During my test phase I used to manage POSIX attributes in my AD using ldap-tools with -Y GSSAPI after kinit Administrator. Now this became impossible unless I logged in as Administrator, since the principal is tied to the user account - be it only for NFS4. ;) Administrator so far is not even a POSIX user.

My first idea was to join my POSIX user to some group, which is allowed to modify user data. Does samba4 recognize this? And which group would be the correct one?

Alternatively, is there a way to simple bind with Administrator access rights?

Thanks for your help,
- lars.
On 25/10/14 21:33, Lars Hanke wrote:
> During my test phase I used to manage POSIX attributes in my AD using
> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
> impossible unless I logged in as Administrator, since the principal is
> tied to the user account - be it only for NFS4. ;) Administrator so far
> is not even a POSIX user.
>
> My first idea was to join my POSIX user to some group, which is allowed
> to modify user data. Does samba4 recognize this? And which group would
> be the correct one?
>
> Alternatively, is there a way to simple bind with Administrator access
> rights?
>
> Thanks for your help,
> - lars.

Hi Lars

Kerberos expects the root cache under /tmp. I've asked before if you are using systemd, which puts the cache under /run/user/0. Of course /run/user/0 does not exist unless root has logged in, and so root cannot obtain a ticket unless he is logged in already. The only way is to workaround [1]:

See if this helps when added to [libdefaults] at /etc/krb5.conf:

default_ccache_name = /tmp/krb5cc_%{uid}

Now create a keytab and extract the key for a domain user therein:

kinit -k -t /your/keytab adminuser

The combination of the two will obtain a ticket without the need for root to authenticate.

HTH,
Steve

[1] 'The only way...'? Kerberos blames systemd, and systemd doesn't know what Kerberos is.
On 25/10/14 20:33, Lars Hanke wrote:
> During my test phase I used to manage POSIX attributes in my AD using
> ldap-tools with -Y GSSAPI after kinit Administrator. Now this became
> impossible unless I logged in as Administrator, since the principal is
> tied to the user account - be it only for NFS4. ;) Administrator so
> far is not even a POSIX user.
>
> My first idea was to join my POSIX user to some group, which is
> allowed to modify user data. Does samba4 recognize this? And which
> group would be the correct one?
>
> Alternatively, is there a way to simple bind with Administrator access
> rights?
>
> Thanks for your help,
> - lars.

Investigate ldb-tools and kerberos; you will need a keytab, but if you use winbind, this will be created for you.

Rowland
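The two-step workaround Steve describes (pin the credential cache to /tmp/krb5cc_<uid> in [libdefaults], then fetch the ticket from a keytab with kinit -k -t), together with the keytab Rowland says you will need, as one added shell script. This is an example written for this page, not code from either reply or from the Samba project. The keytab path /etc/krb5.admin.keytab and the account name "adminuser" are placeholders; samba-tool domain exportkeytab is the Samba AD command for writing a principal's key to a keytab and is assumed to be run on the DC as root. The config-editing function is idempotent so the script can be re-run from a cron job without duplicating the key.

```shell
#!/bin/sh
# Added example: let a root process that has no login session obtain a
# Kerberos TGT for an AD admin account.
#   1. default_ccache_name = /tmp/krb5cc_%{uid}  (pinned in [libdefaults])
#   2. kinit -k -t <keytab> <principal>          (no password prompt)
set -eu

KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
KEYTAB="${KEYTAB:-/etc/krb5.admin.keytab}"       # assumed path
ADMIN_PRINCIPAL="${ADMIN_PRINCIPAL:-adminuser}"  # assumed account name
CCACHE_TEMPLATE='/tmp/krb5cc_%{uid}'

# Expand the %{uid} placeholder the way libkrb5 does for a given uid, so
# the script can report where the cache will be written.
ccache_for_uid() {
    printf '%s\n' "$CCACHE_TEMPLATE" | sed "s/%{uid}/$1/"
}

# Insert "default_ccache_name = ..." under [libdefaults] in the given
# krb5.conf unless the key is already present. Creates the section if
# the file has none. Safe to call repeatedly.
ensure_ccache_default() {
    conf="$1"
    if grep -q '^[[:space:]]*default_ccache_name' "$conf"; then
        return 0
    fi
    awk -v line="    default_ccache_name = $CCACHE_TEMPLATE" '
        { print }
        /^\[libdefaults\]/ && !done { print line; done = 1 }
        END { if (!done) { print "[libdefaults]"; print line } }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Export the admin account's key to a keytab (run on the DC as root).
# The keytab is equivalent to the account's password: keep it 0600.
export_keytab() {
    samba-tool domain exportkeytab "$KEYTAB" --principal="$ADMIN_PRINCIPAL"
    chmod 600 "$KEYTAB"
}

# Obtain the TGT from the keytab; nobody has to type a password.
acquire_ticket() {
    kinit -k -t "$KEYTAB" "$ADMIN_PRINCIPAL"
    klist
}

main() {
    ensure_ccache_default "$KRB5_CONF"
    echo "credential cache for uid $(id -u): $(ccache_for_uid "$(id -u)")"
    [ -f "$KEYTAB" ] || export_keytab
    acquire_ticket
}

# Only run the procedure when explicitly asked: ./krb5-root-ticket.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

After `acquire_ticket` succeeds, the original `ldapsearch -Y GSSAPI ...` invocations work again from a root shell or a cron job, because libkrb5 now looks for the cache at /tmp/krb5cc_0 rather than under /run/user/0. Keep the keytab readable by root only; whoever can read it can impersonate the admin account.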