On Fri, 08 Sep 2023 08:45:24 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:
> > Q2) I don't understand why Kerberos ticket is not used.
> >
> > I specified --use-kerberos=required
> >
>
> Thanks for mentioning this. I don't know why this is happening
> exactly. The samba-tool gpo command is a bit of a snowflake in the
> 'samba-tool' suite as it uses the libsmb library from the 'fileserver'
> or 'source3' area of the codebase, as that is much more mature.
>
> Sadly there is sometimes an "impedance mismatch" or 'the stitching is
> still visible' or 'a mismatch in expectations' between some parts of
> our codebase that were developed apart for a time, and I think this
> may be showing here.
>
> You could spend some time in a debugger, getting a backtrace when it
> asks for the password and working out if the Kerberos require flag has
> been lost somehow. We have got a lot better about not decomposing and
> re-composing our 'cli_credentials' structure, e.g.
> https://gitlab.com/samba-team/samba/-/merge_requests/3260 just today,
> and perhaps this is happening.
>
> I would say that, below, you seem to have tried all the command-line
> combinations I would try.
>
> Andrew Bartlett
>
> >
> > [user at dc.aaa.bbb ~]$ kinit administrator
> >
> > Password for administrator at AAA.BBB:
> >
> > Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26
> >
> > [user at dc.aaa.bbb ~]$ klist
> >
> > Ticket cache: FILE:/tmp/krb5cc_500

Just a question: why does Administrator have a ticket with the ID
'500'? I would expect /tmp/krb5cc_0

Rowland