net-ads-search on a standalone domain-controller

Isaac Boukris iboukris at gmail.com
Fri Jan 26 14:48:00 UTC 2018


On Fri, Jan 26, 2018 at 12:53 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> On Wed, Jan 24, 2018 at 5:30 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> Hello,
>>
>> I'm trying net-ads-search on a freshly provisioned DC (git master) and
>> it fails, with both the -P and -Uadmin options.
>>
>>  [root at kdc samba]# /usr/local/samba/bin/net ads search cn=admin
>> userprincipalname -P
>> kerberos_kinit_password EXAMPLE at EXAMPLE.COM failed: Client not found
>> in Kerberos database
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads search cn=admin
>> userprincipalname -Uadmin
>> Enter admin's password:
>> kerberos_kinit_password EXAMPLE at EXAMPLE.COM failed: Client not found
>> in Kerberos database
>>
>> On the other hand net-ads-kinit works fine.
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -P
>> [root at kdc samba]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: KDC$@EXAMPLE.COM
>> Valid starting     Expires            Service principal
>> 01/24/18 15:22:13  01/25/18 01:22:13  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>         renew until 01/31/18 15:22:13
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -Uadmin
>> Enter admin's password:
>> [root at kdc samba]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at EXAMPLE.COM
>> Valid starting     Expires            Service principal
>> 01/24/18 15:22:38  01/25/18 01:22:38  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>         renew until 01/31/18 15:22:38
>>
>> It appears that we don't use the same account name for ads-search as
>> we do for ads-kerberos-kinit when running on a DC, in
>> ads_kinit_password(), see:
>> https://buildfarm.opencsw.org/source/xref/samba/source3/libads/kerberos_util.c#41
>
>
> Any thoughts on this? Why do we try to get a ticket for
> lp_workgroup()@REALM if we are a DC, and does it make sense for
> net-ads-search context?
>
>> If I remove the above check, net-ads-search works fine (with both -P and -U).
>> I wonder if this check is relevant when running in net-ads context,
>> and if it isn't how do you tell.


Meanwhile, the attached patch solves the '-U' case by making sure we
don't assume a machine name when a username was specified (so the DC bug
has no impact, as we 'goto got_accountname' directly).

Review appreciated.
-------------- next part --------------
From 862a2c0a31efceb6d304007fc13d3c199906afbe Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 22 Jan 2018 18:40:17 +0000
Subject: [PATCH] net-ads-search: use specified username when given

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source3/utils/net_ads.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index c83aced..7eb5014 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -302,9 +302,10 @@ retry:
 			ads_destroy(&ads);
 			return ADS_ERROR(LDAP_NO_MEMORY);
 		}
-       }
+	}
 
-	status = ads_connect(ads);
+	status = c->opt_user_specified ? ads_connect_user_creds(ads) :
+					 ads_connect(ads);
 
 	if (!ADS_ERR_OK(status)) {
 
-- 
2.1.0


