Hi,

I recently tried to set up a special PDF creation service for a customer. The Samba3 server is an AD2003 member server. Since the created PDF files need to be sent via e-mail to the creators, I need to issue an LDAP query against the AD, like

ldapsearch -h 10.243.50.22 -Y GSSAPI -b "ou=user,ou=... ..." \
    -LLL '(cn=lastname firstname*)' mail

As long as I run this command as root everything is okay. Since ldapsearch isn't setuid root, and the Kerberos credentials cache /tmp/krb5cc_0 is mode 0600 root.root, normal users can't run an ldapsearch against the KDC. Creating KRBTGTs for 5000+ users isn't really an option :-)

The PDF-creating script (which was derived from smbgenpdfprn) needs to run this query, but Samba runs the backend script with the connecting user's UID/GID mapped by winbind. I tried "force user = root" but that did not work. Using sudo w/ NOPASSWD appears to be the straightforward solution. As a local user, I can run "sudo ldapsearch ...." just fine, but when an AD user does that, either nothing happens at all (the command hangs) or I get an error like

+ sudo ldapsearch -v -h 10.243.50.22 -Y GSSAPI -b ou=user,ou=... -LLL '(cn=XXXXX XXXXXXXXXX*)' mail
ldap_initialize( ldap://10.243.50.22 )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (No such file or directory)

particularly within the backend script.

What happens here? I did add winbind to /etc/pam.d/sudo, but as I understand it this should not be needed to sudo _from_ the AD user _to_ root (only the other way round). I googled for various ldap_sasl_interactive_bind_s errors but nothing useful comes up. I have no idea if that's a sudo, ldapsearch or Samba/winbind problem.

A setuid root C wrapper did the trick, but is that how it's designed?

-- 
Due to lack of disk space, this fortune database has been discontinued.
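An added diagnostic, not code from the original post, that resolves which credential cache the GSSAPI mechanism will look for given the effective uid and KRB5CCNAME, and reports whether that file exists and is readable; running it from the backend script once as the AD user and once under sudo shows which side produces the "No such file or directory" condition. It assumes MIT Kerberos default FILE cache naming (/tmp/krb5cc_<uid>) and a sudo configuration with the default env_reset.

```shell
#!/bin/sh
# Added diagnostic for the GSSAPI bind failure discussed above; not from the post.
# Assumes MIT Kerberos default FILE cache naming (/tmp/krb5cc_<uid>).

# Resolve the credential cache the way libkrb5 picks its default:
# KRB5CCNAME wins (a FILE: prefix is only a type tag), else /tmp/krb5cc_<uid>.
krb5_cache_path() {
    ccname="$1"; uid="$2"
    case "$ccname" in
        "")     printf '%s\n' "/tmp/krb5cc_${uid}" ;;
        FILE:*) printf '%s\n' "${ccname#FILE:}" ;;
        *)      printf '%s\n' "$ccname" ;;   # KEYRING:, DIR:, ... are not files; left as-is
    esac
}

# Report whether a FILE cache is usable by the current process.
# Returns 1 if it is missing (the "No such file or directory" GSSAPI case),
# 2 if it exists but is unreadable (e.g. a 0600 cache owned by another uid),
# 0 if usable or not a file-type cache.
krb5_cache_check() {
    path="$1"
    case "$path" in
        *:*) echo "non-file cache $path: not checked"; return 0 ;;
    esac
    if [ ! -e "$path" ]; then
        echo "missing: $path"; return 1
    fi
    if [ ! -r "$path" ]; then
        echo "unreadable: $path"; return 2
    fi
    echo "usable: $path"; return 0
}

# Show what ldapsearch -Y GSSAPI would see from this process. Under sudo with
# the default env_reset, KRB5CCNAME is dropped unless listed in env_keep, so
# what matters there is root's default cache, not the AD user's. A narrowly
# scoped sudo rule for one ldapsearch invocation keeps the privilege smaller
# than a setuid-root wrapper that any local process can execute.
diagnose() {
    uid="$1"; ccname="$2"
    echo "uid=$uid KRB5CCNAME=${ccname:-<unset>}"
    krb5_cache_check "$(krb5_cache_path "$ccname" "$uid")"
}

diagnose "$(id -u)" "${KRB5CCNAME:-}" || :
```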