[Samba] GPO backup/restore questions

Andrew Bartlett abartlet at samba.org
Thu Sep 7 20:45:24 UTC 2023


On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:
> Q2) I don't understand why Kerberos ticket is not used.
> 
> I specified --use-kerberos=required
> 

Thanks for mentioning this.  I don't know why this is happening
exactly.  The samba-tool gpo command is a bit of a snowflake in the
'samba-tool' suite as it uses the libsmb library from the 'fileserver'
or 'source3' area of the codebase, as that is much more mature.

Sadly there is sometimes an "impedance mismatch" or 'the stitching is
still visible' or 'a mismatch in expectations' between some parts of
our codebase that were developed apart for a time, and I think this may
be showing here.

You could spend some time in a debugger, getting a backtrace when it
asks for the password and working out if the Kerberos require flag has
been lost somehow.  We have got a lot better about not decomposing and
re-composing our 'cli_credentials' structure, e.g.
https://gitlab.com/samba-team/samba/-/merge_requests/3260 just today,
and perhaps this is happening.

I would say that, below, you seem to have tried all the command-line
combinations I would try.

Andrew Bartlett

> 
> [user at dc.aaa.bbb ~]$ kinit administrator
> Password for administrator at AAA.BBB:
> Warning: Your password will expire in 27 days on Чт 05 окт 2023 09:44:26
> 
> [user at dc.aaa.bbb ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: administrator at AAA.BBB
> 
> Valid starting       Expires              Service principal
> 07.09.2023 09:53:08  07.09.2023 19:53:08  krbtgt/AAA.BBB at AAA.BBB
>         renew until 08.09.2023 09:53:05
> 
> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required
> Using temporary directory /tmp/.private/user/tmpstcd1nbi (use --tmpdir to change)
> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
> 
> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmptj4bgfkf (use --tmpdir to change)
> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
> 
> [user at dc.aaa.bbb ~]$ samba-tool gpo restore StartUp-Script /tmp/gpo/computer/policy/\{C9EB17FD-7DAA-4EB9-8BED-71EF89A83B1D\}/ --use-kerberos=required --use-krb5-ccache=FILE:/tmp/krb5cc_500
> Using temporary directory /tmp/.private/user/tmp271bduk7 (use --tmpdir to change)
> Password for [administrator at AAA.BBB]: WHY_IS_THE_PASSWORD_REQUESTED?
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions



