[Samba] GPO backup/restore questions
Rowland Penny
rpenny at samba.org
Thu Sep 7 21:01:28 UTC 2023
On Fri, 08 Sep 2023 08:45:24 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:
> > Q2) I don't understand why Kerberos ticket is not used.
> >
> >
> >
> > I specified --use-kerberos=required
> >
>
> Thanks for mentioning this. I don't know why this is happening
> exactly. The samba-tool gpo command is a bit of a snowflake in the
> 'samba-tool' suite as it uses the libsmb library from the 'fileserver'
> or 'source3' area of the codebase, as that is much more mature.
>
> Sadly there is sometimes an "impedence mismatch" or 'the stiching is
> still visible' or 'a mismatch in expectations' between some parts of
> our codebase that were developed apart for a time, and I think this
> may be showing here.
>
> You could spend some time in a debugger, getting a backtrace when it
> asks for the password and working out if the Kerberos require flag has
> been lost somehow. We have got a lot better about not decomposing and
> re-composing our 'cli_credentials' structure, eg
> https://gitlab.com/samba-team/samba/-/merge_requests/3260 just today,
> and perhaps this is happening.
>
> I would say that, below, you seem to have tried all the command-line
> combinations I would try.
>
> Andrew Bartlett
>
> >
> > [
> > user at dc.aaa.bbb
> > ~]$ kinit administrator
> >
> > Password for
> > administrator at AAA.BBB
> > :
> >
> > Warning: Your password will expire in 27 days on Чт 05 окт 2023
> > 09:44:26
> >
> > [
> > user at dc.aaa.bbb
> > ~]$ klist
> >
> > Ticket cache: FILE:/tmp/krb5cc_500
Just a question, why does Administrator have a ticket with the ID
'500', I would expect /tmp/krb5cc_0
Rowland
More information about the samba
mailing list