[Samba] LDAP proxy auth

Harry Jede walk2sun at arcor.de
Sat Oct 25 16:01:39 MDT 2014

On 22:54:55 wrote Lars Hanke:
> During my test phase I used to manage POSIX attributes in my AD using
> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
> impossible unless I logged in as Administrator, since the principal
> is tied to the user account - be it only for NFS4. ;) Administrator
> so far is not even a POSIX user.
> My first idea was to join my POSIX user to some group, which is
> allowed to modify user data. Does samba4 recognize this?

> And which
> group would be the correct one?
Domain Admins
> Alternatively, is there a way to simple bind with Administrator
> access rights?

Get your admin dn  on your dc:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=administrator dn|grep 
dn: CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan

Use this dn on any PC on your network, even if the PC is
 not joined to your domain.

ldapsearch -xLLL -D CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan -W 
-H ldap://dc0 -b DC=ad,DC=schule,DC=lan '(objectclass=user)' dn

No need for kerberos or ssl. But do not forget:
 all data is transfered in clear text. :-(

> Thanks for your help,
> - lars.


	Harry Jede

More information about the samba mailing list