[Samba] LDAP proxy auth

[Rowland Penny]

On 25/10/14 21:31, steve wrote:
> On 25/10/14 22:23, Rowland Penny wrote:
>> On 25/10/14 20:33, Lars Hanke wrote:
>>> During my test phase I used to manage POSIX attributes in my AD using
>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>> impossible unless I logged in as Administrator, since the principal is
>>> tied to the user account - be it only for NFS4. ;) Administrator so
>>> far is not even a POSIX user.
>>>
>>> My first idea was to join my POSIX user to some group, which is
>>> allowed to modify user data. Does samba4 recognize this? And which
>>> group would be the correct one?
>>>
>>> Alternatively, is there a way to simple bind with Administrator access
>>> rights?
>>>
>>> Thanks for your help,
>>> - lars.
>> investigate ldb-tools and kerberos, you will need a keytab, but if you
>> use winbind, this will be created for you.
>>
>> Rowland
>>
> But not if he's on the DC. In that case he could use the MACHINE$ or 
> host/ keys at /path/to/samba/private/secrets.keytab or, I'm almost 
> certain that our counterparts of the kerberos list would recommend he 
> nominates an unprivileged domain user and creates the default keytab 
> containing that key.
> José
>
Yep, quite correct about the keytab on the DC, but little steps one by 
one, if he can find out how to get samba-tool to export the keytab, he 
should then be able to find out that it is better to use an unprivileged 
user instead of Administrator.

Rowland