Saving password feature for net rpc console utils.
adriano32.gnu at gmail.com
Wed Feb 1 16:13:33 MST 2012
Volker Lendecke wrote:
> winbind should have that capability. Start winbind, then
> wbinfo --ccache-save will save the password. If you then
> give -C to your net command and you should be fine.
> With best regards,
> Volker Lendecke
Thanks a lot to Volker, Kai and ABartlet, who pointed me to the solution on IRC.
I am putting the solution here so that it will be easier for other people to
find the answer to the question I asked in this thread.
For AD and Samba4 you can, and probably should, use Kerberos tickets
after setting up your /etc/krb.conf with proper defaults and realms:
kinit administrator@SAMDOM.EXAMPLE.COM
This should create a ticket; for me it was /tmp/krb5cc_0. Check it with
There should be something like
Ticket cache: FILE:/tmp/krb5cc_0
02/01/12 20:49:18 02/02/12 06:49:18 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
should be executed to create the environment variable $KRB5CCNAME, pointing
to the cached ticket so that it can be read by other utils.
After that, most Samba utils can be called with the special option `-k yes',
`-k' or `--kerberos' and will use the cached ticket. See the man page for that
utility, or `utility --help', or `net help' specifically for the net utility. For example:
smbclient -k yes -L server.samdom.example.com.
Your DNS should work properly for this; IP addresses won't work.
net rpc shutdown -S client1 -k
For this example to work, your /etc/resolv.conf should contain a proper
`domain' section and probably a `search' section too, like
Read `man resolv.conf' for more info.
But Kerberos tickets will work only for the AD server and PCs that are
members of an AD, and thus can allow AD users to do something with them
remotely, authenticating with a Kerberos ticket.
For PCs that aren't AD members you can use the following solution, which
Volker advised in the previous message and in another list thread that I
couldn't find before his advice:
It's the `wbinfo --ccache-save=user%password' command, or the
`wbinfo --ccache-save=user --' command for those who don't like to pass the
password as a command-line parameter for security reasons.
It does not work with the winbind built into Samba4; in
./source4/winbind/wb_samba3_protocol.c of the samba-master branch you can find the following:
DEBUG(10, ("Unimplemented winbind samba3 request %d\n",
So the `saving creds failed' returned by `wbinfo --ccache-save=user --'
from the Samba4 package shouldn't mislead you into thinking that you are
entering something wrong. It is simply a missing feature currently.
But wbinfo should work with the separate winbind from Samba3.
To use the cached password, use the `net --use-ccache' or `net -C' option for
the net command. If it doesn't work, either your version is too old (<3.5), or
the feature is temporarily disabled.
Hope it will be useful for beginners like me.
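
A preflight check for the Kerberos procedure in the message above, as an added example that is not part of the original post or of Samba. The function names are hypothetical, and the permission test on the ticket cache is an added assumption (the post only says the cache lives at a path such as /tmp/krb5cc_0); only FILE: caches are handled.

```shell
#!/bin/sh
# Added example: checks to run before calling Samba tools with -k.
# Paths are arguments, so the checks can be exercised on test files.

# resolv_has_domain FILE: succeed if FILE has a `domain' or `search' entry.
resolv_has_domain() {
    grep -Eq '^[[:space:]]*(domain|search)[[:space:]]+[^[:space:]]' "$1"
}

# ccache_path VALUE: print the file path held in a KRB5CCNAME-style value.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    return 1 ;;              # other cache types are not handled here
        *)      printf '%s\n' "$1" ;;    # bare path
    esac
}

# ccache_is_private VALUE: succeed if the cache is a regular file (not a
# symlink) with no group or other permission bits set.
ccache_is_private() {
    f=$(ccache_path "$1") || return 1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    mode=$(ls -ld -- "$f" | cut -c5-10)  # group and other bits of the mode string
    [ "$mode" = "------" ]
}

# preflight RESOLV_CONF KRB5CCNAME_VALUE: run both checks, report each failure.
preflight() {
    rc=0
    resolv_has_domain "$1" || { echo "no domain/search entry in $1" >&2; rc=1; }
    ccache_is_private "$2" || { echo "ticket cache $2 missing or not private" >&2; rc=1; }
    return $rc
}

# Typical use (not run here):
#   preflight /etc/resolv.conf "$KRB5CCNAME" && net rpc shutdown -S client1 -k
```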