Hi folks,

I can use kerberos to create or delete user, eg:

samba-tool user create test -k yes

however, if I want to perform a backup it fails:

samba-tool domain backup online --targetdir=/srv/backup --server=192.168.50.40 -k yes
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://192.168.50.40' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py", line 228, in run
    dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1509, in join_clone
    include_secrets=include_secrets)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1584, in __init__
    dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64, in __init__
    options=options)
  File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79, in connect
    options=options)

What could be wrong?

I use samba 4.9.3 on Debian (Van Belle repo)

Thanks in advance!

--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
On Mon, 25 Mar 2019 at 19:41, Sergio Belkin (<sebelk at gmail.com>) wrote:

> Hi folks,
> I can use kerberos to create or delete user, eg:
>
> samba-tool user create test -k yes
>
> however, if I want to perform a backup it fails:
>
> samba-tool domain backup online --targetdir=/srv/backup
> --server=192.168.50.40 -k yes
> gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> negTokenInit request
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://192.168.50.40' with backend 'ldap': LDAP
> client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_INVALID_PARAMETER
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 177, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> line 228, in run
> dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1509, in
> join_clone
> include_secrets=include_secrets)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1584, in
> __init__
> dns_backend=dns_backend)
> File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98, in
> __init__
> credentials=ctx.creds, lp=ctx.lp)
> File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64, in
> __init__
> options=options)
> File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in
> __init__
> self.connect(url, flags, options)
> File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79, in
> connect
> options=options)
>
> What could be wrong?
>
> I use samba 4.9.3 on Debian (Van Belle repo)
>
> Thanks in advance!
>
> --
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
>

I've found that is an error using IP address with kerberos, that's wrong, anyway, if I use hostname it prompts me for the password:

samba-tool domain backup online --targetdir=/srv/backup --server=samba4.example.com -k yes -d3
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name samba4.example.com<0x20>
Password for [EXAMPLE\root]:

Don't understand why it cannot resolve samba4.example.com, because it can outside of this command....

Please could you help me?

--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
On Mon, 2019-03-25 at 20:33 -0300, Sergio Belkin via samba wrote:
> On Mon, 25 Mar 2019 at 19:41, Sergio Belkin (<sebelk at gmail.com>)
> wrote:
>
> > Hi folks,
> > I can use kerberos to create or delete user, eg:
> >
> > samba-tool user create test -k yes
> >
> > however, if I want to perform a backup it fails:
> >
> > samba-tool domain backup online --targetdir=/srv/backup
> > --server=192.168.50.40 -k yes

You can't do Kerberos to an IP address. Kerberos is names based.

Sorry!

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
On Mon, 25 Mar 2019 20:33:44 -0300 Sergio Belkin via samba <samba at lists.samba.org> wrote:

> On Mon, 25 Mar 2019 at 19:41, Sergio Belkin (<sebelk at gmail.com>)
> wrote:
>
> > Hi folks,
> > I can use kerberos to create or delete user, eg:
> >
> > samba-tool user create test -k yes
> >
> > however, if I want to perform a backup it fails:
> >
> > samba-tool domain backup online --targetdir=/srv/backup
> > --server=192.168.50.40 -k yes
> > gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> > negTokenInit request
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_INVALID_PARAMETER Failed to connect to
> > 'ldap://192.168.50.40' with backend 'ldap': LDAP client internal
> > error: NT_STATUS_INVALID_PARAMETER ERROR(ldb): uncaught exception -
> > LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 177, in _run
> > return self.run(*args, **kwargs)
> > File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> > line 228, in run dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
> > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1509,
> > in join_clone
> > include_secrets=include_secrets)
> > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1584,
> > in __init__
> > dns_backend=dns_backend)
> > File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98, in
> > __init__
> > credentials=ctx.creds, lp=ctx.lp)
> > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64,
> > in __init__
> > options=options)
> > File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line
> > 115, in __init__
> > self.connect(url, flags, options)
> > File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79,
> > in connect
> > options=options)
> >
> > What could be wrong?
> >
> > I use samba 4.9.3 on Debian (Van Belle repo)
> >
> > Thanks in advance!
> >
> > --
> > --
> > Sergio Belkin
> > LPIC-2 Certified - http://www.lpi.org
> >
>
> I've found that is an error using IP address with kerberos, that's
> wrong, anyway, if I use hostname it prompts me for the password:
>
> samba-tool domain backup online --targetdir=/srv/backup --server=samba4.example.com -k yes -d3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4.example.com<0x20> Password for [EXAMPLE\root]:
>
> Don't understand why it cannot resolve samba4.example.com, because it
> can outside of this command....
>
> Please could you help me?
>

That isn't the problem ;-)

The problem is that you are not giving a domain user, so it is falling back to the logged in user 'root' and this user cannot have a kerberos ticket. You need to 'kinit' as a domain user with the required rights, 'Administrator' for instance, then add '-U Administrator' to the command.

Rowland
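The two points raised in the replies above (use a host name rather than an IP address, and hold a ticket for a domain user passed with -U), as an added example that is not part of the original thread. The function names and the optional ticket-check argument are hypothetical; it assumes MIT krb5 client tools, where `klist -s` exits 0 only when the credential cache holds an unexpired ticket.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before
#   samba-tool domain backup online ... -k yes
# Assumption: MIT krb5 "klist -s" exits 0 only if a valid ticket is cached.

# Exit 0 if $1 is an IPv4/IPv6 literal; Kerberos needs a host name.
is_ip_literal() {
    case "$1" in
        *:*)           return 0 ;;  # IPv6 literal
        ''|*[!0-9.]*)  return 1 ;;  # empty, or has a non-digit/dot: a name
        *.*.*.*)       return 0 ;;  # dotted quad such as 192.168.50.40
        *)             return 1 ;;
    esac
}

# Print why a Kerberos backup would fail and exit 1; exit 0 if nothing found.
# $1 = server, $2 = domain user, $3 = ticket-check command (hypothetical
# hook so the check can be exercised without a KDC; defaults to "klist -s").
preflight() {
    server=$1 user=$2 ticket_check=${3:-"klist -s"}
    if is_ip_literal "$server"; then
        echo "server '$server' is an IP address; use the DC's DNS name"
        return 1
    fi
    # The thread's case: no -U given, so the local login 'root' was used.
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "need a domain user for -U, not the local login '$user'"
        return 1
    fi
    if ! $ticket_check >/dev/null 2>&1; then
        echo "no valid ticket; run: kinit $user"
        return 1
    fi
}

# $1 = server, $2 = target directory, $3 = domain user
run_backup() {
    preflight "$1" "$3" || return 1
    samba-tool domain backup online --targetdir="$2" --server="$1" \
        -k yes -U "$3"
}

# Runs only when called with SERVER TARGETDIR DOMAIN_USER.
if [ "$#" -eq 3 ]; then run_backup "$@"; fi
```
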