Rowland Penny
2022-Aug-25 19:53 UTC
[Samba] samba-tool and -A option (credentials in file)
On Thu, 2022-08-25 at 21:11 +0200, Franta Hanzlík via samba wrote:
> Hello all,
>
> I just build Samba-4.16.4 on Fedora 36 x86_64, as own build with
> internal Heimdal krb5 (I hope for better stability than with Fedora's
> MIT krb5).
> Samba seems working, as well as new AD DC provisioning. Now I want
> using samba-tool in batch shell script for setting DC DB, and I would
> like to use admin authentication using a name and password stored in
> a file - and this is where I came across.
>
> The only note that it should work somehow is samba-tool man page,
> where in '-U|--user' option paragraph is:
> ...
> A third option is to use a credentials file which contains the
> plaintext of the username and password. This option is mainly
> provided for scripts where the admin does not wish to pass the
> credentials on the command line or via environment variables. If this
> method is used, make certain that the permissions on the file
> restrict access from unwanted users.
> See the -A for more details.

I think you have found a bug. I have never really read the samba-tool
manpage, the information you get from '--help' is usually sufficient. I
have never come across '-A' and samba-tool, this is probably because
you do not require it, you can just run kinit and then use kerberos.
Also when a user logs in, they get a kerberos ticket and you can also
use the computer's ticket for searches etc.

To put it another way, there is no '-A' option and you do not use a
credentials file.

Rowland
I've seen the -A option for smbclient; here is the manpage that may help:

    -A|--authentication-file=filename
        This option allows you to specify a file from which to read the
        username and password used in the connection. The format of the
        file is

            username = <value>
            password = <value>
            domain = <value>

        Make certain that the permissions on the file restrict access
        from unwanted users.
Franta Hanzlík
2022-Aug-26 02:32 UTC
[Samba] samba-tool and -A option (credentials in file)
On Thu, 25 Aug 2022 20:53:08 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 2022-08-25 at 21:11 +0200, Franta Hanzlík via samba wrote:
> > Hello all,
> >
> > I just build Samba-4.16.4 on Fedora 36 x86_64, as own build with
> > internal Heimdal krb5 (I hope for better stability than with Fedora's
> > MIT krb5).
> > Samba seems working, as well as new AD DC provisioning. Now I want
> > using samba-tool in batch shell script for setting DC DB, and I would
> > like to use admin authentication using a name and password stored in
> > a file - and this is where I came across.
> >
> > The only note that it should work somehow is samba-tool man page,
> > where in '-U|--user' option paragraph is:
> > ...
> > A third option is to use a credentials file which contains the
> > plaintext of the username and password. This option is mainly
> > provided for scripts where the admin does not wish to pass the
> > credentials on the command line or via environment variables. If this
> > method is used, make certain that the permissions on the file
> > restrict access from unwanted users.
> > See the -A for more details.
>
> I think you have found a bug. I have never really read the samba-tool
> manpage, the information you get from '--help' is usually sufficient. I
> have never come across '-A' and samba-tool, this is probably because
> you do not require it, you can just run kinit and then use kerberos.
> Also when a user logs in, they get a kerberos ticket and you can also
> use the computer's ticket for searches etc.
>
> To put it another way, there is no '-A' option and you do not use a
> credentials file.
>
> Rowland

Hi Rowland and Luke,
thanks for Your help. As I knew, that -A option in Samba-related tools
(samba-client, ldb-tools) already exist, I was convinced I was doing
something wrong...

But, Rowland - using kinit supposes interactive session and manually
entered password, right? I think this isn't solving my problem for
non-interactive bash shell script. Or I'm missing something?

For now I have used --password ( -U USERNAME%PASSWORD should be same),
but I'd like the data in the file better ;)

---
Thanks, Frant? Hanzlik
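
The following is an added example, not part of the thread and not Samba code: POSIX shell helpers that create a file in the "username = / password = / domain =" format from the smbclient manpage excerpt quoted above, and refuse to use it unless its permissions restrict access as that excerpt asks. The function names (write_auth_file, check_auth_file, auth_field) and the return codes are hypothetical, and the thread does not establish that samba-tool itself accepts such a file.

```shell
#!/bin/sh
# Added example, not Samba code. Function names are hypothetical.
# File format: the "username = / password = / domain =" layout from the
# smbclient -A manpage excerpt quoted in the thread.

# write_auth_file PATH USER PASSWORD [DOMAIN]
# Recreates the file under umask 077 so it is never group/world readable.
write_auth_file() {
    (
        umask 077
        rm -f -- "$1"
        {
            printf 'username = %s\n' "$2"
            printf 'password = %s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain = %s\n' "$4"; fi
        } > "$1"
    )
}

# check_auth_file PATH
# 0 = usable, 2 = not a regular file (or a symlink), 3 = not owned by the
# caller, 4 = group/other permission bits set, 5 = username/password missing.
check_auth_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then return 2; fi
    [ -O "$f" ] || return 3
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || return 4
    for key in username password; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$f" || return 5
    done
    return 0
}

# auth_field PATH KEY
# Prints the first value stored for KEY (username, password or domain).
auth_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
```

A batch script would call check_auth_file first and stop on any non-zero status before reading a field from the file.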