[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Tue May 31 20:51:55 GMT 2005


Why would the add machine script fail? Here's a quick overview of my
setup:

All Kerberos authenticated admin users (user/admin) have write to the
entire directory
The Samba admin user has write to the relevant samba branches
All Kerberos authenticated non-admin users have read access to
non-sensitive portions of the directory.

There are three users that could be involved in this process:

leggett : A normal user (inetOrgPerson, posizUser, sambaSamAccount) who
is a Domain Admin. Does not have write access to the directory. Password
stored in Kerberos, sambaNTPassword stored in LDAP.

samba_server : An LDAP user (person, uidObject) who has write access to
the directory. Password stored in LDAP. sambaNTPassword not in LDAP as
user isn't a sambaSamAccount

root: A local unix user who has an entry in LDAP (person,
sambaSamAccount). Does not have write access to the directory. Password
is kept locally, sambaNTPassword kept in LDAP. Password and
sambaNTPassword are not the same.


So let me make sure I have all this straight on how it all works.

leggett, a Domain Admin, uses the SeMachineAccountPrivilege to add the
machine to the Samba domain. In this process smbd queries LDAP as
samba_server to see if the machine account is already created. If it's
not, smbd changes to root and calls the script in the "add machine
script" directive. That script should be responsible for changing to a
user or gaining Kerberos credentials to write to the directory.

Is that about right?

On Mon, 2005-05-30 at 21:05 -0500, Gerald (Jerry) Carter wrote:
> 
> Ti Leggett wrote:
> 
> > So, here's my new question (I'm full of em): Are LDAP actions
> > done as the Samba ldap admin dn or the user doing the
> > action? It appears the latter is the case.
> 
> All LDAP actions from smbd are done as the ldap admin dn, but
> the add machine script should be called under root if the user
> has the SeMachineAccountPrivilege.
> 
> cheers, jerry
> 

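As an added illustration of the last point in the thread (not code from Samba or from either poster): an "add machine script" that smbd runs as root and that, instead of writing as the password-bearing ldap admin dn, takes its own Kerberos credentials from a root-only keytab and creates the POSIX side of the machine account over SASL/GSSAPI. The OU, group id, keytab path, principal, LDAP URL and counter file are assumed placeholders, and it assumes smbd adds the sambaSamAccount attributes itself once the entry exists.

```shell
#!/bin/sh
# Added example, not Samba's or the thread's own code. Intended for
#   add machine script = /usr/local/sbin/add-machine.sh %u
# smbd runs it as root when the caller holds SeMachineAccountPrivilege.
# All site values below are assumed placeholders.
set -eu

BASE_DN='ou=Computers,dc=example,dc=org'   # assumed OU for machine accounts
MACHINES_GID=515                           # assumed gidNumber of the "machines" group
KEYTAB=/etc/samba/add-machine.keytab       # assumed keytab, readable by root only
PRINCIPAL='samba/addmachine@EXAMPLE.ORG'   # assumed principal granted write to BASE_DN
LDAP_URI='ldap://ldap.example.org/'        # assumed directory server
COUNTER=/var/lib/samba/next-machine-uid    # assumed uidNumber counter file

# Accept only a NetBIOS-style name with a trailing '$'. Anything else
# (newlines, commas, '=') could smuggle extra LDIF lines or DN components.
valid_machine_name() {
    case "$1" in *'$') ;; *) return 1 ;; esac
    name=${1%\$}
    case "$name" in ''|-*|*[!A-Za-z0-9-]*) return 1 ;; esac
    [ ${#name} -le 15 ]
}

# Emit the LDIF for the POSIX part of the machine account (assumed: smbd
# later adds the sambaSamAccount attributes as the ldap admin dn).
machine_ldif() {
    valid_machine_name "$1" || return 1
    cat <<EOF
dn: uid=$1,$BASE_DN
objectClass: account
objectClass: posixAccount
cn: $1
uid: $1
uidNumber: $2
gidNumber: $MACHINES_GID
homeDirectory: /dev/null
loginShell: /bin/false
description: Samba machine account
EOF
}

next_uidnumber() { n=$(cat "$COUNTER"); echo $((n + 1)) > "$COUNTER"; echo "$n"; }

add_machine() {
    export KRB5CCNAME="/tmp/krb5cc_addmachine_$$"   # private cache, dropped on exit
    trap 'kdestroy >/dev/null 2>&1 || true' EXIT
    kinit -k -t "$KEYTAB" "$PRINCIPAL"              # credentials from keytab, no stored password
    machine_ldif "$1" "$(next_uidnumber)" | ldapadd -Q -Y GSSAPI -H "$LDAP_URI"
}

[ $# -eq 0 ] || add_machine "$1"
```

Grant the principal write access only to the machines OU in the directory ACLs so a compromise of the keytab cannot reach user entries.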

