[Samba] LDAP proxy auth
Harry Jede
walk2sun at arcor.de
Sat Oct 25 16:01:39 MDT 2014
On 22:54:55 wrote Lars Hanke:
> During my test phase I used to manage POSIX attributes in my AD using
> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
> impossible unless I logged in as Administrator, since the principal
> is tied to the user account - be it only for NFS4. ;) Administrator
> so far is not even a POSIX user.
>
> My first idea was to join my POSIX user to some group, which is
> allowed to modify user data. Does samba4 recognize this?
Yes
> And which
> group would be the correct one?
Domain Admins
> Alternatively, is there a way to simple bind with Administrator
> access rights?
Yes
Get your admin dn on your dc:
# ldbsearch -H /var/lib/samba/private/sam.ldb cn=administrator dn|grep ^dn
dn: CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan
Use this dn on any PC on your network, even if the PC is
not joined to your domain.
ldapsearch -xLLL -D CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan -W -H ldap://dc0 -b DC=ad,DC=schule,DC=lan '(objectclass=user)' dn
No need for kerberos or ssl. But do not forget:
all data is transferred in clear text. :-(
>
> Thanks for your help,
> - lars.
--
Regards
Harry Jede
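
Added example, not part of the original message: a small decoder for the LDAPv3 BindRequest (RFC 4511), run on a constructed packet, showing that a simple bind over plain ldap:// carries the bind DN and the password as readable octet strings. This is why the same ldapsearch is normally run with StartTLS (-ZZ) or against ldaps://. The function names and the sample password are assumptions made for illustration.

```python
"""Decode an LDAPv3 BindRequest (RFC 4511) to show what a simple bind exposes."""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode one BER element with a short or long definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def build_simple_bind(msg_id, dn, password):
    """Constructed sample of what `ldapsearch -x -D <dn> -W` sends (msg_id < 128)."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def inspect_bind(packet):
    """Return bind DN, auth method and any cleartext password; None if not a bind."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)           # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:                     # [APPLICATION 0] BindRequest
        return None
    _, _, pos = read_tlv(op, 0)            # skip version
    _, name, pos = read_tlv(op, pos)       # bind DN, OCTET STRING
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag == 0x80:                   # [0] simple: the password itself, unencrypted
        return {"dn": name.decode(), "method": "simple", "password": auth.decode()}
    method = "sasl" if auth_tag == 0xA3 else "unknown"   # [3] sasl, e.g. -Y GSSAPI
    return {"dn": name.decode(), "method": method, "password": None}

if __name__ == "__main__":
    pkt = build_simple_bind(1, "CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan", "example-password")
    print(inspect_bind(pkt))               # password below is a constructed sample value
```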