Saving password feature for net rpc console utils.
andrux0id
adriano32.gnu at gmail.com
Wed Feb 1 16:13:33 MST 2012
Volker Lendecke wrote:
> winbind should have that capability. Start winbind, then
> wbinfo --ccache-save will save the password. If you then
> give -C to your net command, you should be fine.
>
> With best regards,
>
> Volker Lendecke
>
Thanks a lot to Volker, Kai and ABartlet, who pointed me to the solution on IRC.
I am putting the solution here so that it will be easier for other people to
find the answer to the question I asked in this thread.

For AD and Samba4 you can, and you probably should, use Kerberos tickets.
After setting up your /etc/krb.conf with proper defaults and realms,
run

    kinit administrator@SAMDOM.EXAMPLE.COM

This should create a ticket; for me it was /tmp/krb5cc_0. Check it with

    klist -e

There should be something like

    Ticket cache: FILE:/tmp/krb5cc_0
    ...
    02/01/12 20:49:18 02/02/12 06:49:18 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

After that

    export KRB5CCNAME=/tmp/krb5cc_0

should be executed to create the environment variable $KRB5CCNAME, pointing
to the cached ticket so that it can be read by other utilities.

After that, most Samba utilities can be called with a special option
`-k yes', `-k' or `--kerberos' and will use the cached ticket. See the man
page for that utility or `utility --help' (or `net help' for the net
utility). For example

    smbclient -k yes -L server.samdom.example.com.

Your DNS should work properly for this; IP addresses won't work.

Another example:

    net rpc shutdown -S client1 -k

For this example to work, your /etc/resolv.conf should contain a proper
`domain' section and probably a `search' section too, like

    domain samdom.example.com
    search samdom.example.com

Read `man resolv.conf' for more info.

But Kerberos tickets will work only for the AD server and PCs that are
members of an AD, and thus can allow AD users to do something with them
remotely, authenticating with a Kerberos ticket.

For PCs that aren't AD members you can use the following solution, which
Volker advised in the previous message and in another list thread that I
couldn't find before his advice:

http://lists.samba.org/archive/samba/2011-June/162950.html

It's the `wbinfo --ccache-save=user%password' command, or the
`wbinfo --ccache-save=user --' command for those who don't like to pass the
password as a command line parameter for security reasons.

It does not work with the winbind built into Samba4; in
./source4/winbind/wb_samba3_protocol.c of the samba-master branch you can
find the following:

    case WINBINDD_CCACHE_SAVE:
            DEBUG(10, ("Unimplemented winbind samba3 request %d\n",
                       s3call->request->cmd));

So the `saving creds failed' returned by `wbinfo --ccache-save=user --'
from the Samba4 package shouldn't mislead you into thinking that you are
entering something wrong. It is simply a missing feature currently.
But wbinfo should work with a separate winbind from Samba3.

To use the cached password, use the `net --use-ccache' or `net -C' option
for the net command. If it doesn't work, either your version is too old
(<3.5), or the feature is temporarily disabled.

Hope it will be useful for beginners like me.
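
Two checks worth running on the ticket cache from the kinit/klist/KRB5CCNAME steps above before pointing Samba tools at it, as an added example that is not part of the original post or of Samba. The function names are hypothetical, the klist layout is assumed to be MIT's, and the cifs ticket in the sample is constructed.

```shell
#!/bin/sh
# Added example: checks on a ticket cache before using it via KRB5CCNAME and -k.

# Map a KRB5CCNAME value to an on-disk path. Only FILE: caches (or a bare
# absolute path) live in a file; other cache types return 1.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        /*)     printf '%s\n' "$1" ;;
        *)      return 1 ;;
    esac
}

# Succeed only if the cache is a regular file (not a symlink), owned by the
# calling user, with mode 0600. A cache in /tmp that others can read lets any
# local user reuse the ticket until it expires.
ccache_perms_ok() {
    ls -ldn -- "$1" 2>/dev/null | awk -v uid="$(id -u)" '
        BEGIN   { rc = 1 }
        NR == 1 { rc = !(substr($1, 1, 10) == "-rw-------" && $3 == uid) }
        END     { exit rc }'
}

# Read `klist -e` output on stdin (MIT layout assumed: ticket lines start
# with a date) and print each service principal whose session key or ticket
# uses RC4 (ArcFour) or DES.
weak_etype_tickets() {
    awk '
        /^[0-9]/ { princ = $NF; next }
        /Etype \(skey, tkt\):/ {
            if (tolower($0) ~ /arcfour|rc4|des/) print princ
        }'
}

# Constructed sample: the krbtgt entry is the one shown in the post, the
# cifs entry and the header lines are made up for contrast.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/01/12 20:49:18  02/02/12 06:49:18  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/01/12 20:50:02  02/02/12 06:49:18  cifs/server.samdom.example.com@SAMDOM.EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

printf '%s\n' "$SAMPLE_KLIST" | weak_etype_tickets
```

On a live system the same functions take `klist -e` piped into `weak_etype_tickets` and `"$(ccache_path "$KRB5CCNAME")"` passed to `ccache_perms_ok`.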