Hi list, I'm trying to work on a script that should not care what DC is up, as long as one is. I want to be able to use the samba-tool command in our Samba-AD domain from a domain member, using kerberos. I have the kinit command granting me a ticket. I want to use that ticket to remotely add users to the domain controller, while I'm on the domain member's console. For example: root at fileserver.example.com:~# kinit administrator Password for administrator at EXAMPLE.COM: root at fileserver.example.com:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator at EXAMPLE.COM Valid starting Expires Service principal 08/01/19 13:03:00 08/01/19 23:03:00 krbtgt/EXAMPLE.COM at EXAMPLE.COM renew until 09/01/19 13:02:59 root at fileserver.example.com:~# samba-tool user list --kerberos=yes ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)' File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 445, in run attrs=["samaccountname"]) The commands run fine from the domain controller, but we want to run the commands from a member server. Is this possible, either using usernames/passwords or kerberos? We are on Debian 9.6, running Samba 4.5.12-Debian (Yes, I know it's EOL for Samba, but it's the latest in the repo).
On Tue, 8 Jan 2019 13:13:15 -0800 Luke Barone via samba <samba at lists.samba.org> wrote:> Hi list, > > I'm trying to work on a script that should not care what DC is up, as > long as one is. I want to be able to use the samba-tool command in > our Samba-AD domain from a domain member, using kerberos. > > I have the kinit command granting me a ticket. I want to use that > ticket to remotely add users to the domain controller, while I'm on > the domain member's console. For example: > > root at fileserver.example.com:~# kinit administrator > Password for administrator at EXAMPLE.COM: > root at fileserver.example.com:~# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: administrator at EXAMPLE.COM > > Valid starting Expires Service principal > 08/01/19 13:03:00 08/01/19 23:03:00 krbtgt/EXAMPLE.COM at EXAMPLE.COM > renew until 09/01/19 13:02:59 > > root at fileserver.example.com:~# samba-tool user list --kerberos=yes > ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)' > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line > 445, in run > attrs=["samaccountname"]) > > > The commands run fine from the domain controller, but we want to run > the commands from a member server. Is this possible, either using > usernames/passwords or kerberos? We are on Debian 9.6, running Samba > 4.5.12-Debian (Yes, I know it's EOL for Samba, but it's the latest in > the repo).You don't actually need kerberos to list users from a Unix domain member, you need to run the command as root and add '-H ldap://DC_SHORT_HOSTNAME' Rowland
I should have been more specific. I'm trying to add users; I figured listing the users was a good test. I'm sure it's expected, but I'm now seeing the following: # samba-tool user create test.user -H ldap://dc1 New Password: Retype Password: ERROR(ldb): Failed to add user 'test.user': - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <> I tried using the -U and -P switch (as a test), and it claimed that the Administrator was "unable to get access to CN=....". I used the "--kerberos yes" switch with the -H ldap://dc1, and that works! On Tue, Jan 8, 2019 at 2:03 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Tue, 8 Jan 2019 13:13:15 -0800 > Luke Barone via samba <samba at lists.samba.org> wrote: > > > Hi list, > > > > I'm trying to work on a script that should not care what DC is up, as > > long as one is. I want to be able to use the samba-tool command in > > our Samba-AD domain from a domain member, using kerberos. > > > > I have the kinit command granting me a ticket. I want to use that > > ticket to remotely add users to the domain controller, while I'm on > > the domain member's console. For example: > > > > root at fileserver.example.com:~# kinit administrator > > Password for administrator at EXAMPLE.COM: > > root at fileserver.example.com:~# klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: administrator at EXAMPLE.COM > > > > Valid starting Expires Service principal > > 08/01/19 13:03:00 08/01/19 23:03:00 krbtgt/EXAMPLE.COM at EXAMPLE.COM > > renew until 09/01/19 13:02:59 > > > > root at fileserver.example.com:~# samba-tool user list --kerberos=yes > > ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)' > > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > > line 176, in _run > > return self.run(*args, **kwargs) > > File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line > > 445, in run > > attrs=["samaccountname"]) > > > > > > The commands run fine from the domain controller, but we want to run > > the commands from a member server. Is this possible, either using > > usernames/passwords or kerberos? We are on Debian 9.6, running Samba > > 4.5.12-Debian (Yes, I know it's EOL for Samba, but it's the latest in > > the repo). > > You don't actually need kerberos to list users from a Unix domain > member, you need to run the command as root and add '-H > ldap://DC_SHORT_HOSTNAME' > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Mandi! Luke Barone via samba In chel di` si favelave...> I'm trying to work on a script that should not care what DC is up, as long > as one is.I've done something like that. But i'm using '-H <uri> -P' and works as expected... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Wed, 9 Jan 2019 09:34:07 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> Mandi! Luke Barone via samba > In chel di` si favelave... > > > I'm trying to work on a script that should not care what DC is up, > > as long as one is. > > I've done something like that. But i'm using '-H <uri> -P' and works > as expected... >Yes, but only for searches, once you want to add or modify something, you have to authenticate as a user. Rowland