[Samba] LDAP proxy auth

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 25 14:38:24 MDT 2014

On 25/10/14 21:31, steve wrote:
> On 25/10/14 22:23, Rowland Penny wrote:
>> On 25/10/14 20:33, Lars Hanke wrote:
>>> During my test phase I used to manage POSIX attributes in my AD using
>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>> impossible unless I logged in as Administrator, since the principal is
>>> tied to the user account - be it only for NFS4. ;) Administrator so
>>> far is not even a POSIX user.
>>> My first idea was to join my POSIX user to some group, which is
>>> allowed to modify user data. Does samba4 recognize this? And which
>>> group would be the correct one?
>>> Alternatively, is there a way to simple bind with Administrator access
>>> rights?
>>> Thanks for your help,
>>> - lars.
>> Investigate ldb-tools and Kerberos. You will need a keytab, but if you
>> use winbind, this will be created for you.
>> Rowland
> But not if he's on the DC. In that case he could use the MACHINE$ or 
> host/ keys at /path/to/samba/private/secrets.keytab or, I'm almost 
> certain that our counterparts of the kerberos list would recommend he 
> nominates an unprivileged domain user and creates the default keytab 
> containing that key.
> José
Yep, quite correct about the keytab on the DC, but little steps one by 
one: if he can find out how to get samba-tool to export the keytab, he 
should then be able to find out that it is better to use an unprivileged 
user instead of Administrator.