Saving password feature for net rpc console utils.

andrux0id adriano32.gnu at gmail.com
Wed Feb 1 16:13:33 MST 2012


Volker Lendecke wrote:
> winbind should have that capability. Start winbind, then
> wbinfo --ccache-save will save the password. If you then
> give -C to your net command you should be fine.
>
> With best regards,
>
> Volker Lendecke
>   
Thanks a lot to Volker, Kai and ABartlet, who pointed me to the solution on IRC.

Putting the solution here so that it will be easier for other people to find 
the answer to the question I asked in this thread.

For AD and Samba4 you can, and probably should, use Kerberos tickets. 
After setting up your /etc/krb.conf with proper defaults and realms, 
run

kinit administrator@SAMDOM.EXAMPLE.COM

This should create a ticket; for me it was /tmp/krb5cc_0. Check it with

klist -e

There should be something like

Ticket cache: FILE:/tmp/krb5cc_0
...
 02/01/12 20:49:18  02/02/12 06:49:18  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
       Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

After that

export KRB5CCNAME=/tmp/krb5cc_0

should be executed to set the environment variable $KRB5CCNAME, pointing 
to the cached ticket so that it can be read by other utils.

After that most of the Samba utils can be called with a special option `-k 
yes', `-k' or `--kerberos' to use the cached ticket. See the man page for that 
utility, or `utility --help', or `net help' for the net utility specifically. For example

smbclient -k yes -L server.samdom.example.com.

Your DNS should work properly for this; IP addresses won't work.

Another example:

net rpc shutdown -S client1 -k

For this example to work, your /etc/resolv.conf should contain a proper 
`domain' entry and probably a `search' entry too, like

domain samdom.example.com
search samdom.example.com

Read `man resolv.conf' for more info.

But Kerberos tickets will only work for the AD server and PCs that are 
members of the AD, which can thus allow AD users to do something on them remotely, 
authenticating with a Kerberos ticket.

For PCs that aren't AD members you can use the following solution, which 
Volker advised in the previous message and in another list thread that I 
couldn't find before his advice: 
http://lists.samba.org/archive/samba/2011-June/162950.html

It's the `wbinfo --ccache-save=user%password' command, or `wbinfo 
--ccache-save=user --' for those who don't like to pass the password 
as a command line parameter for security reasons.
It does not work with the winbind built into Samba4; you can find the 
following in ./source4/winbind/wb_samba3_protocol.c of the samba-master branch:

        case WINBINDD_CCACHE_SAVE:
                DEBUG(10, ("Unimplemented winbind samba3 request %d\n",
                           s3call->request->cmd));

So the `saving creds failed' returned by `wbinfo --ccache-save=user --' 
from the Samba4 package shouldn't mislead you into thinking that you are entering 
something wrong. It is simply a missing feature currently.

But wbinfo should work with a separate winbind from Samba3.
To use the cached password, use the `net --use-ccache' or `net -C' option for 
the net command. If it doesn't work, either your version is too old (<3.5) or 
the feature is temporarily disabled.

Hope this will be useful for beginners like me.
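The following script is an added example and is not code from the post above or from Samba. It turns the kinit/klist/KRB5CCNAME procedure and the resolv.conf requirement described in the post into a few checks that can be run before invoking net or smbclient with -k: it pulls the credential-cache path out of `klist -e' output and exports KRB5CCNAME from it, confirms a TGT (krbtgt/REALM@REALM) is present, flags the legacy RC4 (ArcFour) enctype shown in the post's sample, and checks that resolv.conf carries the `domain' and `search' entries short names like `-S client1' depend on. The klist and resolv.conf text are constructed samples embedded inline so the script runs without a KDC; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba: offline
# sanity checks for the ticket-cache workflow described in the post. All
# inputs below are constructed samples, so this runs without a KDC.

# Constructed `klist -e` output, modelled on the post's sample.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/01/12 20:49:18  02/02/12 06:49:18  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# Constructed /etc/resolv.conf contents, as the post recommends.
SAMPLE_RESOLV='domain samdom.example.com
search samdom.example.com
nameserver 192.0.2.10'

# Print the credential-cache path from klist output, without the FILE: prefix.
ccache_path() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: FILE:\(.*\)$/\1/p'
}

# Print 1 if a TGT (krbtgt/REALM@REALM) for the given realm is cached, else 0.
has_tgt() {
    if printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"; then echo 1; else echo 0; fi
}

# Print 1 if the cached ticket uses the legacy RC4 (ArcFour) enctype, else 0.
# The post's sample shows RC4; AES enctypes are what a modern realm should issue.
weak_etype() {
    if printf '%s\n' "$1" | grep -qi 'Etype.*ArcFour'; then echo 1; else echo 0; fi
}

# Print 1 if resolv.conf text has both a `domain' and a `search' entry for the
# given DNS domain (needed for short host names like `-S client1'), else 0.
resolv_ok() {
    if printf '%s\n' "$1" | grep -q "^domain $2\$" &&
       printf '%s\n' "$1" | grep -q "^search .*$2"; then echo 1; else echo 0; fi
}

# Export KRB5CCNAME from klist output so net/smbclient with -k find the ticket.
# Prints the exported path; returns non-zero if no cache line was found.
setup_ccache() {
    cc=$(ccache_path "$1")
    [ -n "$cc" ] || { echo "no ticket cache in klist output" >&2; return 1; }
    export KRB5CCNAME="$cc"
    printf '%s\n' "$KRB5CCNAME"
}

# Walk the constructed samples when run directly.
setup_ccache "$SAMPLE_KLIST"
[ "$(has_tgt "$SAMPLE_KLIST" SAMDOM.EXAMPLE.COM)" = 1 ] && echo "TGT present"
[ "$(weak_etype "$SAMPLE_KLIST")" = 1 ] && echo "warning: RC4 enctype in use"
[ "$(resolv_ok "$SAMPLE_RESOLV" samdom.example.com)" = 1 ] && echo "resolv.conf ok"
```

On a real host, replace the two samples with `klist -e` output and the contents of /etc/resolv.conf; the checks read only text and do not contact the KDC themselves.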


More information about the samba-technical mailing list