[Samba] LDAP proxy auth

steve steve at steve-ss.com
Sat Oct 25 14:31:59 MDT 2014

On 25/10/14 22:23, Rowland Penny wrote:
> On 25/10/14 20:33, Lars Hanke wrote:
>> During my test phase I used to manage POSIX attributes in my AD using
>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>> impossible unless I logged in as Administrator, since the principal is
>> tied to the user account - be it only for NFS4. ;) Administrator so
>> far is not even a POSIX user.
>> My first idea was to join my POSIX user to some group, which is
>> allowed to modify user data. Does samba4 recognize this? And which
>> group would be the correct one?
>> Alternatively, is there a way to simple bind with Administrator access
>> rights?
>> Thanks for your help,
>> - lars.
> Investigate ldb-tools and Kerberos; you will need a keytab, but if you
> use winbind, this will be created for you.
> Rowland
But not if he's on the DC. In that case he could use the MACHINE$ or
host/ keys at /path/to/samba/private/secrets.keytab or, I'm almost
certain that our counterparts on the Kerberos list would recommend he
nominates an unprivileged domain user and creates the default keytab
containing that key.
