christian baltini
2024-Jun-30 07:22 UTC
[Samba] Looking for Python docs/examples to modify DNS via keytab
> On Jun 30, 2024, at 12:11 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 29 Jun 2024 22:10:12 -0700
> christian baltini <christian.baltini at gmail.com> wrote:
>
>> Hello Rowland, I see that and am trying to recreate the script logic
>> line-by-line in the terminal as a proof of understanding, but I am
>> having some trouble.
>>
>> Here is what I am trying:
>>
>> "kinit administrator" - I then provide username and password,
>
> You should just get prompted for the Administrator password, are you
> doing this as root or with sudo ?

Sorry, you are correct, it is just a password prompt

>
>> and get
>> /tmp/krb5cc_0
>
> That suggests it is being created by 'root', but what is in the ticket
> ? Have you run 'klist -c /tmp/krb5cc_0' ?

This is the output of the above:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at SAMBA1.MYDOMAIN.COM

Valid starting       Expires              Service principal
06/30/2024 00:16:09  06/30/2024 10:16:09  krbtgt/SAMBA1.MYDOMAIN.COM at SAMBA1.MYDOMAIN.COM
	renew until 07/01/2024 00:16:01

>
>> - I understand this is equivalent to what the script is
>> generating with the exported keytab file, is this correct?
>
> Very similar, just a different user.
>
>>
>> I then try this just as a test command:
>>
>> "samba-tool dns zonelist localhost --use-krb5-ccache=/tmp/krbcc_0".
>> (I get the same result with my server's FQDN instead of "localhost")
>
> If you cut & pasted that command, there is a typo, it is '/tmp/krb5cc_0'
>

Sorry, that was a typo in my email, that is what I am typing

>>
>> I have also tried setting the environment variable in the script like
>> so "EXPORT KRB5CCNAME=/tmp/krb5cc_0"
>
> But then, you seem to have got it right there.
>
>>
>> Do you have any advice on what might not be working?
>
> Your command works for myself.

This is the output I get:

(venv) root at ubu1:~/py_krb# samba-tool dns zonelist localhost --use-krb5-ccache=/tmp/krb5cc_0
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:127.0.0.1[49153,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1] NT_STATUS_INVALID_PARAMETER
ERROR: Connecting to DNS RPC server 127.0.0.1 failed with (3221225485, 'An invalid parameter was passed to a service or function.')

Am I wrong in thinking this is necessarily some type of kerberos auth issue?

>
>>
>> I have confirmed everything working without the --use-krb5-ccache and
>> supplying username and password does work
>>
>> As for your question, I have not gotten that far yet : )
>
> I would really think about this, there is no point in porting the
> script unless you have something to trigger it. As far as I can see,
> there are two options, use kea, but that is, in my opinion, like using
> the world's largest hydraulic press to crack a nut, or use dnsmasq just
> as a dhcp server.
>
> Rowland
>

I see a number of uses for a script like this in Python, not just DHCP. If anything I would like to figure it out to learn something.

Thank you very much for your responses!

Christian
Rowland Penny
2024-Jun-30 07:56 UTC
[Samba] Looking for Python docs/examples to modify DNS via keytab
On Sun, 30 Jun 2024 00:22:57 -0700
christian baltini <christian.baltini at gmail.com> wrote:

> This is the output I get:
>
> (venv) root at ubu1:~/py_krb# samba-tool dns zonelist localhost
> --use-krb5-ccache=/tmp/krb5cc_0 Failed to bind to uuid
> 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
> ncacn_ip_tcp:127.0.0.1[49153,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
> NT_STATUS_INVALID_PARAMETER ERROR: Connecting to DNS RPC server
> 127.0.0.1 failed with (3221225485, 'An invalid parameter was passed
> to a service or function.')
>
> Am I wrong in thinking this is necessarily some type of kerberos auth
> issue?
>

Well, yes and no ;-)

Kerberos only works using names, not IP addresses; 'localhost' becomes '127.0.0.1' and there is your 'NT_STATUS_INVALID_PARAMETER'. Try it with the DC's short hostname.

Rowland

PS, please just reply to the list, do not 'CC' me.
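As an added example (not code from this thread or from the Samba project), the POSIX shell wrapper below turns Rowland's point into a check that runs before `samba-tool` is invoked: the DNS RPC target must be a host name, because the Kerberos service ticket is requested for a name-based principal, so `localhost` and IP literals are refused up front instead of surfacing as `NT_STATUS_INVALID_PARAMETER`. It also verifies that the credential cache produced by `kinit` (checked in the thread with `klist -c /tmp/krb5cc_0`) still holds a valid ticket before the call is made. The function names, the default cache path and the sample DC name `dc1` are assumptions; `klist -s` is MIT Kerberos's silent validity test.

```shell
#!/bin/sh
# Added example: guard samba-tool DNS calls that authenticate via a
# Kerberos credential cache. Names below are assumptions, not Samba APIs.

# Return 0 if "$1" is a name Kerberos can build a service principal for.
# 'localhost' resolves to 127.0.0.1, and the RPC bind to an IP literal is
# exactly what produced NT_STATUS_INVALID_PARAMETER in the thread.
kerberos_target_ok() {
    case "$1" in
        ''|localhost|localhost.*) return 1 ;;
        *:*) return 1 ;;                      # IPv6 literal (contains ':')
    esac
    # dotted-quad IPv4 literal
    if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        return 1
    fi
    return 0
}

# Print the samba-tool command line for a zone listing; return 1 (and
# print nothing) when the target is not a usable Kerberos name.
dns_zonelist_cmd() {
    target=$1
    ccache=${2:-/tmp/krb5cc_0}    # assumed default: the cache kinit wrote as root
    if ! kerberos_target_ok "$target"; then
        echo "refusing target '$target': use the DC's host name, not an IP" >&2
        return 1
    fi
    printf 'samba-tool dns zonelist %s --use-krb5-ccache=%s\n' "$target" "$ccache"
}

# Validate the target, confirm the cache holds an unexpired ticket
# (MIT 'klist -s' is silent and exits non-zero otherwise), then run it.
dns_zonelist() {
    target=$1
    ccache=${2:-/tmp/krb5cc_0}
    dns_zonelist_cmd "$target" "$ccache" >/dev/null || return 1
    if ! klist -s -c "$ccache"; then
        echo "no valid ticket in $ccache; run kinit first" >&2
        return 1
    fi
    samba-tool dns zonelist "$target" --use-krb5-ccache="$ccache"
}

# Usage (assumed DC short name 'dc1'):
#   kinit administrator
#   dns_zonelist dc1 /tmp/krb5cc_0
```

The same validator applies to the record-modifying subcommands the original script wraps (`samba-tool dns add`, `delete`, `update`), since each of them performs the same Kerberos-authenticated RPC bind to the named DC.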