[Samba] LDAP proxy auth

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 25 15:39:40 MDT 2014

On 25/10/14 22:27, Lars Hanke wrote:
> On 25.10.2014 23:18, Rowland Penny wrote:
>> On 25/10/14 22:07, Lars Hanke wrote:
>>> On 25.10.2014 22:23, steve wrote:
>>>> On 25/10/14 21:33, Lars Hanke wrote:
>>>>> During my test phase I used to manage POSIX attributes in my AD using
>>>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>>>> impossible unless I logged in as Administrator, since the principal is
>>>>> tied to the user account - be it only for NFS4. ;) Administrator so far
>>>>> is not even a POSIX user.
>>>>> My first idea was to join my POSIX user to some group, which is allowed
>>>>> to modify user data. Does samba4 recognize this? And which group would
>>>>> be the correct one?
>>>>> Alternatively, is there a way to simple bind with Administrator access
>>>>> rights?
>>>>> Thanks for your help,
>>>>> - lars.
>>>> Hi Lars
>>>> Kerberos expects the root cache under /tmp. I've asked before if you are
>>>> using systemd, which puts the cache under /run/user/0. Of course
>>>> /run/user/0 does not exist unless root has logged in and so root cannot
>>>> obtain a ticket unless he is logged in already. The only way is to
>>>> workaround [1]:
>>> No, I'm not using systemd and my users' keytabs are in /tmp. Searching
>>> harder I found a solution for the alternative in my own notes:
>>> ldapmodify -H ldap://samba.example.com -D
>>> "cn=Administrator,cn=Users,dc=example,dc=com" -W -x -ZZ < changeIt.ldif
>>> Works as I wanted it. I probably leave it like this. My original idea
>>> was making:
>>> ldapmodify -H ldap://samba.example.com -Y GSSAPI < changeIt.ldif
>>> work. This would require me, i.e. my user account, to be allowed to do
>>> the changes, as Administrator does. I added my account to "Domain
>>> Admins", but I still get:
>>> ldap_modify: Insufficient access (50)
>>> Should I consider another group, or is Administrator simply special in
>>> its own right, e.g. by LDAP ACL?
>> Hi Lars, this the command I use to modify records in AD:
>> ldbmodify --url=ldap://dc1.example.com --kerberos=yes
>> --krb5-ccache=/tmp/krb5cc_s4admin /tmp/user.ldif
>> s4admin is a user I created to carry out the modifications
>> Doing it this way means that you do not have to put a password into any
>> file or supply it either as an argument to a script or when prompted
>> when the script runs.
> Specifying the cache is a nice option in ldb-tools. But actually the
> first part of my question could be rephrased as:
> How did you create s4admin, such that she has the required access
> privileges?
> Thanks for the pointer,
>  - lars.
Create the user with samba-tool, using the '--random-password' option. 
Once the user is created, use samba-tool again to stop the user expiring: 
'samba-tool user setexpiry s4admin --noexpiry'

OK, you now have a non-expiring user s4admin, you now need his keytab:

samba-tool domain exportkeytab /etc/s4admin.keytab --principal=s4admin

You will need to either ensure that the kerberos cache is updated 
regularly by cron, or make the script check and update the cache if 
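
As an added example (not Rowland's or Samba's own code), a POSIX shell wrapper for the last step above: it refreshes the /tmp/krb5cc_s4admin cache from /etc/s4admin.keytab only when klist reports the cached ticket missing or expired, then runs the ldbmodify command from Rowland's earlier reply. The kinit -k -t -c and klist -s -c flags are MIT/Heimdal options assumed to be installed; dc1.example.com and the LDIF path are the thread's placeholders.

```shell
#!/bin/sh
# Keytab-backed ldbmodify wrapper (example code, not from the thread).
# Assumptions: the s4admin user, its keytab and cache path come from the
# thread; the DC URL is the thread's placeholder. Override via environment.
set -e

CCACHE="${CCACHE:-/tmp/krb5cc_s4admin}"
KEYTAB="${KEYTAB:-/etc/s4admin.keytab}"
PRINCIPAL="${PRINCIPAL:-s4admin}"
DC_URL="${DC_URL:-ldap://dc1.example.com}"

# Return 0 if the cache file exists and klist -s reports a non-expired TGT
# in it; klist -s prints nothing and signals the result via exit status.
ticket_valid() {
    ccache=$1
    [ -r "$ccache" ] || return 1
    klist -s -c "$ccache" 2>/dev/null
}

# Obtain a fresh TGT from the keytab into the cache; no password is typed
# or stored anywhere but the keytab, which is the point of Rowland's setup.
refresh_ticket() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL"
}

# Make sure the cache is usable before touching LDAP. Prints which path
# was taken ("cached" or "refreshed") so a cron log shows refresh activity.
ensure_ticket() {
    if ticket_valid "$CCACHE"; then
        echo cached
    else
        refresh_ticket
        echo refreshed
    fi
}

# Apply one LDIF file with the keytab-backed cache (Rowland's command).
apply_ldif() {
    ldif=$1
    ensure_ticket >/dev/null
    ldbmodify --url="$DC_URL" --kerberos=yes --krb5-ccache="$CCACHE" "$ldif"
}

# Usage: ./s4admin-modify.sh /tmp/user.ldif  (nothing runs without an argument,
# so the file can also be sourced for its functions)
if [ "$#" -gt 0 ]; then
    apply_ldif "$1"
fi
```

Run it from cron as the account that owns the keytab; the cache is only rewritten when the ticket has actually lapsed, so normal runs leave it untouched.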