[Samba] LDAP proxy auth
Lars Hanke
debian at lhanke.de
Sat Oct 25 15:07:37 MDT 2014
Am 25.10.2014 22:23, schrieb steve:
> On 25/10/14 21:33, Lars Hanke wrote:
>> During my test phase I used to manage POSIX attributes in my AD using
>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>> impossible unless I logged in as Administrator, since the principal is
>> tied to the user account - be it only for NFS4. ;) Administrator so far
>> is not even a POSIX user.
>>
>> My first idea was to join my POSIX user to some group, which is allowed
>> to modify user data. Does samba4 recognize this? And which group would
>> be the correct one?
>>
>> Alternatively, is there a way to simple bind with Administrator access
>> rights?
>>
>> Thanks for your help,
>> - lars.
>
> Hi Lars
> Kerberos expects the root cache under /tmp. I've asked before if you are
> using systemd, which puts the cache under /run/user/0. Of course
> /run/user/0 does not exist unless root has logged in and so root cannot
> obtain a ticket unless he is logged in already. The only way is to
> workaround [1]:
No, I'm not using systemd and my users' keytabs are in /tmp. Searching
harder I found a solution for the alternative in my own notes:
ldapmodify -H ldap://samba.example.com -D
"cn=Administrator,cn=Users,dc=example,dc=com" -W -x -ZZ < changeIt.ldif
Works as I wanted it. I probably leave it like this. My original idea
was making:
ldapmodify -H ldap://samba.example.com -Y GSSAPI < changeIt.ldif
work. This would require me, i.e. my user account, to be allowed to do
the changes, as Administrator does. I added my account to "Domain
Admins", but I still get:
ldap_modify: Insufficient access (50)
Should I consider another group, or is Administrator simply special in
its own right, e.g. by LDAP ACL?
More information about the samba
mailing list