net-ads-search on a standalone domain-controller

Isaac Boukris iboukris@gmail.com
Fri Jan 26 10:53:49 UTC 2018


On Wed, Jan 24, 2018 at 5:30 PM, Isaac Boukris <iboukris@gmail.com> wrote:
> Hello,
>
> I'm trying net-ads-search on a freshly provisioned DC (git master) and
> it fails, with both the -P and -Uadmin options.
>
> [root@kdc samba]# /usr/local/samba/bin/net ads search cn=admin
> userprincipalname -P
> kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found
> in Kerberos database
>
> [root@kdc samba]# /usr/local/samba/bin/net ads search cn=admin
> userprincipalname -Uadmin
> Enter admin's password:
> kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found
> in Kerberos database
>
> On the other hand net-ads-kinit works fine.
>
> [root@kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -P
> [root@kdc samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: KDC$@EXAMPLE.COM
> Valid starting     Expires            Service principal
> 01/24/18 15:22:13  01/25/18 01:22:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 01/31/18 15:22:13
>
> [root@kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -Uadmin
> Enter admin's password:
> [root@kdc samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@EXAMPLE.COM
> Valid starting     Expires            Service principal
> 01/24/18 15:22:38  01/25/18 01:22:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 01/31/18 15:22:38
>
> It appears that we don't use the same account name for ads-search as
> we do for ads-kerberos-kinit when running on a DC, in
> ads_kinit_password(), see:
> https://buildfarm.opencsw.org/source/xref/samba/source3/libads/kerberos_util.c#41


Any thoughts on this? Why do we try to get a ticket for
lp_workgroup()@REALM if we are a DC, and does it make sense for
net-ads-search context?

> If I remove the above check, net-ads-search works fine (both -P and -U).
> I wonder if this check is relevant when running in net-ads context,
> and if it isn't, how do you tell.
>
> Thanks!
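To make the mismatch described in this thread concrete, here is an added model (not Samba's code and not the poster's) of the account-name choice the mail attributes to ads_kinit_password(), together with a constructed stand-in for the KDC's principal database. The branch structure, the context names ("search" / "kinit"), the `workgroup_check` switch that models removing the check, and the set of principals assumed to exist are all assumptions made for illustration; only the realm, workgroup, host name and the observed outcomes come from the thread.

```python
# Added example: model of the principal selection discussed in the thread,
# plus a simulated KDC lookup, to show why "net ads search" fails on a DC
# while "net ads kerberos kinit" succeeds. Not Samba's implementation.

REALM = "EXAMPLE.COM"
WORKGROUP = "EXAMPLE"          # what lp_workgroup() returns in the thread's setup
HOSTNAME = "kdc"               # the DC's own short host name

# Constructed KDC database: principals that exist in the freshly provisioned
# domain. Note that WORKGROUP@REALM (EXAMPLE@EXAMPLE.COM) is not among them,
# which is exactly what "Client not found in Kerberos database" reports.
KDC_PRINCIPALS = {
    f"{HOSTNAME.upper()}$@{REALM}",   # the DC's machine account (KDC$)
    f"admin@{REALM}",
    f"krbtgt/{REALM}@{REALM}",
}


def select_principal(context, is_dc, user=None, workgroup_check=True):
    """Model (assumption) of the account-name choice the thread describes.

    context:         "search" for net-ads-search, "kinit" for net-ads-kerberos-kinit.
    is_dc:           True when net runs on a domain controller.
    user:            value of -U, or None when -P (machine credentials) is used.
    workgroup_check: the DC check the thread asks about; False models removing it.
    """
    if workgroup_check and context == "search" and is_dc:
        # On a DC the search path asks for a ticket as lp_workgroup()@REALM,
        # regardless of whether -P or -U was given.
        return f"{WORKGROUP}@{REALM}"
    if user is not None:
        return f"{user}@{REALM}"
    return f"{HOSTNAME.upper()}$@{REALM}"


def kinit(principal, kdc=KDC_PRINCIPALS):
    """Simulated AS exchange: succeed only if the client principal exists."""
    if principal in kdc:
        return True, f"krbtgt/{REALM}@{REALM}"
    return False, (f"kerberos_kinit_password {principal} failed: "
                   "Client not found in Kerberos database")


def try_command(context, is_dc, user=None, workgroup_check=True):
    """Return (principal used, success flag, message) for one net invocation."""
    principal = select_principal(context, is_dc, user, workgroup_check)
    ok, msg = kinit(principal)
    return principal, ok, msg


def reproduce_thread(workgroup_check=True):
    """The four invocations from the thread, all run on a DC."""
    return {
        "search -P": try_command("search", True, None, workgroup_check),
        "search -U": try_command("search", True, "admin", workgroup_check),
        "kinit -P":  try_command("kinit", True, None, workgroup_check),
        "kinit -U":  try_command("kinit", True, "admin", workgroup_check),
    }


if __name__ == "__main__":
    for label, check in (("with DC check", True), ("check removed", False)):
        print(f"--- {label} ---")
        for name, (principal, ok, msg) in reproduce_thread(check).items():
            print(f"{name:10s} as {principal:24s} -> {'ok' if ok else msg}")
```

Running it prints the two failing search invocations (both as EXAMPLE@EXAMPLE.COM) next to the two succeeding kinit ones (KDC$ and admin), and then the same four with `workgroup_check=False`, where every invocation uses an account the KDC actually knows. The model only shows the shape of the problem; whether the real check is needed in some other net-ads context is the open question of the thread.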
