Failure in attempt to query trusted domains using net ads search/dn commands

Nimrod Sapir NIMRODS at il.ibm.com
Wed Jan 16 05:16:06 MST 2013


Hello

I've been trying to use the net ads search/net ads dn commands to extract 
information from Active Directory domains, and had only partial success. 
The idea here is to use the machine account created when net ads join is 
done to query the joined domain, other domains in the forest and other 
domains with a trust relation to the main domain - without using any 
credentials. This should be possible (as Samba itself needs to extract this 
information when users from those domains connect to the system). Using 
net ads search/dn -P works fine for querying the joined domain, but only 
gives info on the users/groups of that domain.

I've tried two different approaches for accessing data of a different 
domain. One is using "net ads dn" to query the dn of a different domain 
directly. For example:

"net ads dn -P 
'CN=administrator,CN=Users,DC=domain2,DC=smbtest,DC=xiv,DC=com' -d 10" 
Where domain2 is the child domain of domain1 to which I am joined. 

This seems to fail with the following log line: 
"ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> 
Referral", which, according to the comment in the code, is caused by the 
fact that the system does not support LDAP referrals.

The other method was to query the second domain directly. I tried using 
"net ads search -w domain2 -P objectClass=*", but it fails because the 
realm is not configured, and cannot be configured using the net ads search 
command. I added a little patch to the code of the command to allow a 
realm to be set with the "-q" param and searched using "net ads search -w 
domain2 -q domain2.smbtest.xiv.com -P objectClass=*" and got no reply. 
However, after configuring the krb5.conf and running "kinit administrator" 
(and giving the administrator password), it started working. However, I 
still would like to avoid re-entering the credentials after the initial 
setup of the system (and the ticket created by kinit has a time limit). I 
also tried to create a keytab (using net ads keytab) and use it for the 
kinit, but without success.

I'm sorry if this mail is a bit confusing. I would like to know if any of 
the approaches I use seems logical, and if not, if there is any other 
approach which you can suggest (not necessarily using the net ads 
search/dn commands) to enumerate user/group info from trusted domains. I 
can also provide some more information on the system configuration or 
provide logs, if needed - I just want to understand if any of the methods 
below is worth further investigation.

Thanks!

Nimrod Sapir
IBM - XIV, Israel
NAS Development Team
Office: +972-3-689-7763
Cell:   +972-54-7726-320
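An added example, not part of the original post and not Samba's own code: it derives the Kerberos realm and LDAP search base for the child domain from the DN quoted above, and shows how the machine-account keytab written by `net ads keytab create` can replace the interactive `kinit administrator`, so no user password has to be re-entered after setup. The machine principal form `HOSTNAME$@REALM`, the keytab path, the `ldapsearch` flags and the sample DN are assumptions; the trusted domain's KDC still has to be resolvable from the joined host.

```bash
#!/bin/sh
# Added example (not from the original post): turn a DN from a trusted/child
# domain into the realm and search base needed to query it, then query it
# with the joined host's machine-account keytab instead of an interactive kinit.

# DC= components of a DN joined with dots: the DNS domain name, lower case.
dn_to_domain() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*[Dd][Cc]=//p' \
        | paste -s -d '.' -
}

# Kerberos realm: the DNS domain name in upper case.
dn_to_realm() {
    dn_to_domain "$1" | tr '[:lower:]' '[:upper:]'
}

# LDAP search base: only the DC= components, in their original order.
dn_to_base() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | grep -i '^[[:space:]]*DC=' \
        | sed 's/^[[:space:]]*//' \
        | paste -s -d ',' -
}

# Non-interactive query of the domain named by the DN.
#   $1 = DN inside the trusted domain
#   $2 = keytab written by "net ads keytab create" (assumed default path)
#   $3 = realm of the domain this host is joined to (e.g. DOMAIN1.SMBTEST.XIV.COM)
# Assumption: the machine account principal is HOSTNAME$@JOINED_REALM, which is
# what a "net ads join" normally leaves in the keytab. Cross-realm access relies
# on the existing trust plus KDC resolution (DNS SRV records or krb5.conf [realms]).
query_trusted_domain() {
    dn=$1
    keytab=${2:-/etc/krb5.keytab}
    joined_realm=${3:?joined realm (upper case) required}
    host=$(hostname -s | tr '[:lower:]' '[:upper:]')
    domain=$(dn_to_domain "$dn")
    base=$(dn_to_base "$dn")

    # Ticket from the keytab: no password prompt, and it can be refreshed
    # the same way from a timer before it expires.
    kinit -k -t "$keytab" "${host}\$@${joined_realm}" || return 1

    # -Y GSSAPI: authenticate with the ticket just obtained
    # -C: chase referrals (the behaviour net ads dn lacks per the log line above)
    # -E pr=1000/noprompt: paged results, as AD caps unpaged result sets
    ldapsearch -LLL -Y GSSAPI -C -E pr=1000/noprompt \
        -H "ldap://${domain}" -b "$base" \
        '(|(objectClass=user)(objectClass=group))' sAMAccountName objectSid
}

# Constructed sample DN, modelled on the one in the post.
SAMPLE_DN='CN=administrator,CN=Users,DC=domain2,DC=smbtest,DC=xiv,DC=com'
printf 'domain: %s\n' "$(dn_to_domain "$SAMPLE_DN")"   # domain2.smbtest.xiv.com
printf 'realm:  %s\n' "$(dn_to_realm "$SAMPLE_DN")"    # DOMAIN2.SMBTEST.XIV.COM
printf 'base:   %s\n' "$(dn_to_base "$SAMPLE_DN")"     # DC=domain2,DC=smbtest,DC=xiv,DC=com
# The network step is left to the operator, e.g.:
#   query_trusted_domain "$SAMPLE_DN" /etc/krb5.keytab DOMAIN1.SMBTEST.XIV.COM
```

The helper functions only parse the DN and run offline; `query_trusted_domain` is the part that replaces the `kinit administrator` step, and it will only succeed if the joined domain's KDC can issue a cross-realm referral ticket for the child domain, which is the same trust path Samba's winbind relies on.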