[Samba] LDAP proxy auth

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 25 15:18:25 MDT 2014

On 25/10/14 22:07, Lars Hanke wrote:
> Am 25.10.2014 22:23, schrieb steve:
>> On 25/10/14 21:33, Lars Hanke wrote:
>>> During my test phase I used to manage POSIX attributes in my AD using
>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>> impossible unless I logged in as Administrator, since the principal is
>>> tied to the user account - be it only for NFS4. ;) Administrator so far
>>> is not even a POSIX user.
>>> My first idea was to join my POSIX user to some group, which is allowed
>>> to modify user data. Does samba4 recognize this? And which group would
>>> be the correct one?
>>> Alternatively, is there a way to simple bind with Administrator access
>>> rights?
>>> Thanks for your help,
>>> - lars.
>> Hi Lars
>> Kerberos expects the root cache under /tmp. I've asked before if you are
>> using systemd, which puts the cache under /run/user/0. Of course
>> /run/user/0 does not exist unless root has logged in and so root cannot
>> obtain a ticket unless he is logged in already. The only way is to
>> workaround [1]:
> No, I'm not using systemd and my users' keytabs are in /tmp. Searching 
> harder I found a solution for the alternative in my own notes:
> ldapmodify -H ldap://samba.example.com -D "cn=Administrator,cn=Users,dc=example,dc=com" -W -x -ZZ < changeIt.ldif
> Works as I wanted it. I probably leave it like this. My original idea 
> was making:
> ldapmodify -H ldap://samba.example.com -Y GSSAPI < changeIt.ldif
> work. This would require me, i.e. my user account, to be allowed to do 
> the changes, as Administrator does. I added my account to "Domain 
> Admins", but I still get:
> ldap_modify: Insufficient access (50)
> Should I consider another group, or is Administrator simply special in 
> its own right, e.g. by LDAP ACL?
Hi Lars, this is the command I use to modify records in AD:

ldbmodify --url=ldap://dc1.example.com --kerberos=yes --krb5-ccache=/tmp/krb5cc_s4admin /tmp/user.ldif

s4admin is a user I created to carry out the modifications.

Doing it this way means that you do not have to put a password into any 
file or supply it either as an argument to a script or when prompted 
when the script runs.
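The unattended form of the approach in the reply above, as an added example that is not part of this thread and not Samba's own code: a dedicated modification account obtains its ticket from a keytab into a private credential cache, the script applies a POSIX-attribute LDIF with ldbmodify using that cache, and the ticket is destroyed afterwards. The realm, DC hostname, keytab path, account name, attribute values and the user DN are all assumptions; the tool options are the ones shown in the reply.

```bash
#!/bin/sh
# Added example (not from the original thread or from Samba). Sets RFC2307
# POSIX attributes on an AD user via ldbmodify, authenticating as a dedicated
# account from a keytab, so no password is typed, scripted or stored in
# clear text. All names below are assumptions.
set -eu

REALM="EXAMPLE.COM"                     # assumption
DC_URL="ldap://dc1.example.com"         # assumption
PRINC="s4admin@${REALM}"                # dedicated modification account, as in the reply
KEYTAB="/etc/samba/s4admin.keytab"      # assumption; keep it root-owned, mode 0600
CCACHE="/tmp/krb5cc_s4admin"            # private cache path, as in the reply

# Emit an LDIF that replaces the POSIX attributes of an existing user.
# Pure text generation; no DC is needed to exercise it.
build_posix_ldif() {
    dn="$1"; uid="$2"; gid="$3"; home="$4"; shell="$5"
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'replace: loginShell\nloginShell: %s\n-\n' "$shell"
}

# Get a TGT for the service account from the keytab unless the private cache
# already holds an unexpired one (klist -s is silent and reports via exit code).
ensure_ticket() {
    if ! KRB5CCNAME="$CCACHE" klist -s 2>/dev/null; then
        # umask so the cache file is created readable by this user only
        ( umask 077; kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINC" )
    fi
}

# Apply an LDIF with Samba's ldbmodify, using the same options as the reply.
apply_ldif() {
    ldbmodify --url="$DC_URL" --kerberos=yes --krb5-ccache="$CCACHE" "$1"
}

main() {
    ldif="$(mktemp)"
    trap 'rm -f "$ldif"' EXIT
    # Hypothetical target user and values
    build_posix_ldif "CN=Lars Hanke,CN=Users,DC=example,DC=com" \
        10001 10000 /home/lars /bin/bash > "$ldif"
    ensure_ticket
    apply_ldif "$ldif"
    # Drop the ticket once the change is applied; the cache is not needed between runs
    kdestroy -c "$CCACHE"
}

# Run with RUN_AD_MODIFY=1 ./s4admin-modify.sh; otherwise only define the functions
if [ "${RUN_AD_MODIFY:-0}" = 1 ]; then
    main "$@"
fi
```

Create the keytab for s4admin once (for example with ktutil or samba-tool's domain export, depending on where the account lives) and protect it like a private key: anyone who can read it can authenticate as the account, so the secret has moved from a password file to a keytab file rather than disappeared. The kinit/ldbmodify/kdestroy functions need a reachable DC; build_posix_ldif can be checked on its own.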
