net-ads-search on a standalone domain-controller
Isaac Boukris
iboukris at gmail.com
Fri Jan 26 14:48:00 UTC 2018
On Fri, Jan 26, 2018 at 12:53 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> On Wed, Jan 24, 2018 at 5:30 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> Hello,
>>
>> I'm trying net-ads-search on a freshly provisioned DC (git master) and
>> it fails, with both the -P and the -Uadmin options.
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads search cn=admin
>> userprincipalname -P
>> kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found
>> in Kerberos database
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads search cn=admin
>> userprincipalname -Uadmin
>> Enter admin's password:
>> kerberos_kinit_password EXAMPLE@EXAMPLE.COM failed: Client not found
>> in Kerberos database
>>
>> On the other hand net-ads-kinit works fine.
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -P
>> [root at kdc samba]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: KDC$@EXAMPLE.COM
>> Valid starting Expires Service principal
>> 01/24/18 15:22:13 01/25/18 01:22:13 krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> renew until 01/31/18 15:22:13
>>
>> [root at kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -Uadmin
>> Enter admin's password:
>> [root at kdc samba]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at EXAMPLE.COM
>> Valid starting Expires Service principal
>> 01/24/18 15:22:38 01/25/18 01:22:38 krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> renew until 01/31/18 15:22:38
>>
>> It appears that we don't use the same account name for ads-search as
>> we do for ads-kerberos-kinit when running on a DC, in
>> ads_kinit_password(), see:
>> https://buildfarm.opencsw.org/source/xref/samba/source3/libads/kerberos_util.c#41
>
>
> Any thoughts on this? Why do we try to get a ticket for
> lp_workgroup()@REALM if we are a DC, and does it make sense in the
> net-ads-search context?
>
>> If I remove the above check, net-ads-search works fine (with both -P and -U).
>> I wonder if this check is relevant when running in the net-ads context,
>> and if it isn't, how do you tell?
Meanwhile, the attached patch solves the '-U' case by making sure we
don't assume a machine name when a username was specified (so the DC bug
doesn't have an impact, as we 'goto got_accountname' directly).
Review appreciated.
From 862a2c0a31efceb6d304007fc13d3c199906afbe Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 22 Jan 2018 18:40:17 +0000
Subject: [PATCH] net-ads-search: use specified username when given
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
source3/utils/net_ads.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index c83aced..7eb5014 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -302,9 +302,10 @@ retry:
ads_destroy(&ads);
return ADS_ERROR(LDAP_NO_MEMORY);
}
- }
+ }
- status = ads_connect(ads);
+ status = c->opt_user_specified ? ads_connect_user_creds(ads) :
+ ads_connect(ads);
if (!ADS_ERR_OK(status)) {
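Review bot: the `- }` / `+ }` pair at the top of the hunk is a whitespace-only change to a brace that is unrelated to the connect-path fix; either drop it or move it to a separate cleanup commit so the functional change stays reviewable on its own. For the ternary `status = c->opt_user_specified ? ads_connect_user_creds(ads) : ads_connect(ads);`, a one-line comment stating that user-supplied credentials bypass the machine-account principal selection in ads_kinit_password() (the DC case described in the cover mail) would make the intent clear to the next reader, and the continuation line should align under the condition per the surrounding style. Note that the hunk only covers `-U`; the `-P` failure on a DC that the mail reports is still present after this change, since ads_connect() is unchanged, and the commit message could say so explicitly.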
--
2.1.0