[Samba] Samba as a PDC with LDAP and Kerberos
Josh Kelley
josh at jbc.edu
Wed Apr 27 19:07:50 GMT 2005
leggett at ci.uchicago.edu wrote:
>So I think I have the steps needed to get this all working, but I think I
>have a chicken/egg problem now.
>
>
<snip>
>So, is there a way to get it to a point where a normal user in the Domain
>Admins group can join machine and add Samba Accounts, etc without
>requiring a uid 0 user to be in LDAP.
>
>
The sambaSamAccount entry for root needs to be in the LDAP directory,
but the rest of the account doesn't. We have an entry for the root
account in our LDAP directory that only has the following non-Samba
attributes defined:
dn: uid=root,dc=jbc,dc=edu
objectClass: account
objectClass: sambaSamAccount
uid: root
displayName: root
cn: root
Although this technically means that there is a uid 0 user in LDAP, it's
only a uid 0 user as far as Samba is concerned; Linux/Unix won't
recognize the LDAP portion of the root account as being a valid user.
From what I've read, this setup won't work if you set ldapsam:trusted =
yes in smb.conf, but it will work long enough to assign privileges then
set ldapsam:trusted.
>Also, what pieces are really needed to join a machine to the Samba Domain.
>And what and who needs to be able to read/write LDAP for this to happen?
>
>Pieces I've identified so far. Things starting with '?' I'm not sure about.
>
>- Domain Users, Domain Admins, and Domain Guests groups exist with valid
>sambaSIDs (posixGroup and sambaGroupMapping)
>- Domain Admins group has the SeMachineAccountPrivilege privilege
>
>
Correct.
>- a sambaDomainName object with a valid sambaSID
>
>
It's a sambaDomain object, not a sambaDomainName object. I'm pretty
sure that Samba will create this for you if it doesn't exist.
>- a user (posixAccount and sambaSamAccount) who has a valid uid, sambaSID,
>whose SID is in the Domain Admins sambaSIDList
>
>
Correct.
>? A machine user (posixAccount sambaSamAccount) with a valid uid and
>sambaSID and whose parent LDAP tree is listed as a passwd search path for
>NSS
>
>
Generally unnecessary. Although you can create it yourself, it's easier
to set up an add machine script (such as that provided by the Idealx
smbldap-tools, if you're using those) and let it take care of this for
you. Chapter 6 of the Samba-HOWTO has more information on how machine
trust accounts are created.
>My last question is this. Does the above user listed above have to have
>write access to the LDAP directory or does only the samba user whose
>password is stored in private/secrets.tdb need write access to the
>directory?
>
>
Only the Samba user (whoever you specify as the ldap admin dn) needs
write access.
>Because I'm using Kerberos as my authentication scheme, in order to write
>to the directory you must have an admin principal (userfoo/admin).
>However, these principals should not be in LDAP with UIDs because they're
>never used in that aspect.
>
>
Sorry, I'm not familiar with Kerberos.
Josh Kelley
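The thread above amounts to a checklist for a Samba PDC's LDAP backend: one sambaDomain object with a valid sambaSID, the Domain Admins/Users/Guests groups as posixGroup + sambaGroupMapping entries with the right SIDs, a real user whose SID sits in Domain Admins' sambaSIDList, and a sambaSamAccount entry for root that is deliberately not a posixAccount (so Unix never sees a second uid 0). The script below is an added example, not code from this thread or from the Samba project; it audits an LDIF export for exactly those points and flags the case the reply warns about, a root entry that has grown a posixAccount/uidNumber and thus become a Unix-visible uid 0 user. The sample directory, the EXAMPLE domain, its SID and base DN, and the parse_ldif/audit function names are all constructed for illustration; the RIDs 512/513/514 are Samba's well-known ones for those groups.

```python
"""Audit the LDAP prerequisites for a Samba 3 PDC from an LDIF export.
Added example, not code from the thread or from Samba. Assumes a plain LDIF
dump (as ldapsearch -LLL prints); the data below is constructed sample data."""
import re
from collections import defaultdict

# Well-known RIDs of the built-in groups; a group's sambaSID must be the domain SID + RID.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Constructed sample directory (made-up domain SID and base DN).
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111-2222-3333

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1111-2222-3333-512
sambaSIDList: S-1-5-21-1111-2222-3333-3000

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-513

dn: cn=Domain Guests,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 514
sambaSID: S-1-5-21-1111-2222-3333-514

dn: uid=root,dc=example,dc=com
objectClass: account
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1111-2222-3333-500

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1000
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-3000
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> list of values per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()].append(value.strip())
        entries.append(dict(attrs))
    return entries

def audit(entries):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    classes = lambda e: e.get("objectClass", [])
    sid = lambda e: e.get("sambaSID", [""])[0]
    domains = [e for e in entries if "sambaDomain" in classes(e)]
    if len(domains) != 1:
        return [f"expected exactly one sambaDomain object, found {len(domains)}"]
    domain_sid = sid(domains[0])
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+", domain_sid):
        return [f"sambaDomain SID {domain_sid!r} is not a well-formed domain SID"]
    # 1. The three built-in groups exist as posixGroup+sambaGroupMapping with the right SID.
    groups = {e["cn"][0]: e for e in entries if "sambaGroupMapping" in classes(e)}
    for name, rid in WELL_KNOWN_RIDS.items():
        g = groups.get(name)
        if g is None or "posixGroup" not in classes(g):
            findings.append(f"group {name!r} is missing or not a posixGroup+sambaGroupMapping")
        elif sid(g) != f"{domain_sid}-{rid}":
            findings.append(f"group {name!r} has SID {sid(g)!r}, expected {domain_sid}-{rid}")
    users = [e for e in entries if "sambaSamAccount" in classes(e)]
    # 2. At least one real Unix user (posixAccount) is listed in Domain Admins.
    admin_sids = set(groups.get("Domain Admins", {}).get("sambaSIDList", []))
    if not any("posixAccount" in classes(u) and sid(u) in admin_sids for u in users):
        findings.append("no posixAccount+sambaSamAccount user appears in Domain Admins' sambaSIDList")
    # 3. root needs a sambaSamAccount entry but must stay Samba-only: a
    #    posixAccount/uidNumber on it would make a second uid 0 resolvable via NSS.
    roots = [u for u in users if u.get("uid", [""])[0] == "root"]
    if not roots:
        findings.append("no sambaSamAccount entry for root")
    for r in roots:
        if "posixAccount" in classes(r) or "uidNumber" in r:
            findings.append("root entry carries posixAccount/uidNumber: it is a real uid 0 Unix user, not a Samba-only account")
    return findings

if __name__ == "__main__":
    for line in audit(parse_ldif(SAMPLE_LDIF)) or ["all checks passed"]:
        print(line)
```

Run it against a real export with `ldapsearch -LLL -x -b "dc=example,dc=com" > dump.ldif` and feed the file's contents to `audit(parse_ldif(...))`; it reads the directory only, so it can be run from a read-only bind and does not need the ldap admin dn. SeMachineAccountPrivilege is not checked here because Samba keeps privilege assignments in its own tdb files rather than in LDAP.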