[Samba] LDAP proxy auth

Lars Hanke debian at lhanke.de
Sat Oct 25 15:27:40 MDT 2014


Am 25.10.2014 23:18, schrieb Rowland Penny:
> On 25/10/14 22:07, Lars Hanke wrote:
>> Am 25.10.2014 22:23, schrieb steve:
>>> On 25/10/14 21:33, Lars Hanke wrote:
>>>> During my test phase I used to manage POSIX attributes in my AD using
>>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>>> impossible unless I logged in as Administrator, since the principal is
>>>> tied to the user account - be it only for NFS4. ;) Administrator so far
>>>> is not even a POSIX user.
>>>>
>>>> My first idea was to join my POSIX user to some group, which is allowed
>>>> to modify user data. Does samba4 recognize this? And which group would
>>>> be the correct one?
>>>>
>>>> Alternatively, is there a way to simple bind with Administrator access
>>>> rights?
>>>>
>>>> Thanks for your help,
>>>> - lars.
>>>
>>> Hi Lars
>>> Kerberos expects the root cache under /tmp. I've asked before if you are
>>> using systemd, which puts the cache under /run/user/0. Of course
>>> /run/user/0 does not exist unless root has logged in and so root cannot
>>> obtain a ticket unless he is logged in already. The only way is to
>>> workaround [1]:
>>
>> No, I'm not using systemd and my users' keytabs are in /tmp. Searching
>> harder I found a solution for the alternative in my own notes:
>>
>> ldapmodify -H ldap://samba.example.com -D
>> "cn=Administrator,cn=Users,dc=example,dc=com" -W -x -ZZ < changeIt.ldif
>>
>> Works as I wanted it. I probably leave it like this. My original idea
>> was making:
>>
>> ldapmodify -H ldap://samba.example.com -Y GSSAPI < changeIt.ldif
>>
>> work. This would require me, i.e. my user account, to be allowed to do
>> the changes, as Administrator does. I added my account to "Domain
>> Admins", but I still get:
>>
>> ldap_modify: Insufficient access (50)
>>
>> Should I consider another group, or is Administrator simply special in
>> its own right, e.g. by LDAP ACL?
>>
>>
> Hi Lars, this the command I use to modify records in AD:
>
> ldbmodify --url=ldap://dc1.example.com --kerberos=yes
> --krb5-ccache=/tmp/krb5cc_s4admin /tmp/user.ldif
>
> s4admin is a user I created to carry out the modifications
>
> Doing it this way means that you do not have to put a password into any
> file or supply it either as an argument to a script or when prompted
> when the script runs.

Specifying the cache is a nice option in ldb-tools. But actually the 
first part of my question could be rephrased as:

How did you create s4admin, such that she has the required access 
privileges?

Thanks for the pointer,
  - lars.
