net-ads-search on a standalone domain-controller
Isaac Boukris
iboukris at gmail.com
Wed Jan 24 15:30:03 UTC 2018
Hello,
I'm trying net-ads-search on a freshly provisioned DC (git master) and
it fails with both the -P and -Uadmin options.
[root@kdc samba]# /usr/local/samba/bin/net ads search cn=admin userprincipalname -P
kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found in Kerberos database
[root@kdc samba]# /usr/local/samba/bin/net ads search cn=admin userprincipalname -Uadmin
Enter admin's password:
kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found in Kerberos database
On the other hand net-ads-kinit works fine.
[root@kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -P
[root@kdc samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KDC$@EXAMPLE.COM
Valid starting       Expires              Service principal
01/24/18 15:22:13    01/25/18 01:22:13    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/31/18 15:22:13
[root@kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -Uadmin
Enter admin's password:
[root@kdc samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
01/24/18 15:22:38    01/25/18 01:22:38    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/31/18 15:22:38
It appears that we don't use the same account name for ads-search as
we do for ads-kerberos-kinit when running on a DC, in
ads_kinit_password(), see:
https://buildfarm.opencsw.org/source/xref/samba/source3/libads/kerberos_util.c#41
If I remove the above check, net-ads-search works fine (with both -P and -U).
I wonder if this check is relevant when running in the net-ads context,
and if it isn't, how do you tell?
Thanks!