Jakub Kulesza
2015-Mar-05 08:54 UTC
[Samba] Authenticating other services against AD - PAM and Postgres - dedicated user
Hi!

I've got a samba4 PDC, fileserver and whatnot running now for a few months, a number of users log in there daily, everyone seems quite happy about how it's going.

I've migrated my environment from a samba3 NT domain, where I had an LDAP backend for users and I used that to authenticate other services against it: like PAM on other servers and Postgres DBs. I have successfully managed to do this as well using Samba4 and this howto: https://wiki.samba.org/index.php/Authenticating_other_services_against_AD chapter "openLDAP proxy to AD". But I had to leave administrator credentials on the server for the PAM and PAM on Postgres to work.

Question: what is your recommendation on creating a samba user, that is only allowed to list users and groups for the sole purpose of connecting through OpenLDAP proxy to PAM?

--
Regards,
Jakub Kulesza
Marc Muehlfeld
2015-Mar-05 19:53 UTC
[Samba] Authenticating other services against AD - PAM and Postgres - dedicated user
Hello Jakub,

Oh. I forgot this page. It was one of the first I wrote. It's really unclear and needs to be rewritten. But good if it helped anyway. :-)

On 05.03.2015 at 09:54, Jakub Kulesza wrote:
> I've migrated my environment from samba3 NTdomain, where I had LDAP backend
> for users and I used that to authenticate other services against it: like
> pam on other servers and postgres DBs. I have successfully managed to do this
> as well using Samba4 and this howto:
> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
> chapter openLDAP proxy to AD. But I had to leave administrator credentials
> on the server for the PAM and PAM on Postgres to work.
>
> Question: what is your recommendation on creating a samba user, that is
> only allowed to list users and groups for the sole purpose of connecting
> through OpenLDAP proxy to PAM?

If it only works with admin credentials, then you try to access data that a normal user account isn't allowed to read.

You can set directory ACLs via ADUC on containers or the whole domain, like you do on folders. The ACLs can be granted fine-grained, down to the attribute level. I described this here https://wiki.samba.org/index.php/Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions using the wizard (sorry, another of my early pages that needs to be re-written).

But make sure you have a working backup before you change directory ACLs. You can't reset if you break something.

Regards,
Marc
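The following script puts Jakub's question and Marc's reply into practice. It is an added example, not code from the thread, from the Samba wiki or from the Samba project: it creates a dedicated, unprivileged AD account for the OpenLDAP proxy, renders the slapd.conf `ldap` backend stanza so that the proxy binds to the DC as that account instead of as Administrator, and checks from the proxy host that the account can read users and groups but cannot write. The realm `example.internal`, the DC name `dc1.example.internal`, the account name `ldapproxy` and the password are placeholders; the slapd stanza is modelled on the wiki's proxy setup and should be checked against slapd-ldap(5) for your OpenLDAP version. The account needs no group membership: in AD, any authenticated account can read the user and group attributes PAM needs by default, so if the proxy still fails with it, grant the specific read right on the container via ADUC as Marc describes (after taking a backup), rather than falling back to Administrator. Since the account's password ends up in slapd.conf, keep that file readable only by the slapd user.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki). All names below are
# placeholders; override them through the environment.
REALM="${REALM:-example.internal}"                      # assumed AD realm
DC_HOST="${DC_HOST:-dc1.example.internal}"              # assumed DC hostname
SVC_USER="${SVC_USER:-ldapproxy}"                       # assumed sAMAccountName
SVC_PASS="${SVC_PASS:-CHANGE-ME-long-random-password}"  # placeholder password

# Turn a DNS realm into the AD base DN: example.internal -> DC=example,DC=internal
base_dn_from_realm() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# DN of an account created with "samba-tool user create" (lands in CN=Users).
service_account_dn() {
    printf 'CN=%s,CN=Users,%s\n' "$1" "$(base_dn_from_realm "$2")"
}

# Create the service account on the DC. No group membership is added: it stays
# an ordinary, non-privileged account. Only executes where samba-tool exists.
create_service_account() {
    if ! command -v samba-tool >/dev/null 2>&1; then
        echo "samba-tool not found; on the DC this would run:" >&2
        echo "  samba-tool user create $SVC_USER '<password>' --description='OpenLDAP proxy bind account'" >&2
        echo "  samba-tool user setexpiry $SVC_USER --noexpiry" >&2
        return 0
    fi
    samba-tool user create "$SVC_USER" "$SVC_PASS" \
        --description='OpenLDAP proxy bind account (read-only)' &&
    samba-tool user setexpiry "$SVC_USER" --noexpiry
}

# slapd.conf "ldap" backend stanza (assumed layout): clients still bind through
# the proxy with their own credentials, so PAM password checks reach AD, while
# lookups made on the proxy's behalf are asserted as the service account.
render_slapd_ldap_backend() {
    base_dn=$(base_dn_from_realm "$REALM")
    svc_dn=$(service_account_dn "$SVC_USER" "$REALM")
    cat <<EOF
database         ldap
readonly         yes
protocol-version 3
rebind-as-user
uri              "ldap://${DC_HOST}/"
suffix           "${base_dn}"
idassert-bind    bindmethod=simple
                 binddn="${svc_dn}"
                 credentials="${SVC_PASS}"
                 mode=none
idassert-authzFrom "*"
EOF
}

# From the proxy host: the account must be able to read what PAM/NSS need and
# must NOT be able to modify directory objects. Only executes where the
# OpenLDAP client tools exist.
verify_service_account() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not found" >&2; return 0; }
    base_dn=$(base_dn_from_realm "$REALM")
    svc_dn=$(service_account_dn "$SVC_USER" "$REALM")
    ldapsearch -x -H "ldap://${DC_HOST}/" -D "$svc_dn" -w "$SVC_PASS" \
        -b "$base_dn" '(|(objectClass=user)(objectClass=group))' \
        sAMAccountName memberOf member >/dev/null && echo "read OK as $svc_dn"
    # A write as this account is expected to fail with "Insufficient access".
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: should fail\n' "$svc_dn" |
        ldapmodify -x -H "ldap://${DC_HOST}/" -D "$svc_dn" -w "$SVC_PASS" >/dev/null 2>&1 &&
        echo "WARNING: $SVC_USER can modify directory objects; review its ACLs" >&2
    return 0
}

case "${1:-}" in
    create) create_service_account ;;
    render) render_slapd_ldap_backend ;;
    verify) verify_service_account ;;
    *)      echo "usage: $0 {create|render|verify}" >&2 ;;
esac
```

Run `create` on the DC, paste the output of `render` into slapd.conf on the proxy host (with `chmod 600` on that file), then run `verify` on the proxy host; PAM and the Postgres `ldap` auth method keep pointing at the proxy exactly as in the wiki's howto, only the credentials the proxy holds change.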