase I used to manage POSIX attributes in my AD using
>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>> impossible unless I logged in as Administrator, since the principal
>> is tied to the user account - be it only for NFS4. ;) Administrator
>> so far is not even a POSIX user.
>>
>> My first idea was to join my POSIX user to some group, which is
>> allowed to modify user data. Does samba4 recognize this?
> Yes
>
>> And which
>> group would be the correct one?
> Domain Admins
>
>> Alternatively, is there a way to simple bind with Administrator
>> access rights?
> Yes
>
> Get your admin dn on your dc:
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=administrator dn|grep ^dn
> dn: CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan
>
> Use this dn on any PC on your network, even if the PC is
> not joined to your domain.
>
> ldapsearch -xLLL -D CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan -W -H ldap://dc0 -b DC=ad,DC=schule,DC=lan '(objectclass=user)' dn
>
> No need for kerberos or ssl. But do not forget:
> all data is transferred in clear text. :-(
This can be helped by setting up TLS:
ldapmodify -H ldap://samba.ad.microsult.de -D "cn=Administrator,cn=Users,dc=ad,dc=microsult,dc=de" -W -x -ZZ < changePGID.ldif
;)
Now that this is solved, I got to find out why ldap-tools work like a
charm, but python-ldap all of a sudden has authentication problems using
the same GSSAPI. >:(
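To make the clear-text caveat from the thread concrete, here is an added example (not code from the thread or from Samba) that builds an LDAP simple BindRequest exactly as it travels over a plain ldap:// connection without -ZZ (RFC 4511, BER encoded) and then decodes the bind DN and password back out of the captured bytes; the message ID, DN and password are constructed values.

```python
"""LDAP simple bind on the wire: a BER-encoded BindRequest (RFC 4511) and a
decoder that recovers its credentials. Without StartTLS (-ZZ) or LDAPS, the
password is a plain OCTET STRING that anyone on the network path can read."""

def ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value

def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (enough for IDs/versions)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def simple_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
         version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind_req = tlv(0x60,                       # [APPLICATION 0], constructed
                   ber_int(3)
                   + tlv(0x04, bind_dn.encode())
                   + tlv(0x80, password.encode()))  # [0] simple: raw password
    return tlv(0x30, ber_int(msg_id) + bind_req)  # outer SEQUENCE

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_simple_bind(wire: bytes):
    """What a passive observer of a plaintext session sees: (DN, password),
    or None if the message is not a simple bind (e.g. a SASL/GSSAPI bind)."""
    tag, msg, _ = read_tlv(wire, 0)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(msg, 0)               # skip messageID
    tag, req, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return None                            # not a BindRequest
    _, _, pos = read_tlv(req, 0)               # skip version
    _, dn, pos = read_tlv(req, pos)
    tag, cred, _ = read_tlv(req, pos)
    return (dn.decode(), cred.decode()) if tag == 0x80 else None
```

A SASL bind (tag [3], as used by GSSAPI) carries no password in the message, which is why the decoder returns None for it; with -x and no -ZZ the same request exposes the password in full.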