[Samba] Samba as a PDC with LDAP and Kerberos

Wed Apr 27 19:07:50 GMT 2005

leggett at ci.uchicago.edu wrote:

>So I think I have the steps needed to get this all working, but I think I
>have a chicken/egg problem now.
>  
>
<snip>

>So, is there a way to get it to a point where a normal user in the Domain
>Admins group can join machine and add Samba Accounts, etc without
>requiring a uid 0 user to be in LDAP.
>  
>
The sambaSamAccount entry for root needs to be in the LDAP directory, 
but the rest of the account doesn't.  We have an entry for the root 
account in our LDAP directory that only has the following non-Samba 
attributes defined:

dn: uid=root,dc=jbc,dc=edu
objectClass: account
objectClass: sambaSamAccount
uid: root
displayName: root
cn: root

Although this technically means that there is a uid 0 user in LDAP, it's 
only a uid 0 user as far as Samba is concerned; Linux/Unix won't 
recognize the LDAP portion of the root account as being a valid user.

 From what I've read, this setup won't work if you set ldapsam:trusted = 
yes in smb.conf, but it will work long enough to assign privileges then 
set ldapsam:trusted.

>Also, what pieces are really needed to join a machine to the Samba Domain.
>And what and who needs to be able to read/write LDAP for this to happen?
>
>Pieces I've identified so far. Things starting with '?' I'm not sure about.
>
>- Domain Users, Domain Admins, and Domain Guests groups exist with valid
>sambaSIDs (posixGroup and sambaGroupMapping)
>- Domain Admins group has the SeMachineAccountPrivilege privilege
>  
>
Correct.

>- a sambaDomainName object with a valid sambaSID
>  
>
It's a sambaDomain object, not a sambaDomainName object.  I'm pretty 
sure that Samba will create this for you if it doesn't exist.

>- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
>whose SID is in the the Domain Admins sambaSIDList
>  
>
Correct.

>? A machine user (posixAccount sambaSamAccount) with a valid uid and
>sambaSID and whose parent LDAP tree is listed as a passwd search path for
>NSS
>  
>
Generally unnecessary.  Although you can create it yourself, it's easier 
to set up an add machine script (such as that provided by the Idealx 
smbldap-tools, if you're using those) and let it take care of this for 
you.  Chapter 6 of the Samba-HOWTO has more information on how machine 
trust accounts are created.

>My last question is this. Does the above user listed above have to have
>write access to the LDAP directory or does only the samba user whose
>password is stored in private/secrets.tdb need write access to the
>directory?
>  
>
Only the Samba user (whoever you specify as the ldap admin dn) needs 
write access.

>Because I'm using Kerberos as my authentication scheme, in order to write
>to the directory you must have an admin principal (userfoo/admin).
>However, these principals should not be in LDAP with UIDs because they're
>never used in that aspect.
>  
>
Sorry, I'm not familiar with Kerberos.

Josh Kelley