[Samba] samba-tool and -A option (credentials in file)
Franta Hanzlík
franta at hanzlici.cz
Thu Aug 25 19:11:36 UTC 2022
Hello all,
I just built Samba-4.16.4 on Fedora 36 x86_64, as my own build with
internal Heimdal krb5 (I hope for better stability than with Fedora's
MIT krb5).
Samba seems to be working, as does new AD DC provisioning. Now I want
to use samba-tool in a batch shell script for setting up the DC DB, and I
would like to use admin authentication with a name and password stored in
a file - and this is where I ran into a problem.
The only note that it should work somehow is in the samba-tool man page,
where the '-U|--user' option paragraph says:
...
A third option is to use a credentials file which contains the plaintext
of the username and password. This option is mainly provided for scripts
where the admin does not wish to pass the credentials on the command line
or via environment variables. If this method is used, make certain that
the permissions on the file restrict access from unwanted users.
See the -A for more details.
...
There is nothing else in the man page, nor did I find anything on the
Internet about it. And all attempts such as:
# samba-tool dns zonecreate localhost 1.168.192.in-addr.arpa -N -A ~/sambaAdmin
Usage: samba-tool dns zonecreate <server> <zone> [options]
samba-tool dns zonecreate: error: no such option: -A
# samba-tool dns zonecreate localhost 1.168.192.in-addr.arpa -N -U ~/sambaAdmin
cli_credentials_failed_kerberos_login: krb5_cc_get_principal failed: No such file or directory
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:127.0.0.1[49153,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server 127.0.0.1 failed with (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
etc. were unsuccessful, and according to:
1)
# samba-tool --help
Usage: samba-tool <subcommand>

Main samba administration tool.

Options:
  -h, --help     show this help message and exit

  Version Options:
    -V, --version  Display version number

Available subcommands:
  computer    - Computer management.
  contact     - Contact management.
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  forest      - Forest management.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  ou          - Organizational Units (OU) management.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  schema      - Schema querying and management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
  visualize   - Produces graphical representations of Samba network state.
For more help on a specific subcommand, please type: samba-tool <subcommand> (-h|--help)
or
2)
# samba-tool dns zonecreate --help
Usage: samba-tool dns zonecreate <server> <zone> [options]

Create a zone.

Options:
  -h, --help            show this help message and exit
  --client-version=w2k|dotnet|longhorn
                        Client Version

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password
    --use-kerberos=desired|required|off
                        Use Kerberos authentication
    --use-krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache
    -k KERBEROS, --kerberos=KERBEROS
                        DEPRECATED: Migrate to --use-kerberos

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number
neither the -A option nor a credentials file is mentioned there.
Where am I making a mistake?
How should I use the credentials file?
PS: I was trying to build Samba as a set of RPM packages, inspired
by the Fedora samba.spec file with some modifications, and talloc,
tevent, tdb and ldb are external - not sure whether that may be a
problem.
---
Thanks, Franta Hanzlík
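
The man page text quoted in the message above asks that the permissions on a credentials file keep other users out. The following is an added example, not part of the original post and not Samba code, of a check a batch script can run before trusting such a file. It assumes GNU coreutils stat (as on Fedora), and it says nothing about the file's format or whether samba-tool will read it.

```shell
#!/bin/sh
# Added example (not from the post or from Samba): check a credentials file
# before a batch script uses it. Assumes GNU coreutils stat, as on Fedora.

# check_cred_file FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# calling user, with no group or other permission bits set.
check_cred_file() {
    cred_path=$1

    # A symlink could point at a file someone else controls.
    if [ -L "$cred_path" ] || [ ! -f "$cred_path" ]; then
        echo "refusing $cred_path: not a regular file" >&2
        return 1
    fi

    cred_owner=$(stat -c '%u' -- "$cred_path") || return 1
    cred_mode=$(stat -c '%a' -- "$cred_path") || return 1

    if [ "$cred_owner" != "$(id -u)" ]; then
        echo "refusing $cred_path: owned by uid $cred_owner" >&2
        return 1
    fi

    # stat prints the mode in octal; mask out the group and other bits.
    if [ $(( 0$cred_mode & 077 )) -ne 0 ]; then
        echo "refusing $cred_path: mode $cred_mode grants access to group or others" >&2
        return 1
    fi
    return 0
}

# Usage in a batch script (the path is the one used in the post):
#   check_cred_file ~/sambaAdmin || exit 1
```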