[Samba] LDAP proxy auth

[Rowland Penny]

On 25/10/14 22:27, Lars Hanke wrote:
> Am 25.10.2014 23:18, schrieb Rowland Penny:
>> On 25/10/14 22:07, Lars Hanke wrote:
>>> Am 25.10.2014 22:23, schrieb steve:
>>>> On 25/10/14 21:33, Lars Hanke wrote:
>>>>> During my test phase I used to manage POSIX attributes in my AD using
>>>>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>>>>> impossible unless I logged in as Administrator, since the 
>>>>> principal is
>>>>> tied to the user account - be it only for NFS4. ;) Administrator 
>>>>> so far
>>>>> is not even a POSIX user.
>>>>>
>>>>> My first idea was to join my POSIX user to some group, which is 
>>>>> allowed
>>>>> to modify user data. Does samba4 recognize this? And which group 
>>>>> would
>>>>> be the correct one?
>>>>>
>>>>> Alternatively, is there a way to simple bind with Administrator 
>>>>> access
>>>>> rights?
>>>>>
>>>>> Thanks for your help,
>>>>> - lars.
>>>>
>>>> Hi Lars
>>>> Kerberos expects the root cache under /tmp. I've asked before if 
>>>> you are
>>>> using systemd, which puts the cache under /run/user/0. Of course
>>>> /run/user/0 does not exist unless root has logged in and so root 
>>>> cannot
>>>> obtain a ticket unless he is logged in already. The only way is to
>>>> workaround [1]:
>>>
>>> No, I'm not using systemd and my users' keytabs are in /tmp. Searching
>>> harder I found a solution for the alternative in my own notes:
>>>
>>> ldapmodify -H ldap://samba.example.com -D
>>> "cn=Administrator,cn=Users,dc=example,dc=com" -W -x -ZZ < changeIt.ldif
>>>
>>> Works as I wanted it. I probably leave it like this. My original idea
>>> was making:
>>>
>>> ldapmodify -H ldap://samba.example.com -Y GSSAPI < changeIt.ldif
>>>
>>> work. This would require me, i.e. my user account, to be allowed to do
>>> the changes, as Administrator does. I added my account to "Domain
>>> Admins", but I still get:
>>>
>>> ldap_modify: Insufficient access (50)
>>>
>>> Should I consider another group, or is Administrator simply special in
>>> its own right, e.g. by LDAP ACL?
>>>
>>>
>> Hi Lars, this the command I use to modify records in AD:
>>
>> ldbmodify --url=ldap://dc1.example.com --kerberos=yes
>> --krb5-ccache=/tmp/krb5cc_s4admin /tmp/user.ldif
>>
>> s4admin is a user I created to carry out the modifications
>>
>> Doing it this way means that you do not have to put a password into any
>> file or supply it either as an argument to a script or when prompted
>> when the script runs.
>
> Specifiying the cache is a nice option in ldb-tools. But actually the 
> first part of my question could be rephrased as:
>
> How did you create s4admin, such that she has the required access 
> privileges?
>
> Thanks for the pointer,
>  - lars.
>
create the  user with samba-tool, use the '--random-password' option, 
once the user is created, use samba-tool again to stop the user expiring 
'samba-tool user setexpiry s4admin --noexpiry'

OK, you now have a non-expiring user s4admin, you now need his keytab:

samba-tool domain exportkeytab /etc/s4admin.keytab --principal=s4admin

You will need to either ensure that the kerberos cache is update 
regularly by cron, or make the script check and update the cache if 
required.

Rowland