On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:

> Q2) I don't understand why Kerberos ticket is not used.
>
> I specified --use-kerberos=required

Thanks for mentioning this. I don't know why this is happening exactly. The samba-tool gpo command is a bit of a snowflake in the 'samba-tool' suite as it uses the libsmb library from the 'fileserver' or 'source3' area of the codebase, as that is much more mature.

Sadly there is sometimes an "impedance mismatch" or 'the stitching is still visible' or 'a mismatch in expectations' between some parts of our codebase that were developed apart for a time, and I think this may be showing here.

You could spend some time in a debugger, getting a backtrace when it asks for the password and working out if the Kerberos require flag has been lost somehow. We have got a lot better about not decomposing and re-composing our 'cli_credentials' structure, eg https://gitlab.com/samba-team/samba/-/merge_requests/3260 just today, and perhaps this is happening.

I would say that, below, you seem to have tried all the command-line combinations I would try.

Andrew Bartlett

> [user@dc.aaa.bbb ~]$ kinit administrator
> Password for administrator@AAA.BBB:
> Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26
>
> [user@dc.aaa.bbb ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: administrator@AAA.BBB
>
> Valid starting       Expires              Service principal
> 07.09.2023 09:53:08  07.09.2023 19:53:08  krbtgt/AAA.BBB@AAA.BBB
>         renew until 08.09.2023 09:53:05
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
>
> [user@dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
> Password for [administrator@AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead                                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
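A pre-flight check a practitioner can run before an invocation like the ones quoted above: confirm that the credential cache actually holds a TGT for the expected realm, and pin the cache name through KRB5CCNAME so the tool has exactly one cache to look at. This is an added example, not code from the thread or from Samba; the function names are ours, and the klist text is a sample constructed from the session quoted in the thread. It also records the naming fact behind the `/tmp/krb5cc_500` cache: MIT krb5's built-in default cache name (absent KRB5CCNAME or a configured `default_ccache_name`) is derived from the Unix UID of the user who ran kinit, not from the principal inside it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: verify a Kerberos
# credential cache before handing it to a tool, and pin the cache name.

# MIT krb5's built-in default cache (absent KRB5CCNAME or a configured
# default_ccache_name) is FILE:/tmp/krb5cc_<uid> of the local Unix user who
# ran kinit; the principal stored in the cache has no influence on the name.
default_ccache_name() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
}

# Read klist output on stdin and print the cache's default principal.
ccache_principal() {
    awk -F': *' '/^Default principal:/ { print $2; exit }'
}

# Read klist output on stdin; succeed only if it lists a TGT for REALM ($1).
ccache_has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# Usage: run_with_ccache CCACHE REALM command [args...]
# Refuses to run the command unless CCACHE holds a TGT for REALM, then runs
# it with KRB5CCNAME pinned so the tool cannot silently pick a different
# cache; a realm/cache mismatch is caught here, before the tool would prompt.
run_with_ccache() {
    ccache=$1; realm=$2; shift 2
    if ! klist -c "$ccache" 2>/dev/null | ccache_has_tgt "$realm"; then
        printf 'no TGT for %s in %s; run kinit first\n' "$realm" "$ccache" >&2
        return 1
    fi
    KRB5CCNAME=$ccache "$@"
}

# Constructed klist output modelled on the session quoted in the thread
# (sample data for the parsers above, not a live cache).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator@AAA.BBB

Valid starting       Expires              Service principal
07.09.2023 09:53:08  07.09.2023 19:53:08  krbtgt/AAA.BBB@AAA.BBB
        renew until 08.09.2023 09:53:05'

# Dry run of the parsers against the sample; a real invocation would be e.g.
#   run_with_ccache FILE:/tmp/krb5cc_500 AAA.BBB samba-tool gpo ... --use-kerberos=required
printf 'default cache for this uid: %s\n' "$(default_ccache_name)"
printf 'principal in sample cache: %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | ccache_principal)"
```

The guard deliberately checks for a `krbtgt/REALM@REALM` entry rather than just a non-empty cache: a cache holding only stale service tickets, or a TGT for a different realm, is the situation that ends in an unexpected password prompt.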
On Fri, 08 Sep 2023 08:45:24 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:
> > Q2) I don't understand why Kerberos ticket is not used.
> >
> > I specified --use-kerberos=required
>
> Thanks for mentioning this. I don't know why this is happening exactly. The samba-tool gpo command is a bit of a snowflake in the 'samba-tool' suite as it uses the libsmb library from the 'fileserver' or 'source3' area of the codebase, as that is much more mature.
>
> Sadly there is sometimes an "impedance mismatch" or 'the stitching is still visible' or 'a mismatch in expectations' between some parts of our codebase that were developed apart for a time, and I think this may be showing here.
>
> You could spend some time in a debugger, getting a backtrace when it asks for the password and working out if the Kerberos require flag has been lost somehow. We have got a lot better about not decomposing and re-composing our 'cli_credentials' structure, eg https://gitlab.com/samba-team/samba/-/merge_requests/3260 just today, and perhaps this is happening.
>
> I would say that, below, you seem to have tried all the command-line combinations I would try.
>
> Andrew Bartlett
>
> > [user@dc.aaa.bbb ~]$ kinit administrator
> > Password for administrator@AAA.BBB:
> > Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26
> >
> > [user@dc.aaa.bbb ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_500

Just a question, why does Administrator have a ticket with the ID '500'? I would expect /tmp/krb5cc_0

Rowland