[Samba] Authenticating other services against AD - PAM and Postgres - dedicated user

Marc Muehlfeld mmuehlfeld at samba.org
Thu Mar 5 12:53:31 MST 2015


Hello Jakub,

Oh. I forgot this page. It was one of the first I wrote. It's really
unclear and needs to be rewritten. But good if it helped anyway. :-)

On 05.03.2015 at 09:54, Jakub Kulesza wrote:
> I've migrated my environment from a samba3 NT domain, where I had an LDAP backend
> for users and I used that to authenticate other services against it, like
> PAM on other servers and Postgres DBs. I have successfully managed to do this
> as well using Samba4 and this howto:
> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
> chapter "OpenLDAP proxy to AD". But I had to leave administrator credentials
> on the server for the PAM and PAM on Postgres to work.
> 
> Question: what is your recommendation on creating a samba user, that is
> only allowed to list users and groups for the sole purpose of connecting
> through OpenLDAP proxy to PAM?

If it only works with admin credentials, then you are trying to access data
that a normal user account isn't allowed to read. You can set directory ACLs
via ADUC on containers or the whole domain, like you do on folders.

The ACLs can be granted fine-grained down to attribute level. I
described this here
https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions
using the wizard (sorry, another of my early pages that needs to be
rewritten).

But make sure you have a working backup before you change directory
ACLs. You can't reset them if you break something.


Regards,
Marc
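As an added illustration of the point raised in this thread (not code from the thread or from the Samba wiki page it links), here is what the OpenLDAP back-ldap proxy definition looks like when the domain Administrator bind is replaced by a dedicated, unprivileged service account. The suffix, host names, the `ldap-proxy` account and both passwords are assumed placeholders; the only real directives are the slapd-ldap(5) ones shown.

```conf
# slapd.conf fragment for an OpenLDAP back-ldap proxy in front of Samba AD.
# Added example; DNs, host names and the service account name are assumed.

# Weak form: the proxy stores domain Administrator credentials. Anyone who
# can read this file or the slapd process memory owns the whole domain.
#database      ldap
#suffix        "dc=samdom,dc=example,dc=com"
#uri           "ldap://dc1.samdom.example.com"
#idassert-bind bindmethod=simple
#              binddn="cn=Administrator,cn=Users,dc=samdom,dc=example,dc=com"
#              credentials="ADMIN-PASSWORD-PLACEHOLDER"
#              mode=none

# Hardened form: a dedicated account with no group memberships beyond the
# default Domain Users, created beforehand with
#   samba-tool user create ldap-proxy
# It only needs the read access that PAM/Postgres lookups of user and
# group objects require, which an ordinary domain user already has for the
# usual attributes (uid, uidNumber, gidNumber, memberOf, ...).
database      ldap
suffix        "dc=samdom,dc=example,dc=com"
# Use LDAPS so the service account password is never sent in the clear.
uri           "ldaps://dc1.samdom.example.com"
# Lookups that reach the proxy without a client bind are forwarded to AD
# as ldap-proxy. mode=none means no proxy-authorization control is sent,
# which AD does not support anyway.
idassert-bind bindmethod=simple
              binddn="cn=ldap-proxy,cn=Users,dc=samdom,dc=example,dc=com"
              credentials="SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER"
              mode=none
```

Before pointing PAM or Postgres at the proxy, check from a client host that the service account actually sees what the clients need, for example `ldapsearch -x -H ldap://proxy.example.com -D "cn=ldap-proxy,cn=Users,dc=samdom,dc=example,dc=com" -W -b "dc=samdom,dc=example,dc=com" "(objectClass=user)" sAMAccountName uidNumber`. If a required attribute comes back empty for this account but is present when binding as Administrator, that attribute is the one to delegate read access for in ADUC, rather than falling back to the admin credentials. Keep the file readable only by the slapd user (`chmod 600`, owned by the user slapd runs as).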

