net-ads-search on a standalone domain-controller

Isaac Boukris iboukris at gmail.com
Sun Jan 28 09:52:54 UTC 2018


On Fri, Jan 26, 2018 at 4:48 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> On Fri, Jan 26, 2018 at 12:53 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> On Wed, Jan 24, 2018 at 5:30 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>>> Hello,
>>>
>>> I'm trying net-ads-search on a freshly provisioned DC (git master) and
>>> it fails, with both the -P and -Uadmin options.
>>>
>>> [root at kdc samba]# /usr/local/samba/bin/net ads search cn=admin userprincipalname -P
>>> kerberos_kinit_password EXAMPLE at EXAMPLE.COM failed: Client not found in Kerberos database
>>>
>>> [root at kdc samba]# /usr/local/samba/bin/net ads search cn=admin userprincipalname -Uadmin
>>> Enter admin's password:
>>> kerberos_kinit_password EXAMPLE at EXAMPLE.COM failed: Client not found in Kerberos database
>>>
>>> On the other hand net-ads-kinit works fine.
>>>
>>> [root at kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -P
>>> [root at kdc samba]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: KDC$@EXAMPLE.COM
>>> Valid starting     Expires            Service principal
>>> 01/24/18 15:22:13  01/25/18 01:22:13  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>         renew until 01/31/18 15:22:13
>>>
>>> [root at kdc samba]# /usr/local/samba/bin/net ads kerberos kinit -Uadmin
>>> Enter admin's password:
>>> [root at kdc samba]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin at EXAMPLE.COM
>>> Valid starting     Expires            Service principal
>>> 01/24/18 15:22:38  01/25/18 01:22:38  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>         renew until 01/31/18 15:22:38
>>>
>>> It appears that we don't use the same account name for ads-search as
>>> we do for ads-kerberos-kinit when running on a DC, in
>>> ads_kinit_password(), see:
>>> https://buildfarm.opencsw.org/source/xref/samba/source3/libads/kerberos_util.c#41
>>
>>
>> Any thoughts on this? Why do we try to get a ticket for
>> lp_workgroup()@REALM if we are a DC, and does it make sense for
>> net-ads-search context?
>>
>>> If I remove the above check, net-ads-search works fine (both -P and -U).
>>> I wonder if this check is relevant when running in net-ads context,
>>> and if it isn't, how do you tell.
>
>
> Meanwhile, the attached patch solves the '-U' case by making sure we
> don't assume a machine name when a username was specified (so the DC bug
> doesn't have an impact, as we 'goto got_accountname' directly).


Oh, there is yet another use case where neither '-P' nor '-U' is given.
In that case we seem to use the current logged-on user (and ask for
its password), but we do not set 'opt_user_specified', so I think it
might end up being treated as a machine account.

HTH
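As an added illustration, not Samba's code and not the attached patch (which is not on the page), here is a hypothetical C model of the account-name ordering the thread describes: the pre-patch path consults the DC check before the explicit -U user, and the patched path lets a specified user win first. The struct fields, the constants and the function names are assumptions; the realm, workgroup and host values are taken from the thread's output.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed values mirroring the thread's klist/error output. */
#define REALM     "EXAMPLE.COM"
#define WORKGROUP "EXAMPLE"   /* what lp_workgroup() returns in the thread */
#define NETBIOS   "KDC"       /* machine name; its account is KDC$ */

struct opts {
    bool is_dc;            /* the process runs on a domain controller */
    bool user_specified;   /* -U was given (the thread's opt_user_specified) */
    const char *user;      /* -U value, or the logged-on user when no flag is given */
};

/* Hypothetical model of the pre-patch ordering: the DC check comes before
 * the explicit-user check, so on a DC even "-Uadmin" asks the KDC for
 * WORKGROUP@REALM, a principal that does not exist. */
static void principal_before(const struct opts *o, char *out, size_t n) {
    if (o->is_dc)
        snprintf(out, n, "%s@%s", WORKGROUP, REALM);
    else if (!o->user_specified)
        snprintf(out, n, "%s$@%s", NETBIOS, REALM);
    else
        snprintf(out, n, "%s@%s", o->user, REALM);
}

/* Model of the patched ordering: a specified user is honoured first
 * (the thread's "goto got_accountname"), before any DC or machine default. */
static void principal_after(const struct opts *o, char *out, size_t n) {
    if (o->user_specified)
        snprintf(out, n, "%s@%s", o->user, REALM);
    else if (o->is_dc)
        snprintf(out, n, "%s@%s", WORKGROUP, REALM);
    else
        snprintf(out, n, "%s$@%s", NETBIOS, REALM);
}

/* 1 when "-Uadmin" on a DC moves from the bogus to the expected principal. */
int dash_u_on_dc_is_fixed(void) {
    struct opts o = { .is_dc = true, .user_specified = true, .user = "admin" };
    char before[128], after[128];
    principal_before(&o, before, sizeof before);
    principal_after(&o, after, sizeof after);
    return strcmp(before, "EXAMPLE@EXAMPLE.COM") == 0 &&
           strcmp(after, "admin@EXAMPLE.COM") == 0;
}

/* 1 when the "neither -P nor -U" case (user_specified never set, as the
 * author suspects) still falls through to the DC default after the patch. */
int logged_on_user_hits_dc_default(void) {
    struct opts o = { .is_dc = true, .user_specified = false, .user = "root" };
    char after[128];
    principal_after(&o, after, sizeof after);
    return strcmp(after, "EXAMPLE@EXAMPLE.COM") == 0;
}
```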
