[Samba] Auto generated certificates?

Andrew Bartlett abartlet at samba.org
Fri Nov 11 07:49:50 UTC 2022

On Fri, 2022-11-11 at 09:46 +0200, Harald Hannelius via samba wrote:
> On Wed, 9 Nov 2022, Rowland Penny via samba wrote:
> > On 09/11/2022 12:29, Kees van Vloten via samba wrote:
> > > You're right about kerberos, it sends encrypted data.But reading
> > > the use-case: create, modify, delete, (etc.) accounts, I don't
> > > see how that can be done with kerberos alone.
> > 
> > You can do most of those with samba-tool, the only problem would be
> > 'modify'. You can rename a user with samba-tool, but if want to
> > just change an attribute value, you will need to write a script
> > around ldbsearch and ldbmodify.
> We are actually doing this right now, from PHP through SSH. But the
> overhead of starting a SSH-session, starting smb-tool and then doing
> the operation for every user is too much when we have thousands of
> users. We also have the need to create and remove hundreds of users
> every spring and autumn.
> That's why we want to use a library in PHP and LDAP instead. If I
> understood my colleague correctly we can decrese the time for each
> operation at least one order of magnitude.

If you are making modifications like that you certainly should be using
LDAP, for better control and avoiding all the indirection.  The primary
stable remote API for Samba is direct LDAP to the LDAP server.
Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open SourceSolutions

More information about the samba mailing list