[Samba] LDAP proxy auth

Lars Hanke debian at lhanke.de
Sat Oct 25 15:07:37 MDT 2014

Am 25.10.2014 22:23, schrieb steve:
> On 25/10/14 21:33, Lars Hanke wrote:
>> During my test phase I used to manage POSIX attributes in my AD using
>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>> impossible unless I logged in as Administrator, since the principal is
>> tied to the user account - be it only for NFS4. ;) Administrator so far
>> is not even a POSIX user.
>> My first idea was to join my POSIX user to some group, which is allowed
>> to modify user data. Does samba4 recognize this? And which group would
>> be the correct one?
>> Alternatively, is there a way to simple bind with Administrator access
>> rights?
>> Thanks for your help,
>> - lars.
> Hi Lars
> Kerberos expects the root cache under /tmp. I've asked before if you are
> using systemd, which puts the cache under /run/user/0. Of course
> /run/user/0 does not exist unless root has logged in and so root cannot
> obtain a ticket unless he is logged in already. The only way is to
> workaround [1]:

No, I'm not using systemd and my users' keytabs are in /tmp. Searching 
harder I found a solution for the alternative in my own notes:

ldapmodify -H ldap://samba.example.com -D 
"cn=Administrator,cn=Users,dc=example,dc=com" -W -x -ZZ < changeIt.ldif

Works as I wanted it. I probably leave it like this. My original idea 
was making:

ldapmodify -H ldap://samba.example.com -Y GSSAPI < changeIt.ldif

work. This would require me, i.e. my user account, to be allowed to do 
the changes, as Administrator does. I added my account to "Domain 
Admins", but I still get:

ldap_modify: Insufficient access (50)

Should I consider another group, or is Administrator simply special in 
its own right, e.g. by LDAP ACL?

More information about the samba mailing list