[Samba] LDAP proxy auth

Lars Hanke debian at lhanke.de
Sat Oct 25 16:43:32 MDT 2014

On 26.10.2014 00:01, Harry Jede wrote:
> On 22:54:55, Lars Hanke wrote:
>> During my test phase I used to manage POSIX attributes in my AD using
>> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
>> impossible unless I logged in as Administrator, since the principal
>> is tied to the user account - be it only for NFS4. ;) Administrator
>> so far is not even a POSIX user.
>> My first idea was to join my POSIX user to some group, which is
>> allowed to modify user data. Does samba4 recognize this?
> Yes
>> And which
>> group would be the correct one?
> Domain Admins
>> Alternatively, is there a way to simple bind with Administrator
>> access rights?
> Yes
> Get your admin dn  on your dc:
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=administrator dn | grep ^dn
> dn: CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan
> Use this dn on any PC on your network, even if the PC is
>   not joined to your domain.
> ldapsearch -xLLL -D CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan -W -H ldap://dc0 -b DC=ad,DC=schule,DC=lan '(objectclass=user)' dn
> No need for kerberos or ssl. But do not forget:
>   all data is transfered in clear text. :-(

This can be helped by setting up TLS:

ldapmodify -H ldap://samba.ad.microsult.de -D "cn=Administrator,cn=Users,dc=ad,dc=microsult,dc=de" -W -x -ZZ <


Now that this is solved, I got to find out why ldap-tools work like a 
charm, but python-ldap all of a sudden has authentication problems using 
the same GSSAPI. >:(
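
The point Harry makes about cleartext, and the reason -ZZ fixes it, is easier to see on the wire than in a man page. The following is an added example, not code from this thread or from the Samba project: a minimal BER encoder/decoder for the two LDAPv3 messages involved, using only the Python standard library. It builds the simple BindRequest that `ldapsearch -x -D <dn> -W` sends, shows that a passive observer on a plain ldap:// session recovers the DN and password verbatim from it, and builds the StartTLS ExtendedRequest that `-ZZ` sends before any bind (RFC 4511, OID 1.3.6.1.4.1.1466.20037). The DN is the one from Harry's post; the password is a constructed sample value.

```python
"""Added example (not from the Samba thread or the Samba project): BER encoding
of an LDAPv3 simple BindRequest and of the StartTLS ExtendedRequest, plus a
decoder that plays the role of an on-path observer of a cleartext ldap://
session.  Standard library only.  Credentials below are constructed samples."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """BER INTEGER for non-negative n; a leading 0x00 keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    This is what `ldapsearch -x -D <dn> -W` puts on the wire; nothing is encrypted."""
    bind = (ber_int(3)
            + tlv(0x04, dn.encode())          # name: LDAPDN as OCTET STRING
            + tlv(0x80, password.encode()))   # authentication: simple [0], primitive, cleartext
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))  # 0x60 = [APPLICATION 0], constructed


def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID } }.
    This is what `-ZZ` sends before the bind; the second Z makes the client abort if it fails."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))  # 0x77 = [APPLICATION 23]


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """What a passive observer recovers from one LDAPMessage on a cleartext session:
    (dn, password) for a simple bind, None for anything else (StartTLS request,
    or a SASL bind such as -Y GSSAPI, which carries no cleartext password)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)       # messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                        # not a BindRequest
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:                      # SASL ([3], 0xA3) rather than simple ([0])
        return None
    return name.decode(), auth.decode()


if __name__ == "__main__":
    # Constructed sample: Harry's Administrator DN with a made-up password.
    pkt = simple_bind_request(1, "CN=Administrator,CN=Users,DC=ad,DC=schule,DC=lan", "Sample-Passw0rd")
    print(pkt.hex())
    print(sniff_simple_bind(pkt))                    # DN and password, recovered verbatim
    print(starttls_request(1).hex())                 # the first thing -ZZ sends
    print(sniff_simple_bind(starttls_request(1)))    # None: nothing to harvest from it
```

With `-ZZ` the bind above travels inside the TLS session negotiated after the StartTLS response, so the observer sees only the extended request and the handshake; without it, the bytes printed first are the whole story, and so is a simple bind over `ldap://` from python-ldap or any other client.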
