[Samba] LDAP proxy auth
steve
steve at steve-ss.com
Sat Oct 25 14:31:59 MDT 2014
On 25/10/14 22:23, Rowland Penny wrote:
> On 25/10/14 20:33, Lars Hanke wrote:
>> During my test phase I used to manage POSIX attributes in my AD using
>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>> impossible unless I logged in as Administrator, since the principal is
>> tied to the user account - be it only for NFS4. ;) Administrator so
>> far is not even a POSIX user.
>>
>> My first idea was to join my POSIX user to some group, which is
>> allowed to modify user data. Does samba4 recognize this? And which
>> group would be the correct one?
>>
>> Alternatively, is there a way to simple bind with Administrator access
>> rights?
>>
>> Thanks for your help,
>> - lars.
> Investigate ldb-tools and Kerberos, you will need a keytab, but if you
> use winbind, this will be created for you.
>
> Rowland
>
But not if he's on the DC. In that case he could use the MACHINE$ or
host/ keys at /path/to/samba/private/secrets.keytab or, I'm almost
certain that our counterparts of the kerberos list would recommend he
nominates an unprivileged domain user and creates the default keytab
containing that key.
José