search for: krbtgts

.... ..." \ -LLL '(cn=lastname firstname*)' mail As long as I run this command as root everything is okay. Since ldapsearch isn't setuid root, and the Kerberos credentials cache /tmp/krb5cc_0 is mode 0600 root.root, normal users can't run an ldapsearch against the KDC. Creating KRBTGTs for 5000+ users isn't really an option :-) The PDF creating script (which was derived from smbgenpdfprn) needs to run this query but Samba runs the backend script with the connecting user's UID/GID mapped by winbind. I tried "force user = root" but that did not work. Using sudo...