[Samba] LDAP proxy auth

steve steve at steve-ss.com
Sat Oct 25 14:23:03 MDT 2014

On 25/10/14 21:33, Lars Hanke wrote:
> During my test phase I used to manage POSIX attributes in my AD using
> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
> impossible unless I logged in as Administrator, since the principal is
> tied to the user account - be it only for NFS4. ;) Administrator so far
> is not even a POSIX user.
> My first idea was to join my POSIX user to some group, which is allowed
> to modify user data. Does samba4 recognize this? And which group would
> be the correct one?
> Alternatively, is there a way to simple bind with Administrator access
> rights?
> Thanks for your help,
> - lars.

Hi Lars
Kerberos expects the root cache under /tmp. I've asked before if you are 
using systemd, which puts the cache under /run/user/0. Of course 
/run/user/0 does not exist unless root has logged in and so root cannot 
obtain a ticket unless he is logged in already. The only way is to 
workaround [1]:

See if this helps when added to [libdefaults] at /etc/krb5.conf:
  default_ccache_name = /tmp/krb5cc_%{uid}

Now create a keytab and extract the key for a domain user therein:
kinit -k -t /your/keytab adminuser

The combination of the two will obtain a ticket without the need for 
root to authenticate.

'The only way...'? Kerberos blames systemd and systemd doesn't know what 
Kerberos is.
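As an added illustration (not part of the thread above, and not Samba or MIT Kerberos code), the following POSIX sh functions show what the `default_ccache_name` setting actually decides: they read the template from the [libdefaults] section of a krb5.conf, expand the `%{uid}` token for a given uid, and check whether the directory that would hold the cache exists. The sample configuration, the `/run/user/%{uid}/krb5cc` template used as the "before" case and the uid values are constructed for the demo; only the `/tmp/krb5cc_%{uid}` line comes from the message.

```shell
#!/bin/sh
# Added example, not from the original thread: inspect which credential cache
# path a krb5.conf hands to a user, and whether that path can exist before the
# user has a login session.

# Print the default_ccache_name found in the [libdefaults] section of the
# krb5.conf given as $1. Only that section is consulted; the same key in any
# other section is ignored, which mirrors how the setting is looked up.
ccache_template() {
    awk '
        /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_libdefaults && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[ \t]*default_ccache_name[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Expand the %{uid} token of a cache template ($1) for the numeric uid $2.
expand_ccache() {
    printf '%s\n' "$1" | sed "s/%{uid}/$2/g"
}

# Return 0 when the directory that would contain the cache exists, 1 otherwise.
# A FILE: prefix is stripped first; other cache types are out of scope here.
ccache_dir_ok() {
    path=${1#FILE:}
    dir=$(dirname "$path")
    [ -d "$dir" ]
}

# Demo: compare a constructed systemd-style template against the /tmp one from
# the message for uid 0, i.e. root before anyone has logged in.
demo() {
    cfg=$(mktemp) || return 1
    # Constructed sample krb5.conf; the [logging] entry is a decoy that must
    # not be picked up because it is outside [libdefaults].
    cat > "$cfg" <<'EOF'
[logging]
 default_ccache_name = /should/be/ignored

[libdefaults]
 default_realm = EXAMPLE.COM
 default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
EOF
    tmpl=$(ccache_template "$cfg")
    rm -f "$cfg"

    for candidate in "/run/user/%{uid}/krb5cc" "$tmpl"; do
        path=$(expand_ccache "$candidate" 0)
        if ccache_dir_ok "$path"; then
            printf '%-28s -> %-22s directory exists\n' "$candidate" "$path"
        else
            printf '%-28s -> %-22s directory MISSING (no session yet)\n' \
                "$candidate" "$path"
        fi
    done
}

demo
```

On a host where root has no active session, the first line reports `/run/user/0/krb5cc` as missing while `/tmp/krb5cc_0` resolves to an existing directory, which is exactly the difference the message is pointing at. The functions only check the directory, not the cache file itself, so they are safe to run as any user.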

