Franta Hanzlík
2022-Aug-25 19:11 UTC
[Samba] samba-tool and -A option (credentials in file)
Hello all,
I just built Samba-4.16.4 on Fedora 36 x86_64, as my own build with
internal Heimdal krb5 (I hope for better stability than with Fedora's
MIT krb5).
Samba seems to be working, as well as the new AD DC provisioning. Now I want
to use samba-tool in a batch shell script for setting up the DC DB, and I would
like to use admin authentication with a name and password stored in
a file - and this is where I got stuck.
The only note that it should somehow work is in the samba-tool man page,
where the '-U|--user' option paragraph says:
...
A third option is to use a credentials file which contains the plaintext
of the username and password. This option is mainly provided for scripts
where the admin does not wish to pass the credentials on the command line
or via environment variables. If this method is used, make certain that
the permissions on the file restrict access from unwanted users.
See the -A for more details.
...
There is nothing else in the man page, nor did I find anything on the Internet
about it. And all attempts such as:
# samba-tool dns zonecreate localhost 1.168.192.in-addr.arpa -N -A ~/sambaAdmin
Usage: samba-tool dns zonecreate <server> <zone> [options]
samba-tool dns zonecreate: error: no such option: -A
# samba-tool dns zonecreate localhost 1.168.192.in-addr.arpa -N -U ~/sambaAdmin
cli_credentials_failed_kerberos_login: krb5_cc_get_principal failed: No such
file or directory
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
ncacn_ip_tcp:127.0.0.1[49153,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server 127.0.0.1 failed with (3221225581, 'The
attempted logon is invalid. This is either due to a bad username or
authentication information.')
etc. were unsuccessful, and according to:
1)
# samba-tool --help
Usage: samba-tool <subcommand>
Main samba administration tool.
Options:
-h, --help show this help message and exit
Version Options:
-V, --version Display version number
Available subcommands:
computer - Computer management.
contact - Contact management.
dbcheck - Check local AD database for errors.
delegation - Delegation management.
dns - Domain Name Service (DNS) management.
domain - Domain management.
drs - Directory Replication Services (DRS) management.
dsacl - DS ACLs manipulation.
forest - Forest management.
fsmo - Flexible Single Master Operations (FSMO) roles management.
gpo - Group Policy Object (GPO) management.
group - Group management.
ldapcmp - Compare two ldap databases.
ntacl - NT ACLs manipulation.
ou - Organizational Units (OU) management.
processes - List processes (to aid debugging on systems without
setproctitle).
rodc - Read-Only Domain Controller (RODC) management.
schema - Schema querying and management.
sites - Sites management.
spn - Service Principal Name (SPN) management.
testparm - Syntax check the configuration file.
time - Retrieve the time on a server.
user - User management.
visualize - Produces graphical representations of Samba network state.
For more help on a specific subcommand, please type: samba-tool
<subcommand> (-h|--help)
or
2)
# samba-tool dns zonecreate --help
Usage: samba-tool dns zonecreate <server> <zone> [options]
Create a zone.
Options:
-h, --help show this help message and exit
--client-version=w2k|dotnet|longhorn
Client Version
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--use-kerberos=desired|required|off
Use Kerberos authentication
--use-krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
-k KERBEROS, --kerberos=KERBEROS
DEPRECATED: Migrate to --use-kerberos
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Version Options:
-V, --version Display version number
neither the -A option nor a credentials file is mentioned there.
Where am I making a mistake?
How should I use the credentials file?
PS: I was trying to build Samba as a set of RPM packages, inspired
by the Fedora samba.spec file with some modifications, and talloc,
tevent, tdb and ldb are external - not sure whether there may be a
problem with that.
---
Thanks, Franta Hanzlík
Rowland Penny
2022-Aug-25 19:53 UTC
[Samba] samba-tool and -A option (credentials in file)
On Thu, 2022-08-25 at 21:11 +0200, Franta Hanzlík via samba wrote:
> Hello all,
>
> I just built Samba-4.16.4 on Fedora 36 x86_64, as my own build with
> internal Heimdal krb5 (I hope for better stability than with Fedora's
> MIT krb5).
> Samba seems to be working, as well as the new AD DC provisioning. Now I want
> to use samba-tool in a batch shell script for setting up the DC DB, and I would
> like to use admin authentication with a name and password stored in
> a file - and this is where I got stuck.
>
> The only note that it should somehow work is in the samba-tool man page,
> where the '-U|--user' option paragraph says:
> ...
> A third option is to use a credentials file which contains the plaintext
> of the username and password. This option is mainly provided for scripts
> where the admin does not wish to pass the credentials on the command line
> or via environment variables. If this method is used, make certain that
> the permissions on the file restrict access from unwanted users.
> See the -A for more details.

I think you have found a bug. I have never really read the samba-tool
manpage; the information you get from '--help' is usually sufficient.
I have never come across '-A' and samba-tool; this is probably because
you do not require it, you can just run kinit and then use Kerberos.
Also, when a user logs in, they get a Kerberos ticket, and you can also
use the computer's ticket for searches etc.
To put it another way, there is no '-A' option and you do not use a
credentials file.

Rowland
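An added example (not from either post) of one way to do what the question asks, following the quoted man page's remark that credentials may also arrive "via environment variables": the script refuses a credentials file that other users can read, parses the user name and password from it, and hands the password to samba-tool through the PASSWD environment variable instead of the argument list. The file path, the "key = value" layout (the one smbclient's -A file uses) and the SAMBA_TOOL override are assumptions.

```shell
#!/bin/sh
# Run samba-tool from a batch script with the admin credentials read from a
# file.  The man page quoted above says the password may also arrive "via
# environment variables": Samba's command-line credentials code reads PASSWD,
# so the password goes into samba-tool's own environment, never its argument
# list (where `ps` would show it).
#
# Assumed file layout (hypothetical path /etc/samba/admin.cred, same
# "key = value" lines that smbclient's -A credentials file uses):
#   username = Administrator
#   password = ...

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # overridable for testing

# Succeed only if FILE is a regular file owned by the caller with no group or
# other permission bits, which is what the man page demands of such a file.
cred_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # ls -ln: field 1 is the mode string, field 3 the numeric owner uid (POSIX)
    set -- $(ls -ln "$f")
    [ "$3" = "$(id -u)" ] || return 1
    # characters 5-10 of the mode string are the group and other bits
    [ "$(printf '%s' "$1" | cut -c5-10)" = "------" ]
}

# Print the value of KEY from FILE; whitespace around '=' is ignored.
cred_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# run_samba_tool CRED_FILE samba-tool-args...
# e.g. run_samba_tool /etc/samba/admin.cred dns zonecreate localhost 1.168.192.in-addr.arpa
run_samba_tool() {
    cred="$1"; shift
    if ! cred_file_is_private "$cred"; then
        echo "refusing $cred: must be mode 0600 and owned by $(id -un)" >&2
        return 2
    fi
    user="$(cred_value "$cred" username)"
    pass="$(cred_value "$cred" password)"
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "no username/password in $cred" >&2
        return 2
    fi
    # PASSWD is set for the child process only; -U supplies the user name
    PASSWD="$pass" "$SAMBA_TOOL" "$@" -U "$user"
}
```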