[Samba] LDAP proxy auth
rowlandpenny at googlemail.com
Sat Oct 25 14:38:24 MDT 2014
On 25/10/14 21:31, steve wrote:
> On 25/10/14 22:23, Rowland Penny wrote:
>> On 25/10/14 20:33, Lars Hanke wrote:
>>> During my test phase I used to manage POSIX attributes in my AD using
>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>> impossible unless I logged in as Administrator, since the principal is
>>> tied to the user account - be it only for NFS4. ;) Administrator so
>>> far is not even a POSIX user.
>>> My first idea was to join my POSIX user to some group, which is
>>> allowed to modify user data. Does samba4 recognize this? And which
>>> group would be the correct one?
>>> Alternatively, is there a way to simple bind with Administrator access?
>>> Thanks for your help,
>>> - lars.
>> Investigate ldb-tools and Kerberos. You will need a keytab, but if you
>> use winbind, this will be created for you.
> But not if he's on the DC. In that case he could use the MACHINE$ or
> host/ keys at /path/to/samba/private/secrets.keytab or, I'm almost
> certain that our counterparts of the kerberos list would recommend he
> nominates an unprivileged domain user and creates the default keytab
> containing that key.
Yep, quite correct about the keytab on the DC, but little steps, one by
one: if he can find out how to get samba-tool to export the keytab, he
should then be able to find out that it is better to use an unprivileged
user instead of Administrator.
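The procedure the thread converges on (export a keytab for a dedicated, unprivileged domain user on the DC, get a ticket from it, then use GSSAPI against the directory), as an added example that is not from the original thread or from the Samba project. The realm EXAMPLE.COM, the DC name dc1.example.com, the service user "posixadmin", the keytab path, and the helper function names are assumptions; the script only defines functions unless given an action argument (export, ticket, set):

```shell
#!/bin/sh
# Added example (not from the thread): keytab-based, non-Administrator
# access to a Samba AD DC for setting POSIX attributes.
# REALM, DC, SVC_USER and KEYTAB are assumed values; override by env.
set -u

REALM="${REALM:-EXAMPLE.COM}"
DC="${DC:-dc1.example.com}"
SVC_USER="${SVC_USER:-posixadmin}"
KEYTAB="${KEYTAB:-/etc/samba/posixadmin.keytab}"

# Kerberos principal "user@REALM"; the realm part is always upper-case.
principal_for() {
    printf '%s@%s' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# Realm -> LDAP base DN, e.g. EXAMPLE.COM -> DC=example,DC=com
basedn_for() {
    printf 'DC=%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\./,DC=/g')"
}

# LDIF that sets uidNumber and gidNumber on CN=<user>,CN=Users,<base DN>.
# Arguments: account CN, uidNumber, gidNumber.
posix_ldif() {
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nreplace: uidNumber\nuidNumber: %s\n-\nreplace: gidNumber\ngidNumber: %s\n-\n' \
        "$1" "$(basedn_for "$REALM")" "$2" "$3"
}

# Step 1, run as root on the DC: samba-tool writes the service user's
# current Kerberos keys to a keytab. The file is password-equivalent,
# so restrict it; re-export after the user's password changes.
export_keytab() {
    samba-tool domain exportkeytab "$KEYTAB" \
        --principal="$(principal_for "$SVC_USER" "$REALM")"
    chmod 600 "$KEYTAB"
}

# Step 2: obtain a TGT from the keytab (MIT kinit syntax shown;
# Heimdal kinit takes --keytab=FILE instead of -k -t FILE).
get_ticket() {
    kinit -k -t "$KEYTAB" "$(principal_for "$SVC_USER" "$REALM")"
}

# Step 3: modify the directory with the service user's ticket via GSSAPI.
# The user must have been delegated write access to these attributes;
# it does not need to be Administrator.
set_posix_attrs() {
    posix_ldif "$1" "$2" "$3" | ldapmodify -Y GSSAPI -H "ldap://$DC"
}

case "${1:-}" in
    export) export_keytab ;;
    ticket) get_ticket ;;
    set)    set_posix_attrs "$2" "$3" "$4" ;;
    *)      ;;   # no action given: only define the functions above
esac
```

Usage on the DC: `sh posix-keytab.sh export` once, then from any host holding the keytab `sh posix-keytab.sh ticket` followed by `sh posix-keytab.sh set lars 10001 10000`. The script does not grant the service user any rights; delegating write access to the POSIX attributes (for example with `samba-tool dsacl set`) is a separate step, and a user without that delegation will get a permissions error from ldapmodify rather than a silent success.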