[Samba] samba-tool and -A option (credentials in file)

Rowland Penny rpenny at samba.org
Fri Aug 26 08:33:05 UTC 2022


On Fri, 2022-08-26 at 04:32 +0200, Franta Hanzlík via samba wrote:
> On Thu, 25 Aug 2022 20:53:08 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > On Thu, 2022-08-25 at 21:11 +0200, Franta Hanzlík via samba wrote:
> > > Hello all,
> > > 
> > > I just built Samba-4.16.4 on Fedora 36 x86_64, as my own build with
> > > internal Heimdal krb5 (I hope for better stability than with Fedora's
> > > MIT krb5).
> > > Samba seems to be working, as well as new AD DC provisioning. Now I
> > > want to use samba-tool in a batch shell script for setting the DC DB,
> > > and I would like to use admin authentication using a name and password
> > > stored in a file - and this is where I came across.
> > > 
> > > The only note that it should work somehow is the samba-tool man page,
> > > where in the '-U|--user' option paragraph is:
> > > ...
> > > A third option is to use a credentials file which contains the
> > > plaintext of the username and password. This option is mainly
> > > provided for scripts where the admin does not wish to pass the
> > > credentials on the command line or via environment variables. If
> > > this method is used, make certain that the permissions on the file
> > > restrict access from unwanted users. See the -A for more details.
> > 
> > I think you have found a bug. I have never really read the samba-tool
> > manpage, the information you get from '--help' is usually sufficient.
> > I have never come across '-A' and samba-tool, this is probably because
> > you do not require it, you can just run kinit and then use kerberos.
> > Also when a user logs in, they get a kerberos ticket and you can also
> > use the computer's ticket for searches etc.
> > 
> > To put it another way, there is no '-A' option and you do not use a
> > credentials file.
> > 
> > Rowland
> > -- 
> 
> Hi Rowland and Luke,
> thanks for your help. As I knew that the -A option in Samba-related
> tools (samba-client, ldb-tools) already exists, I was convinced I was
> doing something wrong...

As far as I can see, it is only an option for smbclient and it is a
bug. The option '-A' is in a file that is picked up by the samba-tool
manpage and it shouldn't be. The '-A' option has never been a samba-tool
option.

> 
> But, Rowland - using kinit supposes an interactive session and a
> manually entered password, right? I think this isn't solving my problem
> for a non-interactive bash shell script. Or am I missing something?

Try reading the script you will find here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records

That is interactive and it doesn't use a stored password. I think you
need to read up on kerberos.

> 
> For now I have used --password ( -U USERNAME%PASSWORD should be the
> same),

Not really: using Kerberos, the password never leaves the computer; your
way it is sent over the wire.

> but I'd like the data in the file better ;)

And I will always prefer kerberos :-)

Rowland
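As an added example (not code from this thread, from the linked wiki page, or from the Samba project), the non-interactive pattern Rowland points at: the batch job gets a Kerberos ticket from a keytab with kinit instead of reading a password from a file or the command line, and before touching the keytab it applies the permission check the quoted samba-tool man page asks for on any credentials file. The keytab path, principal, credential-cache path, the SAMBA_BATCH_RUN guard and the samba-tool command inside main are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the Samba project.
# Non-interactive samba-tool run that authenticates with Kerberos from a
# keytab rather than a password on the command line or in a plain file.
# Keytab path, principal, cache path and the samba-tool command are assumed.
set -u

KEYTAB="${KEYTAB:-/etc/samba/batch-admin.keytab}"   # assumed path
PRINCIPAL="${PRINCIPAL:-batch-admin@EXAMPLE.COM}"   # assumed principal
CCACHE="${CCACHE:-/run/samba-batch/krb5cc}"         # assumed cache file

# Return 0 if FILE exists, belongs to the invoking user and has no
# group/other permission bits (e.g. 0600 or 0400); otherwise return 1.
# This is the "restrict access from unwanted users" check from the
# samba-tool man page, applied to the keytab before it is ever read.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat (-c) first, BSD/macOS stat (-f) as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # group and other bits are all zero
        *)   return 1 ;;
    esac
}

# Obtain a TGT from the keytab into a private credential cache; the
# password itself never appears in the script or on the wire.
get_ticket() {
    check_secret_file "$KEYTAB" || {
        echo "refusing to use $KEYTAB: wrong owner or permissions" >&2
        return 1
    }
    export KRB5CCNAME="FILE:$CCACHE"
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

main() {
    get_ticket || exit 1
    # Placeholder batch job; --use-kerberos=required stops samba-tool
    # from silently falling back to password authentication.
    samba-tool dns zonelist localhost --use-kerberos=required "$@"
    kdestroy   # drop the ticket once the job is done
}

# Guarded so the functions can be sourced or tested without running the job.
if [ "${SAMBA_BATCH_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `SAMBA_BATCH_RUN=1 sh batch.sh`; the directory holding the credential cache must exist and be private to the job's user, and the keytab is created once, interactively, for a dedicated service principal rather than for the administrator's own account.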
